Skip to main content

Using a DEP prestage enrollment, I'm trying to get the following script to kick off right after the user is at the desktop. If I scope a policy to trigger at "Enrollment Complete", the policy is being triggered for user "_mbsetupuser" and the JAMF Helper dialogue box opens up in the setup assistant rather than at the desktop. If I use "Login" as the trigger, the JAMF dialogue box opens at the desktop, but clicking "Log Out" doesn't cause the logout to occur.



EDIT: I should add that I've scoped the policy to Self Service and manually ran it. It works as expected that way.



I am a novice when it comes to scripting. The base script I'm using is something I found on JAMF Nation.



!/bin/bash



jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
windowType="hud"
description="To begin FileVault disk encryption of your Mac, you will need to log out and log back in. Please save any work and click 'Log Out'. You will automatically be logged out in 5 minutes."



button1="Log Out"
button2="Cancel"



icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertNoteIcon.icns"
title="Configure FileVault Encryption"
alignDescription="justified"
alignHeading="justified"
defaultButton="1"
timeout="300"



JAMF Helper window as it appears for targeted computers



userChoice=$("$jamfHelper" -windowType "$windowType" -lockHUD -title "$title" -timeout "$timeout" -defaultButton "$defaultButton" -icon "$icon" -description "$description" -alignDescription "$alignDescription" -alignHeading "$alignHeading" -button1 "$button1")



If user selects "Log Out"



if [ "$userChoice" == "0" ]; then
sudo kill -9 pgrep loginwindow
exit 0
fi

It might be the syntax for logging out. Scripts from the JSS run as root so sudo shouldn't be needed.



You could also try 



if [ "$userChoice" == "0" ]; then

osascript -e 'tell application "System Events" to log out'

exit 0

fi

Removing the sudo resolved it.



Also, I have tried using osascript -e 'tell application "System Events" to log out', but the problem there is that it only opens the log out window, but the user can then cancel that. This way just logs out right away.



Thanks!

It's just my opinion, but I wouldn't do a kill on the loginwindow if I were you. That's a brute force ugly way to accomplish it. It's a little like force rebooting your Mac to do a restart. Sure, it restarts the system, but it's not the most gentle approach.



In case it helps, here is some code I've used to do logouts as the user which does a real logout, not just killing the loginwindow.



The below should work on 10.10.x through 10.12.x, though I can't say I've tested it against Sierra, so I don't know for sure. I assume it should work though.



#!/bin/sh



## Get the logged in username

loggedInUser=$(stat -f%Su /dev/console)



## Get the logged in UID

loggedInUID=$(id -u $loggedInUser)



## Do logout as the user

/bin/launchctl asuser $loggedInUID sudo -iu $loggedInUser "/usr/bin/osascript -e 'ignoring application responses' -e 'tell application "loginwindow" to «event aevtrlgo»' -e 'end ignoring'"


Just a quick note on the «event aevtrlgo» This is Applescript speak for "do event 'Apple event really log out'" It doesn't bring up the logout confirmation window. It just starts an immediate logout. Throwing in the 'ignoring application responses' ensures the event won't care if an open app complains. It just continues with the logout. I don't think that part is really necessary for a post enrollment script, but it's better to have it in there, just in case.



Hope that helps.

I'm having an issue where if I setup a brand new computer, this _mbusersetup is getting policies intended for my "admin" account.



https://www.jamf.com/jamf-nation/discussions/24237/dep-w-10-12-5-done-from-internet-recovery-account-creation-issue



still can't figure out how to stop this _mbusersetup account from getting policies on DEP before I can create my account

@kquan I'm battling the same issue with the _mbusersetup during prestage.



The conversation over at https://www.jamf.com/jamf-nation/discussions/23542/how-are-you-deploying-new-mac-laptops#responseChild142625 may be helpful for you, though. Namely @chriscollins lists a workflow that should solve for this. I haven't been able to reach him for my questions about it, but what he has already posted may be able to help you.

So not a direct fix for your issue, but after our machines are enrolled (DEP) and the user is logged in this is how we get the user name



SN=`ls /Users | grep -v Shared | grep -v .localized | grep -v _mbsetupuser |grep -v .DS_Store`


When including time from log in It's the most "reliable" and the fastest way to get the user name.



We used this when were binding to AD too.



C

Terms & ConditionsCookie settings