@Zeek where did you hear that? It definitely works fine on spinning or fusion drives (albeit slow).

Sigh, one of our imaged 2 weeks ago to the day has started locking up on boot with no warning. Updated to 10.11.6 and the latest security update to bring it up to 15G1108 and same issue.

Literally nothing fixes it, even removing all MDM remnants and still intermittent boot. No local accounts, nothing.

@allanp81 The only thing I can think of is completely re-imaging the machine with the 15G1108 build and not doing an in place upgrade.

On November 8 I imaged a cart of 30 mac book airs that were having major startup issues with an image that was 15G1108 and I have not had 1 issue from that cart since.

@kkt @LibertyJSS @rdwhitt and others. We had issues with our high use areas, hanging on boot or login window after about 2 weeks of heavy use. This happened on 10.10 and 10.11, rebuilding the machine was the only fix that worked. There was a kauth hangup for us in the logs. Then one day I went back to basics and looked at my AD binding config and realised I had overlooked a setting which could be related to the issue:

Create mobile account at login

I'd always had this option enabled for 1 to 1 setups and never gave it a thought in shared use computing. Once I rebuilt my Macs with this binding option off, 4 weeks later I knew it had worked. We've been ticking along nicely without failure for 6 months now.

There's definitely a bug there. We don't really have a use for this option and most people shouldn't for shared use desktop Macs. So give it a go if you have it enabled. I think that once the machine had hit a certain number of mobile account users, it just crapped out.

@davidhiggs That's definitely something we'll try as we have mobile accounts enabled. I've noticed that in our dev environment it doesn't seem to then apply user level configuration profiles if we disable using mobile accounts, not sure if that's by design or just a totally separate issue.

@davidhiggs I've tried this but once I untick the option to use mobile accounts it seems to stop any user level configuration profiles from being applied. Not sure why.

Will have to test this setting, too. We've had Create Mobile Accounts on for many years, and apparently it only started being a problem in high traffic labs as of 10.10+. I'm wondering if high numbers of /Users accounts or high numbers of /var/folders/ directories are the actual problem, too.

Our pain point seems to be when the number exceeds 50 or so local profiles.

Really odd that this number isn't limited only by the size of your local storage and not some undocumented "handful" number.

@davidhiggs I've talked to Apple Education Support and they've said the same thing. Essentially, Mobile Accounts were never meant to service more than a handful of people on a machine. Turning that setting off has fixed the issues we were having as well.

Once you've disabled mobile accounts are you applying user level configuration profiles as well?

We have this same issue. Our library machines are the ones that have heavy use and over a hundred managed mobile accounts. I have one machine with me right now that would lock up on boot 8 out of 10 times. The machine had 114 MM accounts on it. I have reduced that count to 30 MM accounts, now the machine is 10 for 10 on NOT locking up on startup.

We have been doing Manged mobile accounts for years, what changed?

@Chriskmpruitt

We have been doing Manged mobile accounts for years, what changed?

Yosemite and El Capitan.
No idea on what really changed in the underlying code but you know Apple. Just like with their AD plugin or wifi, they have to break everything sometimes.

We were initially using JAMF AD binding options, but I switched to using config profiles while troubleshooting. Even though it didn't fix the kauth timeout at the time, I preferred this method.

@Chriskmpruitt 10.10 and 10.11 must be not be coping with a large number of cached credentials
@allanp81 we don't have any user level profiles currently. if i have some time, i'll see if i get the same issue you do

@Chriskmpruitt how did you clear the mobile accounts? We're clearing all users on each boot already.

Also I suppose the question then becomes was it building up on a machine that uses mobile accounts to make it eventually start failing to boot.

We use a script run by a launch daemon that runs on each startup to clear out any accounts that aren't admin so we're not getting a build up of local accounts. Clearly this isn't enough so something else is getting broken/filled up that then causes the intermittent boot issue.

I've tried clearing all caches I can think of etc. but obviously there has to be something.

I just got done re-imaging our entire space again. One machine started acting up about ~3 weeks after the last re-image, and afterward it spread like wildfire. It is definitely affecting the most heavily used machines first, which makes the mobile account theory make a lot of sense.

We are going to implement the mobile account change ASAP and see if that helps.

@allanp81 are you just removing the home folder or are you removing them from the local directory? Are you running something like dscl . -delete /users/student_account in your script?

@allanp81 since we are still testing, I am just deleting the accounts one by one. If someone has a script to delete accounts (last login older than a month or something) I would give it a try on a cart or two.

@ssrussell We're doing pretty much exactly that.

@ssrussell Here is the simple version of the script we have been using to delete mobile accounts. We are deleting every 7 days in places and still having the hanging at startup.

#!/bin/sh
userList=`dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}'`
# Deleting account and home directory for the following users...
for a in $userList ; do
#To change timefrme to a different number of days adjust the parameter, for instance, -mtime +3 is three days since modification
find /Users -type d -maxdepth 1 -mindepth 1 -not -name "*.*" -mtime +21 | grep "$a";
if [[ $? == 0 ]]; then
dscl . delete /Users/"$a"; #delete the account
rm -r /Users/"$a"; #delete the home directory
fi
done

@Rocky Thanks! I'm going to test this out. Some of our Macs are full to the brim with student accounts. Its nice that his will expire out old stale accounts while leaving the fresher ones on the Macs instead of just wiping all students at startup.

@Rocky I think they are saying that you have to both clear out old mobilized AD accounts and de-mobilize new ones in the AD Bind settings (on desktops only) to see relief from the random startup failures. Many of the computers seeing the issue will show a "kauth" error at startup.

I'll be testing turning off Mobile accounts in the AD-plugin on desktops soon, but haven't yet. In my testing, it only becomes an issue on Macs with a large buildup of mobilized AD accounts.

I've tested turning off mobie accounts but unfortunately it seems to stop user level config profiles stop working. I've logged a ticket with jamf about this but haven't heard anything back since sending screenshots of the issue.

The main question still is what is getting clogged etc. when a load of mobile accounts have been logged into a mac? Clearing the accounts using the dscl command as above doesn't fix it as we're routinely doing that anyway. If you "sudo profiles -P" from terminal you'll see all of the config profiles still there for all of the users that have used the machine, whether the account still exists or not and there's no simple way to clear these but even when you do clear them it doesn't change anything.

What other caches could there be that need clearing or is it just something we'll never get to the bottom of without Apple's assistance? (fat chance of Apple helping as they'll just say upgrade to Sierra).

If upgrading to Sierra fixes this...I'm in! :)

Upgrading to Sierra does not fix this issue. I hadn't seen the problem in a while, but just had to re-load a Sierra test machine to resolve the issue.

@amiller6 Were you able to retest with "Create Mobile Accounts" set to Off ?