Help

Activity from a logged off user

RCoS
New Contributor III

Posted on ‎02-19-2018 08:09 AM

Hi,

Our network engineer recently asked me about an issue where a logged off user was still contacting our jamfcloud and the Apple Store even though they had logged off a certain Mac 2 days ago. No-one else had logged into that mac since.

He could see this via logs on the firewall. Our users log in via their active directory account.

Is this normal? The user in question is one of our u16 year olds and we restrict access on their internet, just wondering if this could cause a problem if the last logged on user is still generating traffic. I also assumed it was something like the jamfadmin or adobeinstall account that would be getting used when the mac was sitting at the log in window.

Thanks
Andy

0 Kudos
Reply
7 REPLIES 7

AVmcclint
Honored Contributor

Posted on ‎02-19-2018 08:56 AM

If all he did was log out, then it is possible that there are still processes owned by him that are running. It is annoying that Apple can't make log out mean quit all processes owned by me and log out. If he restarts the computer that should definitely make sure there's no processes owned by that user until he logs in again.

0 Kudos
Reply

AVmcclint
Honored Contributor

Posted on ‎02-19-2018 08:57 AM

You can check this by SSHing to that Mac as the admin user then look up the processes and see who owns them... I'm willing to bet that you'll see more than a few with his name.

0 Kudos
Reply

RCoS
New Contributor III

Posted on ‎02-20-2018 06:27 AM

The strange thing is this user logged out on a Sunday, we have the macs shut down at night and reboot in the morning so by Monday this should have gone. I'll double check the macs are actually shutting down and rebooting and not just on all the time.

Cheers

0 Kudos
Reply

RCoS
New Contributor III

Posted on ‎02-21-2018 01:15 AM

50ccd907b42446ffaa0e2a3f20fe8262
As you can see from the Terminal command the mac in question shutdown 10pm on Sunday night and rebooted 8am Monday morning but activity was still happening on behalf of the last logged in user.

Can this be resolved or is this just the way it is?

0 Kudos
Reply

AVmcclint
Honored Contributor

Posted on ‎02-21-2018 03:40 AM

Is your network engineer seeing just the computer talking to the jamfcloud? If so, that would be normal. The computer sitting at a non-FileVault login window would still check in to the server. Is he seeing the actual user account communicating, because that should be impossible if the computer was rebooted. Maybe they are just seeing the name of the last person known to use that computer even though there really is no communication from that user's account. We have many systems that identify the computer by the last person who logged in.

0 Kudos
Reply

RCoS
New Contributor III

Posted on ‎02-21-2018 03:56 AM

Yeah, I don't think there is any other traffic going anywhere other than jamfcloud or the apple store. It shows on our Firewall as coming from the last known user that was logged on but I am surprised it rememebers this information after a shutdown and reboot.

Just hoping it won't cause an issue as all internet traffic from the account in question should be restricted.

Cheers

0 Kudos
Reply

AVmcclint
Honored Contributor

Posted on ‎02-21-2018 04:00 AM

As long as you can show that the computer has been rebooted and there's no one using the computer during that time, you'll be fine. It's just a peculiarity of the reporting systems we all use.

0 Kudos
Reply