Jamf Nation Community

I have bee seeing this too, one of the symptoms is outlook can't create it's preferences in the users library. I ended up putting in self service a script that set ownership of the home directory using chown and running diskutil command resetting user permissions using the user's UID.

chown -R $loggedInUser:staff /Users/$loggedInUser

diskutil resetUserPermissions / $loggedInUser_UID

Would like to find the source of this issue, this been a problems with mobil account in Catalina & Big Sur. For now I would like to figure out how to use extension atribute and a smart group to run this when the users logged in after upgrading to Catalina & Big Sur.

I'm seeing this issue with Macs with local, non-admin accounts as well. This only seems to happen to managed Macs AD or not.

This has been a non-stop battle as I have been seeing in on ANY MacBook with Big Sur whenever a new account from AD is created on the machine. The permissions are not correct and the user can not save to Downloads and Documents without us having to correct the permissions. This permission issue also messes up the Keychain because when the user account is created the /Library/Keychain inside the user directory is a file not a directory. We have to delete this file and create a directory, and then make sure the user is the owner and such. This has been an absolute nightmare and we are about to have 250+ new MacBooks coming in sometime over the next few months.

Here is the full script I use.

#!/bin/sh

####################################################################################################

#

# ABOUT THIS PROGRAM

#

# NAME

# reset_user_permission.sh -- Reset user's home folder permissions

#

# SYNOPSIS

# sudo reset_user_permission.sh

#

####################################################################################################

#

# HISTORY

#

# Version: 1.1

# Michael A. Burdett

# 2019/03/05

#

# Reference

# https://support.apple.com/en-us/HT203538

#

#####################################################################################################

# variables

#get current loged in user

loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

loggedInUser_UID=`id -u $loggedInUser`

#set log File

logfile="/Library/Logs/reset_user_permission_for_$loggedInUser.log"

#get os Version

os_ver=$(sw_vers -productVersion)

 

#Take Local time machine snapshot

if [[ "$os_ver" -ge 10.13.* ]]; then

  /bin/echo "--" >> ${logfile}

  /bin/echo "`date`: Takeing a Time Machine Snapshot" >> ${logfile}

  osascript -e 'display notification "Takeing a Time Machine Snapshot" with title "JAMF Management" sound name "Tink"'

  sleep 1

  tmutil snapshot

fi

 

#set permissions using chown

/bin/echo "--" >> ${logfile}

/bin/echo "`date`: set user permission for $loggedInUser using chown" >> ${logfile}

echo display notification \"Setting permission for $loggedInUser home folder\" with title \"JAMF Management\" sound name \"default\" | osascript

sleep 1

chown -R $loggedInUser:staff /Users/$loggedInUser

 

#reset permissions using diskutil

/bin/echo "--" >> ${logfile}

/bin/echo "`date`: set user permission for $loggedInUser using disk utility reset User Permissions" >> ${logfile}

echo display notification \"Setting permission for $loggedInUser home folder using Apple Disk Utility\" with title \"JAMF Management\" sound name \"default\" | osascript

sleep 1

diskutil resetUserPermissions / $loggedInUser_UID

 

#restart messsage

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

windowType="hud"

description="Your computer needs to be restarted to finish the permission repairs. To restart, select 'Restart' below. Applications will Quit and a restart will begin immediately. If you are unable to restart at the moment, please select 'Cancel.'

 

*Please save all working documents before selecting 'Restart.'

 

If you require assistance, please contact the Service Desk"

 

button1="Restart"

button2="Cancel"

icon="/Library/Application\ Support/JAMF/bin/TECHdesklogoWhitebox.png"

title="Restart required"

alignDescription="left"

alignHeading="center"

defaultButton="2"

cancelButton="2"

timeout="300"

 

userChoice=$("$jamfHelper" -windowType "$windowType" -lockHUD -title "$title" -timeout "$timeout" -defaultButton "$defaultButton" -cancelButton "$cancelButton" -icon "$icon" -description "$description" -alignDescription "$alignDescription" -alignHeading "$alignHeading" -button1 "$button1" -button2 "$button2")

 

if [ "$userChoice" == "0" ]; then

    echo "User clicked Restart; Quiting applications"

    osascript -e 'display notification "Restarting Computer" with title "JAMF Management" sound name "Tink"'

    osascript -e 'tell application "System Events"' -e 'restart' -e 'end tell'

 

elif [ "$userChoice" == "2" ]; then

    echo "User clicked Cancel or timeout was reached; now exiting."

      osascript -e 'display notification "You clicked Cancel or timeout was reached.  Please restart as soon as possible." with title "JAMF Management" sound name "Tink"'

    exit 0

fi

 

This has been so problematic I set a policy to run this script on login, once per computer per user.  It annoying to have all users login and then be asked to restart but it seem to take care of the issue until the underlining issue if found.

Another way to Repair Permissions in Home Folder

1. Start up in Recovery mode by holding Command-R.
2. Once in Recovery mode, open Terminal from the Utilities menu.
3. There type repairHomePermissions and press Return.
4. That should launch the Repair Home app. Select the correct user account from those offered, and enter the admin password for that account. If that isn’t an admin account, Apple doesn’t explain what you should do.
5. Then click on the Next button.
6. Once that has completed, click on the Exit button.
7. In the main Recovery mode window, select Reinstall macOS, and click on Continue to reinstall macOS in its entirety.
8. Once that is complete, restart in normal mode.