Jamf Nation Community

Thanks @JefferyAnderson 

Used this to resolve an issue we were having.  Tested on macOS 12.3.  Adding here for others to reference if needs be.

We are domain joined in our student labs.  The issue we were/are having is that students sometimes login to a workstation before our technicians login to the workstation.  The first account to login gets the SecureToken and therefore can't be deleted from the system when no other account has a SecureToken and/or the bootstrap hasn't been escrowed. This gives an active directory service account a SecureToken and resolved our problem.  We have a script that runs at login that deletes previous active directory accounts (students) which is where the problem started, unable to delete student accounts when they had a SecureToken.  Note, these lab machines are not encrypted.

Script to create mobile account and "login" while the workstation is till at a login prompt.

#!/bin/zsh

username=$4
password=$5

# Create mobile account
result=$(expect -c "
    spawn /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $username
    expect \"SecureToken\"
    send -- \"\r\"
    expect eof
    ")
echo $result
# Login to mobile account to grant it a secureToken (First user to login)
result=$(expect -c "
    spawn /usr/bin/login
    expect \"login:\"
    send -- \"$username\"
    send -- \"\r\"
    expect \"password:\"
    send -- \"$password\"
    send -- \"\r\"
    expect eof
    ")
echo $result
# Jamf inventory (more for testing)
/usr/local/bin/jamf recon

Script for account deletes at login and information gathering about SecureToken. Some logic in here was borrowed from Jamf Nation, thanks!

#!/bin/zsh

#set -x
clear

# Get the current logged in user
currentLoggedInUser=$(ls -l /dev/console | cut -d " " -f 4)
# List of users that we want to exclude from deletion
usersToKeep=( $currentLoggedInUser $4 )

function secureTokengodmode {
  secureToken=$(/usr/bin/dscl . read /Users/godmode | grep "SecureToken")
  if [[ "$secureToken" == *"SecureToken"* ]]; then
    echo "User: godmode SecureToken status: Enabled"
  else
    echo "User: godmode SecureToken status: Disabled"
  fi
}

function removeAccount {
    removeAccountHome=$(dscl . read /Users/$1 | grep "NFSHomeDirectory" | awk '{print $2}')
    echo "Removing home folder for $1."
    log "Removing home folder for $1."
    rm -rf "$removeAccountHome"
    sleep 3
    if [[ -d "$removeAccountHome" ]]; then
        echo "$removeAccountHome failed to delete, skipping."
        log "$removeAccountHome failed to delete, skipping."
    else
        echo "Removing user account for $1."
        log "Removing user account for $1."
        dscl . -delete "/Users/$1"
        sleep 3
    fi
}

function log {
   timeStamp=$(date)
   echo "$timeStamp - $1" >> "/Library/Logs/deleted user accounts.log"
}

# cleanup!
function cleanup {
    if [[ -f "$outFile"1 ]]; then
        rm "$outFile"1
    fi
}

# Logic

secureTokengodmode

# Get a list of all the users with a UniqueID of greater than 1000 and save to a file
outFile=/var/tmp/output
/usr/bin/dscl . list /Users UniqueID | grep -v "^_" | awk '{if($2>1000)print $1}' > "$outFile"1

echo "List of Users to keep: $usersToKeep"
for usersToDelete in $usersToKeep ; do
    # Use grep to search for an exact match and if found, remove it from the file
    grep -v -Fx "$usersToDelete" "$outFile"1 > "$outFile"2 & mv "$outFile"2 "$outFile"1
done
# Check if the file is empty or not
if [[ -s "$outFile"1 ]]; then
    # Read the output file to an array for processing
    eval "array=($(<"$outFile"1))"
    # Remove the user account and home directory
    for removeUser in $array ; do
        removeAccount $removeUser
    done
    cleanup
else
    echo "No users to delete at this time."
    cleanup
fi

# List remaining users on the workstation
remainingUsers=$(/usr/bin/dscl . list /Users UniqueID | grep -v "^_")
echo "Remaining users:"
echo "$remainingUsers"
log "Remaining users: $remainingUsers"

echo " "
### Secure Token users ###
declare -a secureTokens
declare -a delete
secureTokens=($(fdesetup list -extended | awk '{print $4}'))
#echo ${secureTokens[@]}
delete+=(USER)
delete+=(Record)
#echo ${delete[@]}
for i in ${delete[@]}; do
secureTokens=( "${secureTokens[@]/$i}" )
done
#echo ${secureTokens[@]}
function join { local IFS="$1"; shift; echo "$*"; }
result=$(join , ${secureTokens[@]})
echo "Remaining Secure Token Users: $result"
log "Remaining Secure Token Users: $result"

echo " "
bootstrap=$(profiles status -type bootstraptoken)
if [[ $bootstrap == *"escrowed to server: YES"* ]]; then
    echo "Bootstrap Status: Escrowed"
    log "Bootstrap Status: Escrowed"
else
    echo "Bootstrap Status: Not Escrowed"
    log "Bootstrap Status: Not Escrowed"
fi

exit

 Perhaps this can be of use to others.

I haven't used that in production in awhile. But I'm not aware of any OS changes that would break it off the top of my head. I'd try running it locally and see if it works there.
The way I wrote the display dialog prompt may wait on a "Jamf would like to access system events" prompt. but other than that I'm not sure what could be happening.

I updated the Display Dialog function in case that was causing the infinite spinning

So that means the script couldn't add the user, and most likely the computer could not contact the domain controller. If you're remote and using VPN you'll want to make sure VPN is connected before trying this.