Auto delete files left on desktop and downloads

rgauthier
New Contributor III

Does anyone know if there is a command or commands that I could use to remove files left on the desktop after user logs out? This account is a generic account that other students will be using. There are other policies I will like to set as well. What I'm trying to do is keep the computers running smooth by deleting all the histories on the browsers, deleting any downloads and emptying the trash bin.

Thanks in advance!

23 REPLIES 23

honestpuck
Contributor

Have you considered having a script that deletes the user and then creates it again using jamf deleteAccount and 'jamf createAccount`? If you set up your user template properly that would work fine.

You could then scope a bunch of policies to set up the account at login.

Many applications fill the user folder with settings etc that would need to be recreated every time. Some very badly behaved applications fill it up with gBs of data. For example a previous version of Reason copied its instrument library into the user folder: that was 10GB

obi-k
Valued Contributor II

Maybe a Guest User account would work for you?

https://www.macrumors.com/how-to/create-guest-account-macos/

rgauthier
New Contributor III

That's not a bad idea. I will test it tomorrow to see if this option will work for us. Thanks!

I could also test the guest account as a last resort. Thanks!

rgauthier
New Contributor III

@ honestpuck, I forgot that the local account needs to have a blank password. Therefore, deleting the account and re-creating it will force me to add a password onto it using JAMF. Thanks though.

drtaru
New Contributor III

Beware with using blank passwords, MacOS 10.15 has removed support for blank passwords and acts really funky if you try and use no password

mm2270
Legendary Contributor III

@rgauthier Uhm, what you're describing is a Guest account - no password, all the user contents are removed on logout. Just use that if that's how you need it to work. In either case, it's a security risk to have accounts with no passwords, but if that's how you need this to work, then I'd at least go with the OSes built in option instead of trying to hack a scripted process together.

jhuls
Contributor III

I have one lab left where I use a policy that triggers on logout to remove the entire user account and user profile using jamf deleteAccount. I have seen on occasion where it leaves a couple crumbs but that was awhile back(probably the dangers of doing anything extensive on logout). Those crumbs never have any data tied to the user but usually not much more than the user profile folder but empty. Originally it worked perfect but then after a few updates to macOS and Jamf it started doing this at random times. I haven't seen it do it for awhile but have been considering creating a startup policy that would run the script to remove the profile if it still exists. All of our Macs reboot nightly so even if a student fails to logout(that of course NEVER happens), the nightly reboot will clean everything up.

As for the account itself it's an active directory account. We were told some time back not to have blank passwords anymore so we just use the school name as the password on the account. It's simple enough for students to use and credentials are posted in the room.

The best solution(for us anyways...maybe not you) is to give students their own accounts. When I took Mac support over, they were using one local account that had admin privileges and had Deep Freeze to reset things on restart in all of our labs. I found DF to be getting in my way too often and the previous tech was supposed to have moved them over to AD so I revamped things plus I'm not a fan of giving students admin. In all but one of the Mac labs the students are now using assigned AD accounts with no admin privileges. It's not their own accounts but it's the best I could convince the "powers that be" of doing and it works great. The students get their own environment to work in and customize and we don't have to worry about removing data except at the end of the semester. Like I said I still have one lab that uses only one account and it's working "ok". In the last few days there's been some chatter about letting the students use their own accounts everywhere but we have to solve printing since all printing goes through our servers. This is why the other Mac labs have assigned accounts as those accounts have printer access. The accounts that each student has for their email does not have printer access. At least the chatter is happening now though.

atomczynski
Valued Contributor

With a guest account the data is reset at logout. I'm looking for a way to have the ability to run this task at a define trigger or schedule by me.

Some of the apps we have require few hand touches after deployment and don't work correctly as default. Think of it like a spring cleaning.

We have a policy to create the user account with a password, then a policy to change the password to blank
That's on student devices.

I also have a small fleet of loaners for staff and they use a generic local account in that case and I'd like to sanitize it when confirmed they are done. Right now I sign them out of Google browser and delete downloads, etc.

rgauthier
New Contributor III

Thanks for your response. If you can, it will be a tremendous help to us at our school. Feel free to either email me the instructions you taken to accomplish this or re post here. My email address is rgauthier@schools.nyc.gov.

Thanks again and stay safe out there.

rgauthier
New Contributor III

@ jhuls Thanks for your response. I'm working with the security and Network team to guide me on the right path to setup Active directory and added to jamf cloud. What you posted, sounds exactly what I was trying to do. As of now, I running HIgh Sierra on most of the Macs in our school. So blanking the password is not a problem at the moment. If you know a way I could set a policy to log that standard user and delete any files left on the desktop, it will be much appreciated if you have a way to do that. I know setting up a guest account will be idea. I guess that will be my last option.

Thanks again for your reply.

rgauthier
New Contributor III

@mm2270, I will research OSes built in option. I'm not sure what that is. The account that I have currently with no password, is a standard managed account with a few policies I set up. If you could, can you let me know what OSes built in option is and how it works? I tried looking it up, but it seems like it's a Windows thing. I could be wrong. Any help will be much appreciated.

Thanks for your reply.

rgauthier
New Contributor III

@atomczynski The policy you have set for the browsers and etc, do you mind sharing it with me? I would love to test it on my laptop. You can either email me or just posted here. My email address is rgauthier@schools.nyc.gov.

Thank you! Stay safe.

atomczynski
Valued Contributor

Safari - reset settings to default
https://github.com/palantir/jamf-pro-scripts/blob/master/scripts/Reset%20Safari.sh

claudiogardini
Contributor

We just move the entire Home Directory to a temporary Location and add a Timestamp where it stays for a few days. If the User misses some files you can always go and grab them from there.

The Homefolder ist automatically recreated from the Template on the next Login.

rgauthier
New Contributor III

@ claudiogardini , is there a way to do this remotely and set it for multiple computers? Thanks for your response.

rgauthier
New Contributor III

@ atomczynski, Thanks I will check it out.

claudiogardini
Contributor

@rgauthier Sure, just have a Logout Trigger configured in jamf and run the Script ongoing on Logout.

TSOAFTVPPC
Contributor

If you are concerned about cruft, the desktop is only the most obvious place that it accumulates, if only the most unattractive, Most problems occur however with cruft that accumulates elsewhere in the User folder. The guest account is the surest way to avoid this however many apps rely on the user folder to store settings etc,  Depending on the complexity of the app a new user experience everytime one launches can be tiresome and sometimes confusing for end users.
We have a script that runs on startup the simply deletes everything in all the places that accumulate cruft.

TDManila
New Contributor III

UP! looking for this too

This is no longer possible in the newer Operating Systems. You will need to use the Guest Account for this. 

Still works in Ventura, however you need to grant the bash app full disk access under Privacy & Security in System Settings.

But the Logout Trigger is no longer available. So how do you trigger the cleanup?