Auto Refreshing User Folder on Login/Logout

chadlawson
Contributor

I have a handful of workstations I need to be able to secure against people leaving themselves logged into cloud services, as well as cleaning up screenshots, personal documents, etc.

I'd like to have a script that, on logout, moves the user's home folder to a temporary location (in case files need to be recovered) so when they log in a new home folder is created. Essentially, I want to create the capability of the guest account but with some flexibility. And I'm pretty sure one of my 400 (fka CCE) classmates did exactly this last year.

The problem is that with Mojave, there seems to be something preventing the move. Even if I remove the "group:everyone deny delete" ACL from the user's folder, I still get a "operation not permitted" error.

How can I automate this process in Mojave, or what is the best way you've found to accomplish the directive I've been given to clear the workstation account on every login?

Thanks,

Chad

1 REPLY 1

adminNWA
New Contributor III

I am not doing exactly what you are doing because I am not preserving the contents of the home directory but this is what I have setup.

I configure a policy to execute on startup. The policy executes the following script

#!/bin/sh accountExists=$(dscl . list /Users | grep "student") #if the account exists, this variable will equal the account name

run loop to test to make sure that student has been deleted

loopCount=1 while [ -n "$accountExists" ] do #while the folder exists, do this loop echo "Attempt # $loopCount to delete $accountExists account" /usr/local/bin/jamf deleteAccount -username "student" -deleteHomeDirectory sleep 5 accountExists=$(dscl . list /Users | grep "student") if [ "$loopCount" -ge 13 ]; then exit 1 fi ((loopCount++)) done

create student account

/usr/local/bin/jamf createAccount -username "student" -realname "student" -password "#####" -home "/var/student"

On logout I have another policy that runs and executes this command

/usr/local/bin/jamf deleteAccount -username "student" -deleteHomeDirectory

The startup script has the added complexity of checking to make sure that the student folder has been deleted, and if it has not, it loops until it has been deleted. Once I am sure that the account is gone I run the jamf createAccount command. This usually requires about 30-45 seconds on startup before the account is present and the students can login.

This solution has been really reliable, close to 100%, just as good as the guest account.

Because the startup script makes sure the account is deleted first the process is also auto correcting. If a student forces a shutdown (by holding the power button) the startup script will detect that the student account was not deleted and it will delete it and then recreate it.

The only time there is a problem is when a student logs out of the student account without shutting down the computer. Because on logout the student account is deleted, BUT it is only recreated on startup. However a restart of the computer will fix the problem because on startup the student account will be recreated.

Rather than executing the single JAMF command "/usr/local/bin/jamf deleteAccount -username "student" -deleteHomeDirectory" on logout I could create a logout script that on logout deleted the student account and then powered the computer down. I may do that for the next academic year, but right now this has been working.

I assume that one option you would have with the jamf deleteAccount command would be to preserve the home folder. You could probably test that really quickly just by changing your logout command to be

/usr/local/bin/jamf deleteAccount -username "student"

That should delete the user account but not the home folder. But there may be an additional directive like -deleteHomeDirectory that would allow you to delete a user account and preserve their home folder. I would just check the jamf command options.