- Jamf Nation Community
- Products
- Jamf Pro
- Automated home directory cleanup script not workin...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Automated home directory cleanup script not working
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on
02-13-2019
09:58 AM
- last edited on
03-04-2025
07:34 AM
by
kh-richa_mig
Greetings all,
I'm trying to move what were formerly local login and logout hook files on our lab machines to Jamf Pro. I'm having trouble with one at the moment. It is the script I use to roll out old home directories. We don't want the user home directories to hang around forever, but we don't want students to lose files to a system crash or forgetting to copy them to local storage, so we have a two user buffer before the home directory is deleted. The script runs on logout. This does not seem to work in Mojave. I get a bunch of "operation not permitted" errors. I assume this has something to do with the greater protections in Mojave (the labs were never updated to High Sierra, they are still running Sierra, and have not been under Jamf Pro before either). There is some logic around what directories to get rid of, but the salient portion of things is just:
chflags -Rf nouchg "${baseDirectory}${homeFolder}"
rm -Rf "${baseDirectory}${homeFolder}"
WriteLog "PurgeOldHomes" "${baseDirectory}"${homeFolder}" just died"What I get back is the following (kinda lengthy). The folders that do not have associated errors are indeed deleted like they are supposed to be, but it leaves behind the Library folder, the Pictures folder, and of course the home directory folder itself. The short question is, is there a way around this? We need this functionality. Thanks for any help. Here is a part of the log (alabuser is a substitute for a student ID):
2019-02-13 12:37:56 PurgeOldHomes Working on alabuser
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser is a directory and is being evaluated
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser is Unprotected and is being evaluated
chflags: /Users/alabuser/Library/Application Support/CallHistoryTransactions: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/com.apple.TCC: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/AddressBook: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/CallHistoryDB: Operation not permitted
chflags: /Users/alabuser/Library/IdentityServices: Operation not permitted
chflags: /Users/alabuser/Library/Calendars: Operation not permitted
chflags: /Users/alabuser/Library/Messages: Operation not permitted
chflags: /Users/alabuser/Library/Mail: Operation not permitted
chflags: /Users/alabuser/Library/Safari: Operation not permitted
chflags: /Users/alabuser/Library/Suggestions: Operation not permitted
chflags: /Users/alabuser/Library/Containers/com.apple.Safari: Operation not permitted
chflags: /Users/alabuser/Library/PersonalizationPortrait: Operation not permitted
chflags: /Users/alabuser/Library/Metadata/CoreSpotlight: Operation not permitted
chflags: /Users/alabuser/Library/Cookies: Operation not permitted
chflags: /Users/alabuser/Library/Caches/CloudKit/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Pictures: Operation not permitted
rm: /Users/alabuser/Library/Application Support/CallHistoryTransactions: Operation not permitted
rm: /Users/alabuser/Library/Application Support/com.apple.TCC: Operation not permitted
rm: /Users/alabuser/Library/Application Support/AddressBook: Operation not permitted
rm: /Users/alabuser/Library/Application Support/CallHistoryDB: Operation not permitted
rm: /Users/alabuser/Library/Application Support: Operation not permitted
rm: /Users/alabuser/Library/IdentityServices: Operation not permitted
rm: /Users/alabuser/Library/Calendars: Operation not permitted
rm: /Users/alabuser/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
rm: /Users/alabuser/Library/Preferences/com.apple.universalaccess.plist: Operation not permitted
rm: /Users/alabuser/Library/Preferences: Operation not permitted
rm: /Users/alabuser/Library/Messages: Operation not permitted
rm: /Users/alabuser/Library/Mail: Operation not permitted
rm: /Users/alabuser/Library/Safari: Operation not permitted
rm: /Users/alabuser/Library/Suggestions: Operation not permitted
rm: /Users/alabuser/Library/Containers/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Library/Containers: Operation not permitted
rm: /Users/alabuser/Library/PersonalizationPortrait: Operation not permitted
rm: /Users/alabuser/Library/Metadata/CoreSpotlight: Operation not permitted
rm: /Users/alabuser/Library/Metadata: Operation not permitted
rm: /Users/alabuser/Library/Cookies: Operation not permitted
rm: /Users/alabuser/Library/Caches/CloudKit/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Library/Caches/CloudKit: Operation not permitted
rm: /Users/alabuser/Library/Caches: Operation not permitted
rm: /Users/alabuser/Library: Operation not permitted
rm: /Users/alabuser: Operation not permitted
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser just died
Labels:
- Labels:
-
Jamf Pro
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-13-2019 11:05 AM
SIP is protecting the home folder. Try using sysadminctl to delete the account first (but keep the home directory). Then you can work with the home directory.
/usr/sbin/sysadminctl -deleteUser $user -keepHome
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-13-2019 11:53 AM
Bingo! We used dscl, but same idea, I had to move that in FRONT of the directory deletion, and then everybody was happy. Thanks very much.
Now I'm wondering if there is an advantage in switching it over to sysadminctl. All we do is delete the home directory if it is time for it to go, so we wouldn't even need the --keepHome. We're having to re-engineer some of these scripts anyway (and it's about time, and they're mostly my scripts so I can say that... heh) so it's a good time for any modernization changes.
Thanks again for the direction!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-13-2019 12:01 PM
@bcarter5876 If your environment is enabling FileVault, definitely stick with sysadminctl. When High Sierra introduced secureToken I found too many instances of dscl unintentionally stripping secureToken from users that already had one. I had a VP reboot his Mac on a sales trip to discover only the IT admin account was available from the filevault screen b/c he didn't have secureToken anymore. Fun times...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-13-2019 12:16 PM
yikes Good to know, thank you. These are strictly lab environment machines (multiuser, and no persistent home directories beyond the short rescue rope we throw them, and not FileVaulted) but it still might be worth just doing the change anyway.
