Question

Automated home directory cleanup script not working

6 years ago
February 13, 2019
4 replies
0 views

+14

thebrucecarter
Jamf Heroes
112 replies

Greetings all,

I'm trying to move what were formerly local login and logout hook files on our lab machines to Jamf Pro. I'm having trouble with one at the moment. It is the script I use to roll out old home directories. We don't want the user home directories to hang around forever, but we don't want students to lose files to a system crash or forgetting to copy them to local storage, so we have a two user buffer before the home directory is deleted. The script runs on logout. This does not seem to work in Mojave. I get a bunch of "operation not permitted" errors. I assume this has something to do with the greater protections in Mojave (the labs were never updated to High Sierra, they are still running Sierra, and have not been under Jamf Pro before either). There is some logic around what directories to get rid of, but the salient portion of things is just:

chflags -Rf nouchg "${baseDirectory}${homeFolder}"
rm -Rf "${baseDirectory}${homeFolder}"
WriteLog "PurgeOldHomes" "${baseDirectory}"${homeFolder}" just died"

What I get back is the following (kinda lengthy). The folders that do not have associated errors are indeed deleted like they are supposed to be, but it leaves behind the Library folder, the Pictures folder, and of course the home directory folder itself. The short question is, is there a way around this? We need this functionality. Thanks for any help. Here is a part of the log (alabuser is a substitute for a student ID):

2019-02-13 12:37:56 PurgeOldHomes Working on alabuser
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser is a directory and is being evaluated
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser is Unprotected and is being evaluated
chflags: /Users/alabuser/Library/Application Support/CallHistoryTransactions: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/com.apple.TCC: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/AddressBook: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/CallHistoryDB: Operation not permitted
chflags: /Users/alabuser/Library/IdentityServices: Operation not permitted
chflags: /Users/alabuser/Library/Calendars: Operation not permitted
chflags: /Users/alabuser/Library/Messages: Operation not permitted
chflags: /Users/alabuser/Library/Mail: Operation not permitted
chflags: /Users/alabuser/Library/Safari: Operation not permitted
chflags: /Users/alabuser/Library/Suggestions: Operation not permitted
chflags: /Users/alabuser/Library/Containers/com.apple.Safari: Operation not permitted
chflags: /Users/alabuser/Library/PersonalizationPortrait: Operation not permitted
chflags: /Users/alabuser/Library/Metadata/CoreSpotlight: Operation not permitted
chflags: /Users/alabuser/Library/Cookies: Operation not permitted
chflags: /Users/alabuser/Library/Caches/CloudKit/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Pictures: Operation not permitted
rm: /Users/alabuser/Library/Application Support/CallHistoryTransactions: Operation not permitted
rm: /Users/alabuser/Library/Application Support/com.apple.TCC: Operation not permitted
rm: /Users/alabuser/Library/Application Support/AddressBook: Operation not permitted
rm: /Users/alabuser/Library/Application Support/CallHistoryDB: Operation not permitted
rm: /Users/alabuser/Library/Application Support: Operation not permitted
rm: /Users/alabuser/Library/IdentityServices: Operation not permitted
rm: /Users/alabuser/Library/Calendars: Operation not permitted
rm: /Users/alabuser/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
rm: /Users/alabuser/Library/Preferences/com.apple.universalaccess.plist: Operation not permitted
rm: /Users/alabuser/Library/Preferences: Operation not permitted
rm: /Users/alabuser/Library/Messages: Operation not permitted
rm: /Users/alabuser/Library/Mail: Operation not permitted
rm: /Users/alabuser/Library/Safari: Operation not permitted
rm: /Users/alabuser/Library/Suggestions: Operation not permitted
rm: /Users/alabuser/Library/Containers/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Library/Containers: Operation not permitted
rm: /Users/alabuser/Library/PersonalizationPortrait: Operation not permitted
rm: /Users/alabuser/Library/Metadata/CoreSpotlight: Operation not permitted
rm: /Users/alabuser/Library/Metadata: Operation not permitted
rm: /Users/alabuser/Library/Cookies: Operation not permitted
rm: /Users/alabuser/Library/Caches/CloudKit/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Library/Caches/CloudKit: Operation not permitted
rm: /Users/alabuser/Library/Caches: Operation not permitted
rm: /Users/alabuser/Library: Operation not permitted
rm: /Users/alabuser: Operation not permitted
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser just died

+15

cbrewer
Esteemed Contributor
719 replies
6 years ago
February 13, 2019

SIP is protecting the home folder. Try using sysadminctl to delete the account first (but keep the home directory). Then you can work with the home directory.

/usr/sbin/sysadminctl -deleteUser $user -keepHome

+14

thebrucecarter
Author
Jamf Heroes
112 replies
6 years ago
February 13, 2019

Bingo! We used dscl, but same idea, I had to move that in FRONT of the directory deletion, and then everybody was happy. Thanks very much.

Now I'm wondering if there is an advantage in switching it over to sysadminctl. All we do is delete the home directory if it is time for it to go, so we wouldn't even need the --keepHome. We're having to re-engineer some of these scripts anyway (and it's about time, and they're mostly my scripts so I can say that... heh) so it's a good time for any modernization changes.

Thanks again for the direction!

+15

sshort
Valued Contributor
301 replies
6 years ago
February 13, 2019

@bcarter5876 If your environment is enabling FileVault, definitely stick with sysadminctl. When High Sierra introduced secureToken I found too many instances of dscl unintentionally stripping secureToken from users that already had one. I had a VP reboot his Mac on a sales trip to discover only the IT admin account was available from the filevault screen b/c he didn't have secureToken anymore. Fun times...

+14

thebrucecarter
Author
Jamf Heroes
112 replies
6 years ago
February 13, 2019

yikes Good to know, thank you. These are strictly lab environment machines (multiuser, and no persistent home directories beyond the short rescue rope we throw them, and not FileVaulted) but it still might be worth just doing the change anyway.

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos + marketing

Reply

Related topics

Removed computer from Managed VPP App scope, but app was not removedicon

Apps Not Being Removed From iPads (VPP/Deviced-Based Assignment)icon

PI-009041 Jamf attempting to remove unmanaged appsicon

Managed Preferences - Arranging Dock Itemsicon

Apps disappearing after scope changeicon

Most helpful members this week

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings