Automated home directory cleanup script not working

thebrucecarter
Contributor II

Greetings all,

I'm trying to move what were formerly local login and logout hook files on our lab machines to Jamf Pro. I'm having trouble with one at the moment. It is the script I use to roll out old home directories. We don't want the user home directories to hang around forever, but we don't want students to lose files to a system crash or forgetting to copy them to local storage, so we have a two user buffer before the home directory is deleted. The script runs on logout. This does not seem to work in Mojave. I get a bunch of "operation not permitted" errors. I assume this has something to do with the greater protections in Mojave (the labs were never updated to High Sierra, they are still running Sierra, and have not been under Jamf Pro before either). There is some logic around what directories to get rid of, but the salient portion of things is just:

chflags -Rf nouchg "${baseDirectory}${homeFolder}"   # clear any immutable flags before removal
rm -Rf "${baseDirectory}${homeFolder}"
WriteLog "PurgeOldHomes" "${baseDirectory}${homeFolder} just died"   # path kept inside one quoted word

What I get back is the following (kinda lengthy). The folders that do not have associated errors are indeed deleted like they are supposed to be, but it leaves behind the Library folder, the Pictures folder, and of course the home directory folder itself. The short question is, is there a way around this? We need this functionality. Thanks for any help. Here is a part of the log (alabuser is a substitute for a student ID):

2019-02-13 12:37:56 PurgeOldHomes Working on alabuser
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser is a directory and is being evaluated
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser is Unprotected and is being evaluated
chflags: /Users/alabuser/Library/Application Support/CallHistoryTransactions: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/com.apple.TCC: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/AddressBook: Operation not permitted
chflags: /Users/alabuser/Library/Application Support/CallHistoryDB: Operation not permitted
chflags: /Users/alabuser/Library/IdentityServices: Operation not permitted
chflags: /Users/alabuser/Library/Calendars: Operation not permitted
chflags: /Users/alabuser/Library/Messages: Operation not permitted
chflags: /Users/alabuser/Library/Mail: Operation not permitted
chflags: /Users/alabuser/Library/Safari: Operation not permitted
chflags: /Users/alabuser/Library/Suggestions: Operation not permitted
chflags: /Users/alabuser/Library/Containers/com.apple.Safari: Operation not permitted
chflags: /Users/alabuser/Library/PersonalizationPortrait: Operation not permitted
chflags: /Users/alabuser/Library/Metadata/CoreSpotlight: Operation not permitted
chflags: /Users/alabuser/Library/Cookies: Operation not permitted
chflags: /Users/alabuser/Library/Caches/CloudKit/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Pictures: Operation not permitted
rm: /Users/alabuser/Library/Application Support/CallHistoryTransactions: Operation not permitted
rm: /Users/alabuser/Library/Application Support/com.apple.TCC: Operation not permitted
rm: /Users/alabuser/Library/Application Support/AddressBook: Operation not permitted
rm: /Users/alabuser/Library/Application Support/CallHistoryDB: Operation not permitted
rm: /Users/alabuser/Library/Application Support: Operation not permitted
rm: /Users/alabuser/Library/IdentityServices: Operation not permitted
rm: /Users/alabuser/Library/Calendars: Operation not permitted
rm: /Users/alabuser/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
rm: /Users/alabuser/Library/Preferences/com.apple.universalaccess.plist: Operation not permitted
rm: /Users/alabuser/Library/Preferences: Operation not permitted
rm: /Users/alabuser/Library/Messages: Operation not permitted
rm: /Users/alabuser/Library/Mail: Operation not permitted
rm: /Users/alabuser/Library/Safari: Operation not permitted
rm: /Users/alabuser/Library/Suggestions: Operation not permitted
rm: /Users/alabuser/Library/Containers/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Library/Containers: Operation not permitted
rm: /Users/alabuser/Library/PersonalizationPortrait: Operation not permitted
rm: /Users/alabuser/Library/Metadata/CoreSpotlight: Operation not permitted
rm: /Users/alabuser/Library/Metadata: Operation not permitted
rm: /Users/alabuser/Library/Cookies: Operation not permitted
rm: /Users/alabuser/Library/Caches/CloudKit/com.apple.Safari: Operation not permitted
rm: /Users/alabuser/Library/Caches/CloudKit: Operation not permitted
rm: /Users/alabuser/Library/Caches: Operation not permitted
rm: /Users/alabuser/Library: Operation not permitted
rm: /Users/alabuser: Operation not permitted
2019-02-13 12:37:56 PurgeOldHomes /Users/alabuser just died


cbrewer
Valued Contributor II

SIP is protecting the home folder. Try using sysadminctl to delete the account first (but keep the home directory). Then you can work with the home directory.

/usr/sbin/sysadminctl -deleteUser "$user" -keepHome
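The ordering cbrewer describes, written out as a purge function. This is an added example, not cbrewer's or the original poster's script; it assumes the script runs as root from a Jamf logout policy, that baseDirectory is /Users, and that the account-removal step is wrapped in its own function so it can be stubbed when the logic is exercised on a non-macOS box.

```bash
#!/bin/bash
# Assumed defaults (override by exporting these before running).
baseDirectory="${baseDirectory:-/Users}"
logFile="${logFile:-/var/log/purgeoldhomes.log}"

WriteLog() {
    # Same "timestamp tag message" shape as the log lines in the question.
    printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2" >> "$logFile"
}

# Account removal lives in its own function: on the lab Macs it is the
# sysadminctl call from the reply; a test can redefine it as a no-op.
deleteAccountKeepHome() {
    /usr/sbin/sysadminctl -deleteUser "$1" -keepHome
}

purgeHome() {
    local user="$1"
    local home="${baseDirectory}/${user}"
    # Refuse names that could walk out of the base directory.
    case "$user" in ''|.|..|*/*) return 2 ;; esac
    [ -d "$home" ] || return 1
    # 1. Drop the user record first; while the account exists the protected
    #    folders under ~/Library produce "Operation not permitted".
    deleteAccountKeepHome "$user" || {
        WriteLog "PurgeOldHomes" "account removal failed for $user, leaving $home"
        return 3
    }
    # 2. Clear the immutable flag (BSD chflags; absent on Linux, so guarded).
    command -v chflags >/dev/null 2>&1 && chflags -Rf nouchg "$home"
    # 3. Now the whole home directory, Library and Pictures included, can go.
    rm -Rf "$home" || return 4
    WriteLog "PurgeOldHomes" "$home just died"
}
```

Because the account is gone before rm runs, a failure in step 1 deliberately leaves the home in place rather than half-deleting it.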

thebrucecarter
Contributor II

Bingo! We used dscl, but same idea, I had to move that in FRONT of the directory deletion, and then everybody was happy. Thanks very much.

Now I'm wondering if there is an advantage in switching it over to sysadminctl. All we do is delete the home directory if it is time for it to go, so we wouldn't even need the --keepHome. We're having to re-engineer some of these scripts anyway (and it's about time, and they're mostly my scripts so I can say that... heh) so it's a good time for any modernization changes.

Thanks again for the direction!

sshort
Valued Contributor

@bcarter5876 If your environment is enabling FileVault, definitely stick with sysadminctl. When High Sierra introduced secureToken I found too many instances of dscl unintentionally stripping secureToken from users that already had one. I had a VP reboot his Mac on a sales trip to discover only the IT admin account was available from the filevault screen b/c he didn't have secureToken anymore. Fun times...

thebrucecarter
Contributor II

Yikes! Good to know, thank you. These are strictly lab environment machines (multiuser, and no persistent home directories beyond the short rescue rope we throw them, and not FileVaulted) but it still might be worth just doing the change anyway.