Convert Managed Mobile Account?

musat
Contributor II

Hello, We are starting the final implementation year of a 1:1 student device rollout in my school district. I know that at the end of this next school year we are going to be offering the departing 8th graders the option to purchase their MacBook. Due to that, I am starting to look into what it will take to remove everything district related from the device. One major stumbling block I have run into is how to convert their user account. I can delete the directory bindingwithout issues. However, the account is still listed as "Managed, Mobile" in the Users & Groups" System Preferences pane. So, how can I go about changing this account to a "regular" account so that they can keep all of their data and settings? So far, I have only seen the steps of deleting the old account and creating a new one, using the same Users directory. But that would require logging in with a third account, which is an extra step we would like to be able to avoid with our 8th graders.

Tim

3 REPLIES 3

joshuasee
Contributor III

Is there a particular downside to leaving it as managed, mobile? With the directory binding gone it shouldn't further trouble your servers, and the account would remain usable. If you do want to convert the account, the process could be automated with a script, but wouldn't you want to setup and login with another admin account anyway for the parent/guardian? I do know of one ridiculously labor intensive technique that would avoid a login:
1) Clone the boot drive to an external drive.
2) Erase and reimage the machine using the recovery partition or an unbooted image.
3) When Setup Assistant runs, migrate the account back in from the external drive.

rcorbin
Contributor II

@musat Were you able to come up with a solution for this ?

@joshuasee The problem with just unbinding the machine is then the user no longer has the ability to change their password. I don't think the local admin account can even reset that password. Yes other than that everything else works fine.

Simmo
Contributor II
Contributor II

I created a script for this a while back, this version is modified for OS X 10.10 only.
Edit it to reflect your environment and test first.
I have only tested using this at login, haven't tried out of self service.

#!/bin/bash

#  Recreate User Account.sh
#
#  This script is designed to remove a mobile user account and re-create
#  a local account with the same username, home folder and password 
#  from user-input. As this script calls the binary sysadminctl it 
#  will only work on OS X 10.10 or later, earlier versions of OS X will 
#  need to use dscl to remove and re-create the user.

#Gets the short name of the currently logged in user
loggedInUser=$3

#Get loggedInUser UID
UserUID=`dscl . read /Users/"$loggedInUser" UniqueID | grep UniqueID: | cut -c 11-`

#Exit if UID is under 1000 (local account)
if [[ "$UserUID" -lt 1000 ]]; then
echo "Not a mobile account, exiting"
exit 2
else

#Gets the real name of the currently logged in user
userRealName=`dscl . -read /Users/$loggedInUser | grep RealName: | cut -c11-`
if [[ -z $userRealName ]]; then
userRealName=`dscl . -read /Users/$loggedInUser | awk '/^RealName:/,/^RecordName:/' | sed -n 2p | cut -c 2-`
fi

#Prompts user to enter their login password
loginPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please enter your login password." ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`

#Confirm password.
confirmPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please confirm your password" ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`

defaultPasswordAttempts=1

#Checks to make sure passwords match, if they don't displays an error and prompts again.
while [ $loginPassword != $confirmPassword ] || [ -z $loginPassword ]; do
`/usr/bin/osascript <<EOT
tell application "System Events"
activate
display dialog "Passwords do not match. Please try again." ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1
end tell
EOT`

loginPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please enter your login password." ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`

confirmPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please confirm your password" ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`

defaultPasswordAttempts=$((defaultPasswordAttempts+1))

if [[ $defaultPasswordAttempts -ge 5 ]]; then
`/usr/bin/osascript <<EOT
tell application "System Events"
activate
display dialog "You have entered mis-matching passwords five times. Please come to the IT desk for assistance." ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1
end tell
EOT`
echo "Entered mis-matching passwords too many times."
exit 1
fi

done

#This will delete the currently logged in user
sysadminctl -deleteUser "$loggedInUser" -keepHome

#Gets the current highest user UID
maxid=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)

#New UID for the user
newid=$((maxid+1))

#Creating the new user
sysadminctl -addUser "$loggedInUser" -UID "$newid" -fullName "$userRealName" -password "$loginPassword" -home /Users/"$loggedInUser" -admin

#Make sure ownership is set correctly
chown -R "$loggedInUser":staff /Users/"$loggedInUser"


echo "Script successful."

fi

sleep 3

#refresh to login window
ps -Ajc | grep loginwindow | awk '{print $2}' | xargs kill -9

exit 0