Delete user DATA on logout, not account

palitech
New Contributor

We've got a few MacBook Air carts on our campus used by various students. Each cart has one admin account for us techs, and one standard account for the students. I would like to be able to delete the data that students are storing on the computer locally. They are not AD accounts, and I would not like to delete the whole account. I've been on the Discussions section and have found great scripts others are already using, but they mostly mention deleting the home folder. I would just like to delete the data stored in the Docs, Desktop, and Downloads folder. Now we are new to JAMF let alone scripting and logout hooks so any advice or ideas would also be appreciated. Would this be possible? Or would we have to delete the account and recreate it at the same time every logout? Thanks guys

11 REPLIES

alexjdale
Valued Contributor III

Depending on the requirements, you might want to keep a clone of the default student home folder somewhere and have a startup script that deletes the existing folder (or moves it as a rotating backup so you always have access to the last version) and copies the "template" to /users so there is always a fresh profile on reboot. Sort of like a "deep freeze" for that one home folder.

davidacland
Honored Contributor II

I would personally delete the home folder and then create a new one from the user template. This is because users could leave items in the root of the home folder that you could miss. The script would look something like this:

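#!/bin/sh

# Remove the existing home folder
rm -Rf /Users/home_folder_name
# Copy a fresh profile from the user template (the path contains a space, so quote it)
cp -R "/System/Library/User Template/English.lproj" /Users/
mv /Users/English.lproj /Users/home_folder_name
# Give the new home folder back to the account
chown -R home_folder_name /Users/home_folder_name

exit 0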

If you do just want to empty a few sub-folders from the home folder it would be:

#!/bin/sh

rm -Rf /Users/home_folder_name/Desktop/*
rm -Rf /Users/home_folder_name/Documents/*
rm -Rf /Users/home_folder_name/Downloads/*

exit 0

You could always get a bit fancier with a for loop but the basic script above would do the trick.

Hope this helps.
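A more defensive variant of the second script, as an added example that is not part of the original thread: it also removes hidden dotfiles, which the `/*` glob leaves behind, refuses empty or relative paths, and skips folders that have been replaced by symlinks. The function name `purge_user_data` is hypothetical, and `home_folder_name` is the thread's placeholder.

```shell
#!/bin/sh
# Added example: empty selected folders in one local home directory at logout.
# purge_user_data is a hypothetical name; home_folder_name is a placeholder.

# purge_user_data HOME_DIR [FOLDER...]
# Deletes everything inside each named folder (dotfiles included) but keeps
# the folders themselves and the rest of the home directory.
purge_user_data() {
    home_dir=$1
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- Desktop Documents Downloads

    # Refuse empty, root or relative paths so a blank variable can never
    # turn the cleanup into a delete of some other location.
    case $home_dir in
        ""|/|[!/]*) echo "refusing unsafe home path: '$home_dir'" >&2; return 2 ;;
    esac
    [ -d "$home_dir" ] || { echo "no such directory: $home_dir" >&2; return 2; }

    rc=0
    for folder in "$@"; do
        target=$home_dir/$folder
        # Skip symlinks: a user could replace Desktop with a link to another
        # location, and a policy script runs as root.
        if [ -L "$target" ] || [ ! -d "$target" ]; then
            echo "skipping $target (missing or a symlink)" >&2
            rc=1
            continue
        fi
        # -mindepth 1 keeps the folder itself; -delete removes the contents
        # depth-first and does not follow symlinks found inside.
        find "$target" -mindepth 1 -delete || rc=1
    done
    return $rc
}

# Run only when a home path is passed as the first argument, e.g.
#   purge.sh /Users/home_folder_name
if [ -n "${1:-}" ]; then
    purge_user_data "$1"
fi
```

A non-zero exit status means at least one folder was skipped or could not be emptied, so the policy log shows when a cleanup was incomplete.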

palitech
New Contributor

@alexjdale thank you for your input. I will look into this further with our administrator. In the meantime I just set up a policy with @davidacland's second script and it works great. Thanks again to you both for your swift and helpful responses! We appreciate it.

H3144-IT
Contributor II

Alternatively, have a look at Faronics DEEP FREEZE for Mac.

http://www.faronics.com/products/deep-freeze/mac/

Wipes any Data & installed Software at each Reboot...
You can schedule Maintenance Windows & automate them with Casper Suite.

Simmo
Contributor II

Curious, if you don't want to store any data on the account, could you not just use the Guest account, or a custom guest account?

stevevalle
Contributor III

Hi @palitech.

I have created 2 policies and made them available offline. The first creates a "Student" account on startup, the second deletes the account on logout/shutdown. Student account is not an administrator.

Doing this ensures that any modifications to the account when logged in, i.e. changes in dock, desktop pattern, etc., are not present when another student logs in.

Hope this helps.

Steve

Randydid
Contributor II

@stevevalle

Your solution is perfect for the same issue the OP stated above. I have inherited a 10.8.5 image that I have neither the time nor motivation to mess with too much. The User Create/Delete policy is great but my predecessor did not suppress the AppleID prompt at login in the default user template. I will be updating this image next summer, but in the meantime, would love an easy fix and this does it minus the Apple ID registration at login.

The backstory is this: Students are logging into the 'Student' user account and then posting test answers in the Documents/Desktop folders for class sections later on.

/randy

stevevalle
Contributor III

@Diddel

To combat this, I have changed the value of the DidSeeCloudSetup key to TRUE in this file:

~/Library/Preferences/com.apple.SetupAssistant

Use composer to capture this file, upload it to Casper Admin and ensure that FUT is ticked. You can then set a policy that pushes out this file and saves it to the users template. That way, any new user that is created will not get the iCloud popup.

Hope that helps

adminNWA
New Contributor III

I have tried the policy solution as @stevevalle suggests and what I am finding is that it is about 85% effective, but about 15% of the time the create user policy fails because it says that the user already exists. To combat that I have added the following script to the create user policy and set it to execute before other items in the policy:

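#!/bin/sh

# Replace [account short name] with the student account's short name.
if [ -d "/Users/[account short name]" ]; then
   # Remove the home folder, then the local directory-service record
   sudo rm -Rf "/Users/[account short name]"
   sudo dscl . delete "/Users/[account short name]"
   echo "Preparing to create student account... please wait"
   sleep 30
fi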

Because it takes a little bit of time for the account to wipe I sleep the script for 30 seconds.

Still I am not getting 100% success. I still encounter issues where the create account policy cannot run because the account already exists.

I'm thinking that the script inside of the policy may not be executing 1st all of the time, is that possible?

I'm also thinking that maybe 30 seconds may not be enough time and I may have to move it to a minute?

I'm not sure what is happening when the students are putting their laptops away that the delete script is not always completing. I'm thinking that maybe putting a loop script that runs after the delete policy fires that loops until the account is actually deleted may solve part of the problem, but I worry that what is really going on is that students go to the Apple menu and select shutdown but then are closing the lid before the shutdown process completes.

Does anyone have any suggestions that would allow me to get this to work 100% of the time? All I am trying to do is to wipe the student account when the student shuts down the computer and to re-create the student account when the student powers on the computer.

el2493
Contributor III

@adminNWA if you think the issue is that the account isn't deleting before the script tries to create an account, could you build a while loop into this to loop until the account is deleted? I haven't tested it, but something like this (you would enter this instead of sleep 30):

#!/bin/sh
# Replace [account short name] with the student account's short name.
# grep -Fx matches the whole line literally, so similar account names do not count.
accountExists=$(dscl . list /Users | grep -Fx "[account short name]") #if the account exists, this variable will equal the account name
countUp=0
while [ -n "$accountExists" ]
do #while the account exists, do this loop
    echo "$accountExists still exists"
    sleep 5
    accountExists=$(dscl . list /Users | grep -Fx "[account short name]") #check again to see if account exists
    countUp=$((countUp + 1)) #POSIX arithmetic, works under /bin/sh
    if [ "$countUp" -ge 12 ]; then #makes it cancel if it's checking for more than 1 minute and account is still there
        echo "$accountExists still exists after 1 minute, could not delete account"
        exit 1
    fi
done

Again I haven't tested it, but in theory that should stay in the loop while the account still exists and then exit out of the loop (and allow you to run the command to create the account) when the account doesn't exist. So if 15% of the time it's taking more than 30 seconds to delete the account, this could help (and if you find it takes 1-2 minutes for the account to delete, you could change it to if [ "$countUp" -ge 24 ]).

el2493
Contributor III

*Sorry, just read your full comments and saw that you already considered doing a loop. And yeah, the loop wouldn't help if the issue was students not shutting down properly (like holding down the power button rather than shutting down properly, or running the laptop until the battery died)