Force logout current macOS User

ccmobilesolutio
New Contributor

Hey everyone,

I'm currently looking for a smart way to automatically log out logged-in macOS users.

Situation:

School using PSSO, users can work on whatever Mac they want. Most students don't log out properly.

Not planning on force rebooting the Mac. Not planning on logging into each Mac using local admin credentials and ending the sessions.

 

Fast User Switching and AutoLogOutDelay are configured as follows:

 

sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool YES
sudo defaults write /Library/Preferences/.GlobalPreferences com.apple.autologout.autoLogoutDelay -int 300
 
The autoLogoutDelay seems to be completely broken and / or doesn't work at all. All accounts are still logged in despite the delay of 5 minutes - or I just don't get how it's supposed to work.
 
Anyway - I've stumbled across this post which seems to be an effective way (need to test it)
 
Wondering, if there are better possibilities to log out other users?
 
Thanks for your feedback and best,
Matt
 
 
1 ACCEPTED SOLUTION

snowfox
Contributor III

You can set up a policy on Jamf (look for 'restart options') to restart the machines automatically on a fixed schedule.

You can set it to restart immediately if no one is logged in or it will start a 5 minute countdown timer immediately and display a warning message to the currently logged in user that the machine is about to restart in 5 minutes.

Performing a restart is the only thing that is going to clear all of the currently logged in user sessions.

Of course you can also set it to restart immediately even if someone is still logged in, if you are running it after the students have gone for the day. Use the 'Client-Side Limitations' section under 'General' to pick what days and time to run the policy at. Setting the time is a bit backwards. You have to choose when NOT to run the policy in order to run it in the hours that you want, i.e. NOT between 9am - 5pm.


10 REPLIES

sdagley
Esteemed Contributor II

@ccmobilesolutio Would forcing a restart be acceptable? "shutdown -r now" should accomplish that for you.

Samstar777
Contributor III

@ccmobilesolutio Maybe you can test this script for your requirement: https://github.com/Samstar777/macOS-User-Logout-Script

AJPinto
Esteemed Contributor

In the Configuration Profile Login Window payload under options you can set a Log users out after XYZ minutes of inactivity option.

 

My rule of thumb with anything Apple related: if the resource you find is over 3 years old, just assume it won't work anymore. Apple is really reliable at retiring what they consider to be tech debt. If the configuration profile option does not work, your best second option is rebooting.

ccmobilesolutio
New Contributor

First of all thanks everyone for your feedback.

 

@sdagley We've discussed performing a reboot on a regular basis every evening or so, but this would be the last option if nothing else is possible.

 

@AJPinto I've already configured that, but this does not work for accounts that are logged in but not "active". Only the current user gets the notification that he will be logged off automatically in x Minutes due to being idle.

 

@Samstar777  This looks promising, will give it a try and might adjust it to our needs.

Rebooting would be best, but you can try using pkill to force log users out.

sudo pkill -KILL -u <username>
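
A dry-run sketch of the pkill approach above, as an added example that is not part of the original thread: it selects every account holding a session except the active console user and prints the pkill command for each. It assumes `who` lists each fast-user-switched session and that `stat -f%Su /dev/console` returns the active user; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the accounts that hold a session but are NOT the
# active console user, then (optionally) kill their processes.

# background_users ACTIVE_USER  (reads `who`-style lines on stdin)
# Prints each distinct login name other than ACTIVE_USER, root and
# underscore-prefixed service accounts, one per line.
background_users() {
    awk -v active="$1" '
        NF == 0                    { next }   # skip blank lines
        $1 == active               { next }   # keep the active user
        $1 == "root" || $1 ~ /^_/  { next }   # never touch system accounts
        !seen[$1]++                { print $1 }
    '
}

# logout_background ACTIVE_USER [--apply]
# Dry run by default: prints the pkill commands instead of running them.
logout_background() {
    active="$1"; mode="${2:-}"
    who | background_users "$active" | while read -r user; do
        if [ "$mode" = "--apply" ]; then
            pkill -KILL -u "$user"
        else
            echo "would run: pkill -KILL -u $user"
        fi
    done
}

# Constructed sample of `who` output with two fast-user-switched sessions.
SAMPLE_WHO='alice    console  Jan 26 08:01
bob      console  Jan 26 09:14
alice    ttys000  Jan 26 09:20
carol    console  Jan 26 10:02
_mbsetupuser console Jan 26 07:59'

# On a managed Mac, run as root (assumed invocation):
#   logout_background "$(stat -f%Su /dev/console)"
```

As reported later in this thread, ending the processes this way does not remove the accounts from the login window; only a restart did.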

 

Discussed that with the customer today and we both agreed that rebooting is by far the best and easiest solution. As long as there is no better solution to logout all users despite the one being active and to refresh the loginwindow without having the active user sign in again we'll stick to reboot.
Made a script available via Self Service so that anyone can trigger the reboot whether they are standard user or admin.

ccmobilesolutio
New Contributor

@Samstar777  Unfortunately the script, as well as some modifications that I've tested, do not achieve what we're looking for. Script is running but when you log out the user that has run the script you still see the other sessions as active on lockscreen. This might be just a visual error, but we need to also get rid of these accounts in lockscreen.

Killing the loginwindow completely refreshes it causing the actual user also having to sign in again. I'll keep looking for a way to refresh the login mask.

 

@ccmobilesolutio Let me know if you want me to enhance my script to help you with your requirements. You can always reach me on dm or reply with your comments here.

Rebooting just seems to be the only working way to "get rid" of the accounts in the login window as well as completely force logout all logged in users.