Jamf Nation Community

bananapatata · ‎01-07-2019

I have a question regarding scripting.

I'm trying to build a user account in an educational lab environment that's easy for some of our students to sign into that subsequently removes their data on logout (a la Deep Freeze). It warns the user this will occur and although I could just use a Guest account I'd like to try this first. I've accomplished most of what I'm looking to remove (though if I'm missing something please bring it up) but I can't find an answer to my issue in the forums. I can't seem to remove Safari data from session to session.

This is the part I need help with:
Any combination of the following commands (whether I insert into Files & Process or into Scripts after my other one) doesn't seem to have any effect and I'm not quite sure why:

sudo bash -c "rm -f /Users/student/Library/Safari/History.db"; 
sudo bash -c "rm -f /Users/student/Library/Safari/LastSession.plist"; 
sudo bash -c "rm -f /Users/student/Library/Safari/HistoryIndex.sk"; 
sudo bash -c "rm -f /Users/student/Library/Safari/TopSites.plist"; 
sudo bash -c "rm -f /Users/student/Library/Safari/WebpageIcons.db"; 
sudo bash -c "rm -f /Users/student/Library/Safari/Downloads.plist"

Here's what's working:
Config Profile (Restrictions) - disables iCloud/Internet Accounts Preference Panes
- Restrictions > Preferences > Restrict items in System Preferences > Disable Selected Items > iCloud/Internet Accounts
- Restrictions > Functionality > all iCloud options

Files & Processes - removes the User folders and Chrome data (items on a new line for visual clarity)

sudo bash -c "rm -rf /Users/student/Desktop/*"; 
sudo bash -c "rm -rf /Users/student/Documents/*"; 
sudo bash -c "rm -rf /Users/student/Downloads/*"; 
sudo bash -c "rm -rf /Users/student/Movies/*"; 
sudo bash -c "rm -rf /Users/student/Music/*"; 
sudo bash -c "rm -rf /Users/student/Pictures/*"; 
sudo bash -c "rm -rf /Users/student/Library/Application Support/Google/Chrome/Default/*"

Script (not my own) to empty the trash

#!/bin/bash
# for each user in the /Users folder that is (!)not the Shared folder
for dir in /Users/[!Shared]*
do
    # Create a variable with just the users name
    user=`echo $dir | cut -d'/' -f3`

    # Empty each users trash
    rm -rf $dir/.Trash/*

    # For logs or viewing progress--shows when the users trash has been emptied
    echo -e "Trash has been emptied for:	$user"
done

sshort · ‎01-07-2019

I believe more Safari items were SIP-protected in either High Sierra or Mojave, that might be why it's fighting you.

View solution in original post

sshort · ‎01-07-2019

I believe more Safari items were SIP-protected in either High Sierra or Mojave, that might be why it's fighting you.

bananapatata · ‎01-08-2019

Great link! Yeah, I do think access to Mail, Messages, Safari data, and Time Machine backups are now controlled via the new “Full Disk Access” setting. The location of the Safari.plist file I believe also changed to /Users/$user/Library/Containers — which you would need SIP for, but that's not the file I'm looking to delete.

I'm unsure of how I would even add Jamf as an app that has "Full Disk Access" or why it'd be necessary in the first place since it's running from root, but I'm still open to suggestions! :)

macbentosh · ‎01-08-2019

Could you use outset for something like this to run an on demand at logout? https://github.com/chilcote/outset

bananapatata · ‎01-11-2019

@sshort You were right. The entire /Users/$User/Library/Safari folder is protected by SIP in addition to the /Containers folder mentioned. Looks like this isn't an option.

guidotti · ‎05-27-2020

@bananapatata I know this is an old thread, but what did you end up doing? I have some public kiosk use cases for this.

bananapatata · ‎10-06-2020

@guidotti Ended up ignoring the Safari issue for 6 months and then switched over to just enabling guest accounts.

Jamf Nation Community

Help Removing Safari Data on Logout