Posted on 09-07-2011 12:24 AM
We have 200 Laptops in Carts and the way I have it set up is that on logout the laptop recreates the Library folder.
I forgot that some kids like to hack around and they started to change the passwords on the student account.
My brain isn't working and neither is Google.
Does anyone have an idea where I can run a policy on that group of computers on startup to delete the password?
Please?
Thanks
Posted on 09-07-2011 05:31 AM
Yeah, I looked at getting Deep Freeze, especially with its integration with JAMF Casper, but with over 200+ laptops it just gets too expensive and we are a school. Was thinking more of a command to remove the password, or any MCX settings out there that would work?
Thanks
Rob
Posted on 09-07-2011 05:42 AM
We use MCX for our carts and set cachedaccounts.expiry.delete.disusedSeconds to zero. This deletes all student accounts on logout. Students learned early if they need to save anything it has to go into HD-Users-Shared or on the network.
Posted on 09-07-2011 06:20 AM
How about a launchd item that runs at startup and resets the password? Or,
On Wed, Sep 7, 2011 at 2:24 AM, Rob Potvin <bisjamf at bis-school.com> wrote:
I guess you could do it with an "At Startup" policy that is set to run
offline as well that does the same as the launchd:
dscl . -passwd /Users/<studentusername> <newpassword>
That should accomplish what you are looking for.
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Posted on 09-07-2011 07:00 AM
Just use MCX to disallow users to change passwords. Restrict their access to the accounts pref pane. Then they cannot change passwords.
Posted on 09-07-2011 07:06 AM
it sounds like you haven't locked down the cart machines adequately.
set mcx to allow/disallow as needed. you might want to set an EFI password on the laptops. are the student accounts local admins? if so, revoke admin rights as well.
Posted on 09-07-2011 07:17 AM
Students can actually be crafty. Our last set of MacBooks we had (late 2007) in our 1:1 were taken apart, had RAM removed, the EFI password cleared, then students booted their computers into SUM and ran rm -rf /var/db/.AppleSetupDone and rebooted their computers. They then got the initial user screen and created their own local account as admin.
This is what prompted me to play detective and then turn them in to the administration.
Posted on 09-07-2011 07:24 AM
sure, in a 1:1 environment, unfettered physical access is guaranteed. there's not much you can do to prevent someone from doing all the things you mention, aside from using policies to revert those changes. at that point, policy should take effect. do you charge the families or students for the use of these laptops? if not, and if they tamper with the machines, do you charge them the full value of the hardware? i hope there's some clause like that to keep things on the level.
with a cart setup, i'm assuming use is supervised and takes place in classrooms or on school grounds, at least. it should be easier to lock them down and prevent obvious physical tampering during class time.
Posted on 09-07-2011 08:51 AM
EFI is all set up, student account is just a local account!
They are locked down, just forgot the password thing, will be fixed; also fixed a few other things.
this is the script that I am running on logout
#!/bin/csh
# defGrp: the group that your default user is assigned to
# defHome: the location of your default user's home directory
# defTemplate: the location of your default user home dir template
# tmpDir: where the previous Library folder is parked
# localAdmin: the local admin account, which is never reset
set defGrp = staff
set defHome = /Users/student/Library
set defTemplate = /Library/Management/defLibrary
set tmpDir = /tmp
set localAdmin = ladmin

### Debug/testing sanity check ###
# Casper passes the username as $3, so at least three arguments are required.
# Checked before jamfHelper starts so a bad call never leaves the full-screen window up.
if ( $#argv < 3 ) then
    echo "No user specified!"
    exit 1
endif

# Full-screen notice while the reset runs (both paths contain spaces, so they are quoted)
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
    -windowType fs -heading "Laptop Reset" \
    -description "Please wait as the student account is reset to normal" \
    -icon "/System/Library/CoreServices/Problem Reporter.app/Contents/Resources/ProblemReporter.icns" &

### Script action ###
# If this is not the admin user...
if ( "$3" != "$localAdmin" ) then
    # Create a timestamp for the temporary home directory storage
    # (named stamp because "time" is a special variable in tcsh)
    set stamp = `date "+%m-%d-%y_%H.%M.%S"`
    # Move the home directory
    mkdir -m 755 "${tmpDir}/prevuser.$stamp"
    mv $defHome "${tmpDir}/prevuser.$stamp"
    # Copy a new default home directory from the user template
    /usr/bin/ditto -rsrcFork $defTemplate $defHome
    # Change the ownership of the new home directory to the user logging in
    /usr/sbin/chown -R ${3}:${defGrp} $defHome
endif

killall jamfHelper

### Always exit with 0 status
exit 0
It replaces the Library folder on logout, so everything is back, but the files stay and kids use their elockers (Studywiz) for their files
Cheers
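Several suggestions from this thread (resetting the student password with dscl at startup, revoking admin rights, noticing a deleted /var/db/.AppleSetupDone) can be combined into one "At Startup" policy script. The following is an added example, not code from any poster or from JAMF; STUDENT, EXPECTED_PW, ALLOWED_USERS and check_cart are assumed names, and the unexpected-account check goes slightly beyond what the thread lists.

```shell
#!/bin/bash
# Added example: startup integrity check for a shared cart account (run as root).
# STUDENT, EXPECTED_PW, ALLOWED_USERS and check_cart are assumed names; set per site.
STUDENT="${STUDENT:-student}"
EXPECTED_PW="${EXPECTED_PW:-CHANGE_ME}"      # placeholder; dscl exposes it in the process list
ALLOWED_USERS="${ALLOWED_USERS:-ladmin student}"
DSCL="${DSCL:-/usr/bin/dscl}"                # overridable so the logic can be exercised off a Mac
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"
SETUP_FLAG="${SETUP_FLAG:-/var/db/.AppleSetupDone}"
FINDINGS=""

note() { FINDINGS="${FINDINGS}$1;"; echo "cartcheck: $1"; }

check_cart() {
    FINDINGS=""
    # 1. Password drift: -authonly succeeds only while the expected password still works.
    if ! "$DSCL" . -authonly "$STUDENT" "$EXPECTED_PW" >/dev/null 2>&1; then
        if "$DSCL" . -passwd "/Users/$STUDENT" "$EXPECTED_PW" >/dev/null 2>&1; then
            note "password-reset"
        else
            note "password-reset-failed"
        fi
    fi
    # 2. The shared account must not be in the admin group.
    if "$DSEDITGROUP" -o checkmember -m "$STUDENT" admin >/dev/null 2>&1; then
        "$DSEDITGROUP" -o edit -d "$STUDENT" -t user admin >/dev/null 2>&1
        note "admin-revoked"
    fi
    # 3. Local accounts (UID 501 and up) that are not on the allow list.
    for u in $("$DSCL" . -list /Users UniqueID 2>/dev/null | awk '$2 >= 501 {print $1}'); do
        case " $ALLOWED_USERS " in
            *" $u "*) ;;
            *) note "unexpected-account:$u" ;;
        esac
    done
    # 4. A missing setup flag means the initial user screen will offer a new admin account.
    [ -e "$SETUP_FLAG" ] || note "setup-flag-missing"
    [ -z "$FINDINGS" ]      # exit status 0 only when nothing needed fixing
}

# Run only as root on a machine that actually has dscl.
if [ "$(id -u)" = 0 ] && [ -x "$DSCL" ]; then
    check_cart
fi
```

Each finding is echoed, so it ends up in the policy log, and a non-zero exit status marks the laptops that needed a fix.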