Posted on 02-14-2023 01:06 PM
Hello Jamf Community,
I work with a University. In our department we run Mac labs that act as classrooms for a large variety of classes that are reserved daily. We are redesigning our Mac classroom "build" primarily with Jamf Pro. The biggest hurdle that we face is in determining a user account and maintenance method that meets the needs of our classrooms.
Needs we have:
The previous team that designed our current system had disabled SIP in order to develop a user template that was copied over the existing user account that is used by students upon login with a login-hook. This happens upon restart (initiated by Apple Remote Desktop) and the user is auto-logged in. That worked fine for many years, but some systems have broken upon macOS 12 Monterey (the computers fail to complete 'optimization'). We are intent on moving away from disabling SIP.
There are a few special pieces of software that we need on the computers, and for the most part the settings that we need and the programs that we want installed are all simple enough to manage via the Jamf Pro MDM.
We are currently trying to figure out what the best method will be for managing a user account that will be used by multiple students in any given day (upwards of 8 per day per computer). For example:
At our institution, at least, our needs are pretty unique and it has been difficult to discern how others are managing similar systems. Any advice or thoughts from the community on this puzzle are appreciated!
Posted on 02-14-2023 01:33 PM
We use Jamf Connect in our environment, so users sign in with Okta credentials. I have a script that runs at login that deletes all users (not including management accounts) apart from the one logging in, and a SwiftNotify message telling the user that all user data is routinely deleted, so save things to Google Drive.
#!/bin/bash
######################### WARNING - THIS SCRIPT IS DESTRUCTIVE ##########################
# This script deletes all users not currently logged in or the Jamf Management account.#
# Written by mgrant1@arm.catholic.edu.au, for the use of the Catholic schools office, #
# Diocese of Armidale. 9/12/2022 #
#########################################################################################

# Must run as root (Jamf runs policy scripts as root); dscl delete and rm -rf need it.
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root." >&2
    exit 1
fi

# Management account to preserve. Jamf passes custom script parameters as $4-$11;
# falls back to the account name that was hard-coded in the original script.
adminUser="${4:-csomaclocal}"

#Discover the logged-in user, so we don't accidentally delete them
loggedInUser=$( stat -f%Su /dev/console )
if [[ -z "$loggedInUser" || "$loggedInUser" == "root" ]]; then
    echo "No user is logged in at the console; nothing will be deleted." >&2
    exit 1
fi
#print logged in user
echo "$loggedInUser is currently logged in."

#Find Users, excluding the selected Admin user ($4), and System and Service Accounts
# (service accounts start with an underscore). Names are matched as whole lines, so a
# short name such as "jo" does not accidentally protect or skip "john" as well.
users=$( dscl . list /Users | grep -v '^_' | grep -vx -e root -e daemon -e nobody -e "$adminUser" -e "$loggedInUser" )
echo "Removing User Accounts."
for a in $users; do
    # Read the home folder from the directory record instead of assuming /Users/$a
    home=$( dscl . -read "/Users/$a" NFSHomeDirectory 2>/dev/null | awk '{print $2}' )
    #delete user
    /usr/bin/dscl . delete "/Users/$a" > /dev/null 2>&1
    echo "$a's user account has been removed."
    #Delete User Home Folder, but only if it is a real per-user folder under /Users
    if [[ "$home" == /Users/* && "$home" != "/Users/" && -d "$home" ]]; then
        /bin/rm -rf "$home"
        echo "$a's user home folder has been removed."
    fi
done
echo "User accounts Removed Successfully."
exit 0
Posted on 02-20-2023 09:34 AM
Hi @mickgrant,
Thanks for sharing your process! I've got a few questions:
We don't currently have access to Jamf Connect (we might soon). Right now we are attempting to discern a way to have a local user account already built when the user arrives, maybe for auto-login with a kcpassword, maybe built upon startup or login; the same account would be deleted upon restart ideally, which would allow a fresh experience each time.
Your script seems to be efficient at removing previous users after they have logged in with Jamf Connect credentials, while preserving the current user.
Is this script called via a launchd agent/daemon?
Many thanks!
02-20-2023 11:13 AM - edited 02-20-2023 11:13 AM
Alternatively, if we wanted to have a generic standard user account that either auto-logs or has a simple password that everyone logs into, could we simply and relatively securely use a script to simply delete the user data from the account?
And maybe have that script run from a launch agent / daemon?
For example:
#!/bin/bash
# Account to reset; "<useraccount>" is left as the placeholder from the post.
useraccount="<useraccount>"
home="/Users/$useraccount"
# Refuse to run with the placeholder still in place or against a missing home folder,
# so that the rm -rf below can never hit the wrong path.
if [[ "$useraccount" == "<useraccount>" || ! -d "$home" ]]; then
    echo "Set useraccount to a real local account first." >&2
    exit 1
fi
# create a new folder where the user's home folder contents will temporarily move
sudo mkdir -p /olduser
# move all contents of the user's home folder to the new folder that was just created
# (note: "*" does not match dot-files, so ~/Library and other hidden items stay behind
# and are the only things the rm -rf below actually removes)
sudo mv "$home"/* /olduser/
# remove the user's home folder
sudo rm -rf "$home"
#recreate the user's home folder
sudo mkdir "$home"
# move the contents of the temporary folder back into the user's home folder
sudo mv /olduser/* "$home"/
# set the correct ownership on the folder and on everything moved back into it
sudo chown -R "$useraccount":staff "$home"
# remove the temporary folder that was created
sudo rm -rf /olduser
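One way to get what the two questions above ask for (a local standard account that is built fresh at every boot by a LaunchDaemon and then deleted again on the next restart, with auto-login pre-seeded through /etc/kcpassword) is sketched below. This is an added example, not a script from this thread or from Jamf: the account name labuser, its password, the daemon label edu.example.labuser-reset and the script path /usr/local/bin/reset_lab_user.sh are all assumptions, and the kcpassword encoding is the XOR scheme that community kcpassword scripts use rather than anything Apple documents.

```bash
#!/bin/bash
# reset_lab_user.sh (added example, not from the thread)
# Recreates a throwaway standard account at every boot from a LaunchDaemon and
# pre-seeds auto-login for it, so each class gets a pristine account without
# disabling SIP or copying user templates. Assumed names: account "labuser",
# daemon label "edu.example.labuser-reset", script path below. Runs as root on macOS.

LAB_USER="${LAB_USER:-labuser}"
LAB_UID="${LAB_UID:-1100}"
LAB_PASSWORD="${LAB_PASSWORD:-labuser}"   # also written to /etc/kcpassword for auto-login
DAEMON_LABEL="edu.example.labuser-reset"
SCRIPT_PATH="/usr/local/bin/reset_lab_user.sh"

# Refuse names that could turn "rm -rf /Users/$name" into something else, and
# never touch system/service accounts (leading underscore) or root.
valid_user_name() {
    case "$1" in
        ''|*/*|*..*|*[[:space:]]*|_*|root|nobody|daemon) return 1 ;;
        *) return 0 ;;
    esac
}

# Encode a password the way /etc/kcpassword expects: pad with NULs to a
# multiple of 12 bytes and XOR with the fixed 11-byte loginwindow key.
# ASCII passwords only. Prints lowercase hex so it can be tested and piped.
kcpassword_hex() {
    local pw="$1" key=(125 137 82 35 210 188 221 234 163 185 31)
    local len=${#pw} padded=$(( (${#pw} + 11) / 12 * 12 )) i c out=""
    for (( i = 0; i < padded; i++ )); do
        if (( i < len )); then c=$(printf '%d' "'${pw:i:1}"); else c=0; fi
        out+=$(printf '%02x' $(( c ^ key[i % 11] )))
    done
    printf '%s' "$out"
}

# LaunchDaemon that runs this script with the "reset" argument at every boot.
launchd_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$DAEMON_LABEL</string>
    <key>ProgramArguments</key>
    <array><string>/bin/bash</string><string>$SCRIPT_PATH</string><string>reset</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# macOS-only: drop the old record and home, create a fresh standard (non-admin)
# user, and point loginwindow at it for auto-login.
reset_lab_user() {
    local user="$1" password="$2" home="/Users/$1"
    valid_user_name "$user" || { echo "refusing to reset '$user'" >&2; return 1; }
    if /usr/bin/dscl . -read "/Users/$user" >/dev/null 2>&1; then
        /usr/sbin/sysadminctl -deleteUser "$user" >/dev/null 2>&1
    fi
    [[ -d "$home" ]] && /bin/rm -rf "$home"
    /usr/sbin/sysadminctl -addUser "$user" -fullName "Lab User" -UID "$LAB_UID" \
        -password "$password" -home "$home" || return 1
    /usr/sbin/createhomedir -c -u "$user" >/dev/null 2>&1
    # Auto-login: account name in loginwindow prefs, obfuscated password in /etc/kcpassword
    /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser "$user"
    printf "$(kcpassword_hex "$password" | sed 's/../\\x&/g')" > /etc/kcpassword
    /bin/chmod 600 /etc/kcpassword
}

# macOS-only: write the LaunchDaemon and load it into the system domain.
install_daemon() {
    local plist="/Library/LaunchDaemons/$DAEMON_LABEL.plist"
    launchd_plist > "$plist"
    /usr/sbin/chown root:wheel "$plist"
    /bin/chmod 644 "$plist"
    /bin/launchctl bootstrap system "$plist"
}

# Usage: reset_lab_user.sh reset     (what the LaunchDaemon runs at boot)
#        reset_lab_user.sh install   (write and load the LaunchDaemon)
case "${1:-}" in
    reset|install)
        [[ $EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }
        if [[ $1 == install ]]; then install_daemon; else reset_lab_user "$LAB_USER" "$LAB_PASSWORD"; fi
        ;;
esac
```

Copy the script to the assumed path, run `sudo /usr/local/bin/reset_lab_user.sh install` once, and every restart (for example the ARD restart between classes) rebuilds the account from nothing. Two caveats: the password in /etc/kcpassword is only obfuscated, not protected, so the lab account must stay a standard user with nothing of value behind it, and auto-login is not available at all while FileVault is enabled on the boot volume.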
Posted on 03-02-2023 06:30 AM
Hi,
We have about 4 different computer labs with 20 iMacs in each room. Currently there are 9 different classes running between them. We have created local accounts for each student and assigned them an iMac which they will use for the duration of the course. Students have been informed that all files must be saved to OneDrive, which is mapped to their desktop.
Once students leave the course, we remove their account but keep their files on OneDrive for 3 months just in case any students need them.
Posted on 03-02-2023 07:11 AM
Awesome! Thanks for replying and for the details on your lab setup. That sounds like a great approach. The biggest barrier to an approach like this in our setup, and the difficulty we face, is that the students who use the computers may only use them once in the semester (there are nine different departments with upwards of 25 students in upwards of 20 sections per class). A given student may go into one classroom, use the computer once, and only use one other computer in one other classroom the entire semester. A thousand students might make their way through the classrooms. We have a turnaround time from class to class of 15 minutes in total, but generally clear a single room and prep it for the next one in 3 minutes.
Posted on 03-02-2023 07:19 AM
I understand and agree that this approach is not for you. Using a guest account could work, but students will need to save to cloud storage before logging off, and students can't be trusted to do that each time. I would suggest exploring Jamf Connect and having a word with your Jamf buddy.