Mobility: Account Expiry: Delete Mobile Accounts

dmw3
Contributor III

When trying to set an expiry time for mobile accounts, I have found that even if you specify a time, when saved the nominated time always reverts back to "0" and "hours".

If this is the only time available in this pane, why is it there? Nothing that I have read on the Admin Guide gives a clue to how it is supposed to be configured / set.

We do have scripts that do a similar job if the title is correct, but we are having some issues with the scripts on later macOS. Thought that Configuration Profiles would be better to use; maybe not, if the only value is "0 hours".

a_williams
New Contributor

Hi, @dmw3 !

To get the time to save, enter it as an Epoch value. Epoch value is time converted to seconds.

  • 1 hour = 3600
  • 1 Day = 86400
  • 1 week = 604800
  • 1 month = 2629743 (will display as hours)

For instance, if we want the account to be deleted after 1 hour, enter 3600 and leave the drop down menu on Hour. Two hours would be 7200 with the drop down menu set to Hours, etc.

I hope this helps!

eckk
New Contributor

Been tearing my hair out for an entire day on this. This explanation should be somewhere in the payload because who would know this without it being explained?

msnowdon
Contributor

Funny, I was taking a look at the configuration profile today for the first time. The mobile accounts tend to build up over time, especially on lab machines. But then I was thinking, is it even necessary to create mobile accounts on devices that are not leaving the building? It can still be bound to AD. It's just something we have always implemented but I'm starting to rethink the way we manage Macs.

declure
New Contributor II

New to JAMF cloud. I come from the Apple Server world previously, where this was not a thing. Clearly, you've reproduced Apple's past payloads into your own method, but without explanation of the method. I set 30 days and it said save successful thinking all was well, not realizing it bumped me down to 0 without notice. Just wiped a bunch of accounts....grrr. Even worse you've left the same "Example" used by Apple which is clearly misinformation now; it should not say "Enter 5 days...1 week" if that is not possible.

declure
New Contributor II

Follow up - I followed instructions and set 2592000 hours and after saving it changed it to 30 days. Cool, except if I ever make any small change to that payload again, guess what it does to my 30 day setting? Zero'd, again. Seems like a bug not a feature. That's some serious consequences if I ever forget to reset the value exactly every single time I edit it.

jamfpigeon
New Contributor III

I was about to post a bug report, but it looks like I'm not the only one. Accidentally deleted a bunch of students' accounts. :(

gabester
Contributor III

@jamfpigeon that's too bad... I have yet to leverage this functionality, but it would be great if the text above the field made it clear to specify a value in seconds, does anyone disagree?

vogel
New Contributor

Hello all - looking for advice. I am unable to get these Mobile accounts to delete. I've made sure to specify the value in seconds, trying to reflect either one hour or one day. But the accounts just NEVER delete. Is there a change that needs to be made on the AD side of things that I need to rope my colleagues into? 

For those able to get this to work, how are you binding? Are you using a Policy with Jamf's Directory Services, then adding the Mobility configuration as its own Configuration Profile, or using a Configuration Profile "all-in-one" with binding settings and Mobility settings?

Oh and one last thing, do I need "Create Mobile account at login" checked on both the AD bind as well as the Mobility profile?

Thank you so much in advance. I'm close to banging my head against the wall over here.

BrentP
New Contributor

We are having the same problems. Our mobility accounts are not being deleted, even though it is set to 0. Good thing to know that if I set that in seconds it will stick (how is this still a bug?).

Any ideas on why these accounts are not being deleted?

Thanks!

Doof
New Contributor

Same issues here. Macs in a lab environment, bound to AD, and devices upgraded to 12.5. Time is set to zero and option to delete only after successful sync has been deselected, yet it still doesn't seem to work as expected. Has anyone been able to successfully implement this payload and have it remove all the mobile accounts?

Hi Vogel, were you ever able to get this to work? I have had the same issues with the accounts never deleting. Not sure if the policy is supposed to be user level or computer level, but it does not seem to work at all.

declure
New Contributor II

Somehow ended up back on this old thread after discovering the same thing - my accounts no longer seem to be expiring anymore either.  I looked at the profile details and not even seeing it written in the profile, just home sync settings.  Only thing that has changed was last year I did upgrade my macs to Big Sur.  Possible this method is no longer valid past Big Sur? Given it seems JAMF has fixed or updated nothing in all these years, I can't say I'm surprised to see this acting deprecated. Honestly, I wasn't a big fan of this method, it was just a little easier than scripting - but I think the time has come to just script this solution.  I found a really good one posted here:

https://community.jamf.com/t5/jamf-pro/remove-old-mobile-accounts/td-p/104043 

I tested and deployed cbrewer's solution and it worked for me. Just create a script on the jamf server that runs his code, change the days to the value you need, and in my case - I just removed the first "if" that checks for groups - I was fine with any AD account of a certain age and it worked really well. Left my manually created and jamf hidden accounts all intact. I found several other good ones out there, but this one honed in on what I needed best and was the simplest. Just create the relevant script/policy for deployment and you're good to go.

Now I can finally shred that dumb post-it note for how many hours 30 days is in epochs! 🙄

Did you have luck with this? 😂 Jamf needs to document how this works 

The last I talked to Jamf they were going to submit this as a bug. I haven't heard anything about it since.

Here is the script they supplied us to use to remove mobile accounts.

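#!/bin/bash

# List local users that have an OriginalNodeName attribute; the script
# treats these as the mobile accounts. dscl errors are discarded.
mobileAccountList=$( dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}' )
if [ -z "${mobileAccountList}" ]; then
    echo "No Mobile Accounts"
else
    echo "Deleting ${mobileAccountList}"
    # Word splitting is intended here: one account name per iteration.
    for user in ${mobileAccountList}; do
        sysadminctl -deleteUser "${user}"
    done
fi

exit 0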


We created a policy that runs on a schedule to execute the script. We run it at a time when no one should be using the computer.

This never did work for me. I wound up just scripting it and making it a self-service policy available only to our site technicians so they can blow the mobile accounts out in the labs when requested.
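
Added example, not part of any post in this thread and not Jamf's or cbrewer's script: an age-based selection of mobile accounts that refuses a 0 threshold (the value that wiped accounts above), skips the console user, and only prints the delete command. The function names, the sample account list and the idea of using a last-use timestamp such as the home folder's modification time are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): choose mobile accounts by age, dry run only.
# Function names and sample data are hypothetical.

# Convert whole days to seconds (1 day = 86400). Empty, non-numeric, zero and
# leading-zero values are rejected, so a threshold that was silently reset
# to 0 can never match every account.
days_to_seconds() {
    case "$1" in
        ''|*[!0-9]*|0*)
            echo "threshold must be a positive whole number of days" >&2
            return 1 ;;
    esac
    echo $(( $1 * 86400 ))
}

# Read "username last_used_epoch" lines on stdin and print the accounts idle
# for longer than MAX_AGE seconds, never the user at the console.
# usage: select_stale NOW MAX_AGE CONSOLE_USER
select_stale() {
    awk -v now="$1" -v max="$2" -v skip="$3" \
        '$1 != skip && (now - $2) > max { print $1 }'
}

# Constructed sample data. On a Mac the names would come from the thread's
# `dscl . list /Users OriginalNodeName`; the last-use time is assumed to be
# something like the home folder's modification time.
NOW=1700000000
SAMPLE='alice 1699990000
bob 1690000000
carol 1696000000
dave 1650000000'

# usage: plan_deletions DAYS CONSOLE_USER
plan_deletions() {
    max_age=$(days_to_seconds "$1") || return 1
    printf '%s\n' "$SAMPLE" | select_stale "$NOW" "$max_age" "$2"
}

# Dry run: show the command from the thread instead of running it.
for user in $(plan_deletions 30 dave); do
    echo "would run: sysadminctl -deleteUser $user"
done
```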