Posted on 06-20-2018 07:54 AM
Hello,
We will be getting new iMacs this summer with SSDs running macOS 10.13. In our labs and classrooms we have historically used Deep Freeze to get a Mac back to a clean state with a simple restart. Unfortunately, Deep Freeze doesn't currently work with APFS formatted drives.
I have examined reformatting the drives to HFS+, but there is no automatic way to do this that I know of, it goes against the flow of where Apple is going, and APFS has some real benefits.
Currently our Macs are not bound to AD and use local user accounts.
I am now trying to create a setup where we have a hidden admin user account on the Macs, and a standard user account for the students which is erased whenever the Mac is shut down, and recreated when the Mac is restarted. I have two policies in JSS, one to delete the user account with a logout trigger, and one to create it with a startup trigger.
However, I can't get the "Delete User Account" policy to trigger upon a shutdown. The logout trigger is not working when shutting down the Mac.
Anyone have any suggestions as to how to get the "Delete User Account" policy to trigger when the Mac is shut down, or an alternate way to accomplish my main objective of a Deep Freeze replacement?
Posted on 06-20-2018 09:07 AM
Just a thought based upon what you are trying to do, why not just set up the policy to delete (rm -R) the standard user's home directory?
It should recreate the account on login fresh.
Posted on 06-20-2018 09:14 AM
I don't think the default policy payload to delete the user would remove the home directory (although I haven't tried it recently).
You could have a script do it using sysadminctl and using rm -R on the home directory.
If it can't do it on shutdown, you can do it all on startup.
Posted on 06-21-2018 08:28 AM
I’ll ask two questions:
In your scenario should someone be able to simply walk up and log in? (In other words...does everyone know the password for this account?)
Does the account have admin rights (assumed not, but have to ask)?
If yes to both, consider enabling the guest account...the home folder is wiped by Apple at login and logout...policies should still run. In this event you would still want to tuck a local admin account on there to administer, but you could probably avoid that and let Jamf and the management account handle that if you are really adventurous.
Posted on 06-21-2018 09:43 AM
We have a similar requirement for our shared build devices which have a "kiosk" user which is basically a guest account but with different network settings.
Using consoleuserwarden we have scripts that run at login that delete and replace the home folder and make a few other settings required.
The same mechanisms are used to flip the networks round at startup, login and logout so the devices are always at the required state dependent upon whoever is, or isn't, logged in.
Posted on 06-29-2018 09:49 AM
A workmate at my previous employer created a Standard user where all had the password, but located the home folder in /tmp (right click the username in System Preferences for Advanced Options). Every restart automatically deletes the Home Folder, no policies required.
Posted on 07-03-2018 12:45 PM
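So I am trying to use this script with a standard user account, but I can't seem to get it to deploy:
#!/bin/sh
# Remove the existing home folder for the account
rm -Rf /Users/home-folder-name
# The template path contains a space, so it must be quoted
cp -R "/System/Library/User Template/English.lproj" /Users/
mv /Users/English.lproj /Users/home-folder-name
# Give the account ownership of its new home folder
chown -R home-folder-name /Users/home-folder-name
exit 0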
I have it set to trigger for login, logout, startup, in the hopes one of them would work, but no joy. Any suggestions?
Thanks!
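A more defensive take on the home-folder reset discussed in this thread, as an added example that is not any poster's code: it validates the account name before running `rm -Rf` as root, and builds the new home folder before deleting the old one. `reset_home`, the staging folder name and `labuser` are hypothetical; the template path is the one from the post above, and the use of `$4` assumes the script is deployed through a Jamf policy.

```shell
#!/bin/sh
# Added example: rebuild a lab account's home folder from the user template.
# reset_home is a hypothetical helper name; run as root from a startup policy.

reset_home() {
    account=$1
    users_dir=${2:-/Users}
    template=${3:-"/System/Library/User Template/English.lproj"}

    # Refuse empty names, dot-names and anything containing a slash, so the
    # rm -Rf below can never resolve to /Users itself or climb out of it.
    case $account in
        ''|.*|*/*) echo "refusing account name '$account'" >&2; return 1 ;;
    esac
    # Check everything the rebuild needs before deleting anything.
    id -u "$account" >/dev/null 2>&1 || { echo "no such user: $account" >&2; return 1; }
    [ -d "$template" ] || { echo "template missing: $template" >&2; return 1; }

    home=$users_dir/$account
    staging=$users_dir/.${account}.new

    # Build the replacement first; a failed copy leaves the old home in place.
    rm -Rf -- "$staging"
    cp -R "$template" "$staging" || return 1
    chown -R "$account" "$staging" || return 1

    # rm on a symlink removes the link itself, not the directory it points to.
    rm -Rf -- "$home" || return 1
    mv "$staging" "$home"
}

# Jamf passes a script's first custom parameter as $4 (assumed deployment);
# a single argument is treated as a manual run, e.g. sh reset_home.sh labuser
if [ "$#" -ge 4 ]; then
    reset_home "$4"
elif [ "$#" -eq 1 ]; then
    reset_home "$1"
fi
```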
Posted on 07-25-2018 09:03 AM
I'm looking to do a similar task as I have a few lab environments where students log in with LDAP credentials and I don't want anything to linger after they log off. In lieu of DeepFreeze which @dtmille2 mentioned doesn't work with APFS, is there any other simple way of ensuring each time a user logs in they get a clean workspace?
Posted on 11-16-2018 02:31 PM
As of November 2nd or so, DeepFreeze works on APFS. Just tested it on a Mojave machine we have here that we want to act as a loaner machine for employees who forget their laptop, etc. and works as we desired.
(https://faronics.kayako.com/News/NewsItem/View/182/deep-freeze-70-released-providing-apfs-support)