Remove and Recreate User Account When Restarting

Contributor III


We will be getting new iMacs this summer with SSDs running macOS 10.13. In our labs and classrooms we have historically used Deep Freeze to get a Mac back to a clean state with a simple restart. Unfortunately, Deep Freeze doesn't currently work with APFS formatted drives.

I have examined reformatting the drives to HFS+, but there is no automatic way to do this that I know of, it goes against the flow of where Apple is going, and APFS has some real benefits.

Currently our Macs are not bound to AD and use local user accounts.

I am now trying to create a setup where we have a hidden admin user account on the Macs, and a standard user account for the students which is erased whenever the Mac is shut down, and recreated when the Mac is restarted. I have two policies in JSS, one to delete the user account with a logout trigger, and one to create it with a startup trigger.

However, I can't get the "Delete User Account" policy to trigger upon a shutdown. The logout trigger is not working when shutting down the Mac.

Anyone have any suggestions as to how to get the "Delete User Account" policy to trigger when the Mac is shut down, or an alternate way to accomplish my main objective of a Deep Freeze replacement?


Contributor II

Just a thought based upon what you are trying to do, why not just set up the policy to delete (rm -R) the standard user's home directory?
It should recreate the account on login fresh.

Honored Contributor II

I don't think the default policy payload to delete the user would remove the home directory (although I haven't tried it recently).

You could have a script do it using sysadminctl and using rm -R on the home directory.

If it can't do it on shutdown, you can do it all on startup.

Valued Contributor III

I’ll ask two questions:

In your scenario should someone be able to simply walk up and log in? (In other words...does everyone know the password for this account?)

Does the account have admin rights (assumed not, but have to ask)?

If yes to both, consider enabling the guest account...the home folder is wiped by Apple at login and logout...policies should still run. In this event you would still want to tuck a local admin account on there to administer, but you could probably avoid that and let Jamf and the management account handle that if you are really adventurous.

Contributor III

We have a similar requirement for our shared build devices which have a "kiosk" user which is basically a guest account but with different network settings.
Using consoleuserwarden we have scripts that run at login that delete and replace the home folder and make a few other settings required.
The same mechanisms are used to flip the networks round at startup, login and logout so the devices are always at the required state dependent upon whoever is, or isn't, logged in.

Valued Contributor III

A workmate at my previous employer created a Standard user where all had the password, but located the home folder in /tmp (right click the username in System Preferences for Advanced Options). Every restart automatically deletes the Home Folder, no policies required.

Contributor III

So I am trying to use this script with a standard user account, but I can't seem to get it to deploy:

#!/bin/sh
# Wipe the standard user's home folder and rebuild it from the English user template.
rm -Rf /Users/home-folder-name
# The template path contains a space, so it must be quoted.
cp -R "/System/Library/User Template/English.lproj" /Users/
mv /Users/English.lproj /Users/home-folder-name
chown -R home-folder-name /Users/home-folder-name

exit 0

I have it set to trigger for login, logout, startup, in the hopes one of them would work, but no joy. Any suggestions?
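The home-folder reset the thread describes, written as a parameterised shell function with the checks a practitioner would want before deleting anything (added example, not the poster's script): it refuses empty or path-like names, refuses a user that is in the macOS admin group, and requires the template to exist. The `users_dir`, `template` and `owner` parameters are assumptions added so it can be exercised outside `/Users`; the defaults match the thread.

```shell
#!/bin/sh
# reset_home USER [USERS_DIR] [TEMPLATE_DIR] [OWNER]
# Intended for a startup or login trigger, before the standard user is active.
reset_home() {
    user="$1"
    users_dir="${2:-/Users}"
    template="${3:-/System/Library/User Template/English.lproj}"   # assumption: English template
    owner="${4:-$user}"

    # Never let a bad or empty name turn "rm -rf" into a wipe of the whole users folder.
    case "$user" in
        ''|*/*|.|..) echo "refusing: bad user name '$user'" >&2; return 2 ;;
    esac
    [ -d "$template" ] || { echo "template not found: $template" >&2; return 3; }

    # Only wipe standard accounts: skip anyone in the admin group (dscl exists on macOS only).
    if command -v dscl >/dev/null 2>&1; then
        if dscl . -read /Groups/admin GroupMembership 2>/dev/null | grep -qw "$user"; then
            echo "refusing: $user is an admin" >&2; return 4
        fi
    fi

    home="$users_dir/$user"
    rm -rf "$home"
    cp -R "$template" "$home"    # quoting handles the space in "User Template"
    chown -R "$owner" "$home"
    return 0
}
```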


Contributor II

I'm looking to do a similar task as I have a few lab environments where students log in with LDAP credentials and I don't want anything to linger after they log off. In lieu of DeepFreeze which @dtmille2 mentioned doesn't work with APFS, is there any other simple way of ensuring each time a user logs in they get a clean workspace?

New Contributor III

@kricotta @dtmille2

As of November 2nd or so, DeepFreeze works on APFS. Just tested it on a Mojave machine we have here that we want to act as a loaner machine for employees who forget their laptop, etc., and it works as we desired.