Remove saved data at each login on the classrooms Mac with BigSur

jamflund
New Contributor III

Hello
We have some desktop iMac computers with Big Sur in different classrooms that students log in to during their lessons. One and the same student account is used for each login. To clear students' saved data, we use a script that we published in Self Service that looks like the one below.

The script works if the student who is logged in to a computer clicks on it in Self Service. If the script is set to run at login via Jamf policies, it does not work correctly. The log says this:

So the question is how do you make it work when logging in. I thank you for the feedback.

PaulHazelden
Valued Contributor

Save the script on the Mac in a general location, then use a LaunchAgent to launch the script. This will then run as every user account logs in.
I would however change the script to find the current logged in User account, and put that in the script in place of the * wildcard.

rm -Rf /Users/$Username/Desktop/*

With your first wildcard in there the script is trying to work on all folders it can find in the Users folder, and it won't have permission to do that, so there will be a load of errors thrown up by the script.

PaulHazelden
Valued Contributor

A LaunchAgent would be along the lines of...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.Unique.name.for.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Path/To/Script.sh</string>
        <string>-argument</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Save it as a plist file and put it in "Macintosh HD"/Library/LaunchAgents and it will run the script at log in for each user.
Set the permissions on the script to be 755, and permissions on the plist to be 644. This is important, it has to be right to work.
The script has to go somewhere, you can make a folder in /tmp, or in /var, and save the script in there.
As I said before I would go with something in the script to pull the users username for the home folder, and use that variable to be specific. You have used the ~ symbol for Home in one line, and then wild card for the others. ~ will find the owner of the running process and go to their Home, if that is root then that is where it goes. And the Wildcard will throw errors on permissions, which could cause problems.
Test it before you go live, and remember that there are some folders that the User account can't delete out of their Home folder, they are protected by the system.
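
An added example (not code posted in this thread) of a script the LaunchAgent above could run: it acts only when the user who just logged in is the shared student account, and it empties named folders inside that one home instead of matching `/Users/*`. The account name `student`, the folder list, the `--run` argument and the `USERS_ROOT` override are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to be started by the LaunchAgent,
# so it runs as whoever just logged in.
USERS_ROOT="${USERS_ROOT:-/Users}"           # overridable for testing (assumption)
SHARED_ACCOUNT="${SHARED_ACCOUNT:-student}"  # hypothetical shared account name
CLEAN_DIRS="Desktop Documents Downloads"     # hypothetical folder list

# Empty one folder inside a home directory but keep the folder itself.
# find also removes dotfiles, which a Desktop/* glob would leave behind.
clear_folder() {
    cf_home="$1"; cf_name="$2"
    # Reject empty names, nested paths ("../x") and hidden folders.
    case "$cf_name" in ""|*/*|.*) return 2 ;; esac
    cf_target="$cf_home/$cf_name"
    # Must be a real directory, not a symlink pointing somewhere else.
    if [ ! -d "$cf_target" ] || [ -L "$cf_target" ]; then return 3; fi
    find "$cf_target" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# Clean only the shared account. A LaunchAgent in /Library/LaunchAgents loads
# for every user who logs in, so admins and other accounts must be skipped.
clean_student_home() {
    cs_user="$1"
    [ -n "$cs_user" ] || return 1
    [ "$cs_user" = "$SHARED_ACCOUNT" ] || return 1
    cs_home="$USERS_ROOT/$cs_user"
    [ -d "$cs_home" ] || return 1
    for cs_dir in $CLEAN_DIRS; do
        clear_folder "$cs_home" "$cs_dir" ||
            echo "not fully cleared: $cs_home/$cs_dir" >&2
    done
    return 0
}

# Only act when called with --run (hypothetical argument passed by the plist).
if [ "${1:-}" = "--run" ]; then
    clean_student_home "$(id -un)"
fi
```

In the plist, `--run` would take the place of the `-argument` placeholder. Keeping the script root-owned in a directory only root can write to means the student account cannot replace what runs at each login.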

jamflund
New Contributor III

Thanks PaulHazelden.