Removing Accounts from Internet Accounts

apizz
Valued Contributor

We have the Internet Accounts system preference pane disabled, but our users are still able to add accounts to Internet Accounts. I think this is being done via Safari because IIRC, it will ask you if you want to add a supported account when you sign in to that account through the browser.

Does anyone know via the command line how to remove these accounts? Or do we just have to temporarily allow access to the Internet Accounts preference pane in order to remove these?

22 REPLIES

mm2270
Legendary Contributor III

Posting here just to be informed of responses. We run into the same issue here and I have not been able to find any command line way of removing those accounts. Granted, I haven't dug too deeply, so I may take another crack at trying to find some method for this.

What we do for now is temporarily unlock the Internet Accounts preference pane for the user and they go in and remove the account they created. Then we lock it again by re-applying the Configuration Profile. Of course, the same thing could happen again a month or so later, so we sometimes go around in circles on this.
I wish Apple would give us some way of truly preventing any of those accounts from being created in the first place. It's rather annoying that they have put this account creation process into so many locations in the OS that it's nearly impossible to fully block it.

bvrooman
Valued Contributor

There are some database files in ~/Library/Accounts/ that can be deleted. On next login, the accounts will be gone.

apizz
Valued Contributor

While I haven't dug very deep either, I did find a preventive measure that I just tested successfully via Configuration Profile at the computer-level that stops Safari from prompting users to add an account to Internet Accounts. I've confirmed from at least one other admin on Slack who's configured this at the user-level successfully as well. I used this gist as a template.

The Safari plist (~/Library/Preferences/com.apple.Safari.plist) can reference an array tied to a DomainsToNeverSetUp key specifying the domains not to set up. Example below:

    <key>DomainsToNeverSetUp</key>
    <array>
         <string>apple.com</string>
         <string>google.com</string>
         <string>facebook.com</string>
    </array>

apizz
Valued Contributor

UPDATE: I've since updated the method for collecting the logged-in user per Apple's recommended method via bash

So I grabbed a free copy of the sqlitebrowser and determined that the Internet Account info is stored in the ~/Library/Accounts/Accounts3.sqlite database in a table called ZACCOUNT.

I successfully tested the script below with a logged-in user (although I imagine you could also configure it to run for all user accounts, or just users you explicitly specify) to remove all entries from the ZACCOUNT table (while keeping the table intact), which removes the account entries in Internet Accounts and prevents any data that may have been loaded previously from being displayed in the respective apps. I personally only tested this with Calendar data.

#!/bin/bash

# Grabs the logged-in user (Apple's recommended scutil method); empty at the login window
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}')

if [ -z "$loggedInUser" ]; then
    /bin/echo "No user is logged in; nothing to do."
    exit 1
fi

# Path to the user's accounts database (Accounts3.sqlite on 10.11; 10.12 and later use Accounts4.sqlite)
DB="/Users/$loggedInUser/Library/Accounts/Accounts3.sqlite"

if [ ! -f "$DB" ]; then
    /bin/echo "No Internet Accounts database found at $DB"
    exit 1
fi

# Remove all records from the ZACCOUNT table (the table itself stays)
if /usr/bin/sqlite3 "$DB" 'DELETE FROM ZACCOUNT'; then
    /bin/echo "Successfully removed all Internet Accounts for ${loggedInUser} from sqlite db!"
else
    /bin/echo "Failed to remove all Internet Accounts for ${loggedInUser} from sqlite db."
    exit 1
fi

exit 0

I did notice that the notification icon for the Calendar app did not go away until I rebooted, so that may be something you configure with a policy.

Also, I verified that the permissions on the Accounts3 database are not changed to root, so you shouldn't have to run the sqlite3 command as the user.

Hope this helps people!

apizz
Valued Contributor

Went one further, and created an extension attribute which reads all users' ~/Library/Accounts/Accounts3.sqlite file if it exists, reads the data, and prints to an array for reading by the JSS (so long as the array is not empty).

EA:

#!/bin/bash

RESULT=()

for USER_HOME in /Users/* ; do
    USERNAME=$(basename "$USER_HOME")
    # 10.11 uses Accounts3.sqlite, 10.12 and later Accounts4.sqlite; check both
    for DB in "$USER_HOME/Library/Accounts/Accounts3.sqlite" "$USER_HOME/Library/Accounts/Accounts4.sqlite"; do
        [ -f "$DB" ] || continue
        # One "username|description" line per row; drop rows where both fields are empty
        INTERNET_ACCOUNTS=$(/usr/bin/sqlite3 "$DB" 'SELECT ZUSERNAME, ZACCOUNTDESCRIPTION FROM ZACCOUNT' | grep -v '^|*$')
        if [ -n "$INTERNET_ACCOUNTS" ]; then
            RESULT+=("===${USERNAME}===")
            RESULT+=("$INTERNET_ACCOUNTS")
        fi
    done
done

# Only the <result> block may go to stdout, otherwise the EA value is polluted
if [ "${#RESULT[@]}" -eq 0 ]; then
    /bin/echo "<result>No Internet Accounts Detected</result>"
else
    /bin/echo "<result>$(printf '%s\n' "${RESULT[@]}")</result>"
fi

exit 0

Sample output: [screenshot attached in the original post]

Smart Group that checks the status: [screenshot attached in the original post]

FlashMoney
New Contributor

@aporlebeke So I tried out the script/EA you posted and I keep getting an error that states the table ZACCOUNT does not exist. I have accounts setup in Internet Accounts. Do different types of accounts setup different tables?

apizz
Valued Contributor

@FlashMoney hmmm. You might try grabbing a copy of the sqlitebrowser I linked to in my answer and taking a look at your sqlite database.

IIRC all accounts get configured in the ZACCOUNT table. I haven't yet tested this with 10.12, only 10.11, so can't confirm whether something is different or not.

FlashMoney
New Contributor

@aporlebeke My bad, I did not see that. Looks like in 10.12 they changed the file name to Accounts4.sqlite. Thank you!!!!!

apizz
Valued Contributor

@FlashMoney no worries, thanks for pointing that out. Something I probably wouldn't have checked when we do move to 10.12 this summer. I've updated the script on my Github so it checks for 10.11 vs 10.12

Pollitt
New Contributor

Hi @aporlebeke

Do you know if it is possible to add a user to internet accounts by reversing this method?

Thanks

apizz
Valued Contributor

@Pollitt don't know and haven't tried. Sorry :/

gustavo
New Contributor

Hi @aporlebeke

Do you know if it is possible to remove only one account? Trying to remove only the corporate account since Outlook is our preferred method but allowing users to set their personal email in Apple Mail.

Thanks,

Gustavo

apizz
Valued Contributor

@gustavo Yes. I'm not super familiar with SQL or sqlite, but with the logged-in user and your org's standard email / account naming convention you could remove only that one element from the table. May find this helpful: https://www.sqlitetutorial.net/sqlite-delete/

gustavo
New Contributor

For those interested, I took @aporlebeke's script and edited it to only delete the corporate account. You will need to replace "acme" with your own corporate name, no need to add ".com".

#!/bin/zsh

# This script has been developed to detect if the corporate Exchange account is set up in System Preferences > Internet Accounts. If the account exists it will be removed.
# Created by Gustavo Díaz-Angleró
# Original taken from https://github.com/apizz/Mac_Scripts/blob/master/OSX_Internet_Account_Removal/OSX_Internet_Account_Removal_ALL_USERS.sh

###################### Start of Script ####################

###################### Variables ####################

# Gets the login user information
CONSOLE_USER=$(ls -l /dev/console | awk '{ print $3 }')

# Gets macOS version information (major and minor, so 11.x/12.x are not mistaken for 10.x)
macOS_MAJOR=$(sw_vers -productVersion | cut -d. -f1)
macOS_MINOR=$(sw_vers -productVersion | cut -d. -f2)

# Gets DB information. In 10.12, Apple changed the Accounts file number from 3 to 4.
if [ "$macOS_MAJOR" -eq 10 ] && [ "$macOS_MINOR" -le 11 ]; then
    DB="Library/Accounts/Accounts3.sqlite"
else
    DB="Library/Accounts/Accounts4.sqlite"
fi

# Defines log location for script
LOG_LOCATION="/usr/local/corporate/logs/exchangeaccount.log"

# Corporate account pattern (replace acme with your own corporate name; no ".com" needed)
CORP_PATTERN="%@acme%"

###################### Function ####################

LogScript(){
    DATE=$(date "+%Y-%m-%d %H:%M:%S")
    mkdir -p "$(dirname "$LOG_LOCATION")"
    echo "$DATE " "$1" >> "$LOG_LOCATION"
}

###################### Script ####################

LogScript "Detecting if Corporate Exchange account is set up in System Preferences Internet Accounts"

if [ -f "/Users/$CONSOLE_USER/$DB" ]; then
    INTERNET_ACCOUNTS=$(/usr/bin/sqlite3 "/Users/$CONSOLE_USER/$DB" "SELECT COUNT(*) FROM ZACCOUNT WHERE ZUSERNAME LIKE '$CORP_PATTERN'")
    if [ "$INTERNET_ACCOUNTS" -ge 1 ]; then
        LogScript "Exchange account exists --> deleting account."
        # Remove every matching row in one statement, using the same pattern as the count above
        /usr/bin/sqlite3 "/Users/$CONSOLE_USER/$DB" "DELETE FROM ZACCOUNT WHERE ZUSERNAME LIKE '$CORP_PATTERN'"
    else
        LogScript "No Exchange account exists for user $CONSOLE_USER."
    fi
else
    LogScript "No SQL database exists for user $CONSOLE_USER."
fi

exit 0
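
A worked version of the same ZACCOUNT handling in Python, added here as an example; it is not code from the thread or from apizz's GitHub. It covers both apizz's remove-all script and Gustavo's corporate-only variant, and folds in the Accounts3/Accounts4 file-name choice by comparing the major version first (so 11.x and 12.x are not mistaken for 10.x). It uses only the standard-library sqlite3 module, so the domain pattern is a bound parameter rather than text spliced into a shell-quoted DELETE. Assumptions: the column names are the ones the thread's own queries use (ZUSERNAME, ZACCOUNTDESCRIPTION, ZOWNINGBUNDLEID, with Z_PK as primary key); the sample rows are constructed test data, not a real Accounts database; and nothing here addresses why Sonoma refuses to open the file.

```python
import sqlite3
from pathlib import Path
from typing import Optional

# Assumed from the thread's own queries: ZACCOUNT has ZUSERNAME,
# ZACCOUNTDESCRIPTION and ZOWNINGBUNDLEID columns and Z_PK as primary key.


def accounts_db_name(product_version: str) -> str:
    """Map an sw_vers -productVersion string to the Accounts file name.

    Compares the major version first: cutting only the second dotted field
    turns '12.3' into 3, which would wrongly pick Accounts3 on Monterey.
    """
    parts = [int(p) for p in product_version.split(".")]
    major, minor = parts[0], (parts[1] if len(parts) > 1 else 0)
    if major == 10 and minor <= 11:
        return "Accounts3.sqlite"
    return "Accounts4.sqlite"


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters so the domain is matched literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def list_accounts(conn: sqlite3.Connection) -> list:
    """(username, description, owning bundle id) per row, skipping rows where
    both username and description are NULL, as the EA's tr/awk filter does."""
    return conn.execute(
        "SELECT ZUSERNAME, ZACCOUNTDESCRIPTION, ZOWNINGBUNDLEID FROM ZACCOUNT"
        " WHERE ZUSERNAME IS NOT NULL OR ZACCOUNTDESCRIPTION IS NOT NULL"
        " ORDER BY Z_PK"
    ).fetchall()


def delete_accounts(conn: sqlite3.Connection, domain: Optional[str] = None,
                    dry_run: bool = False) -> int:
    """Delete every row (domain=None, the remove-all script) or only usernames
    ending in @domain (the corporate-only variant). Returns the row count
    matched; with dry_run nothing is deleted. The pattern is a bound
    parameter, so a username containing a quote cannot break the statement."""
    if domain is None:
        where, params = "", ()
    else:
        where = " WHERE ZUSERNAME LIKE ? ESCAPE '\\'"
        params = ("%@" + escape_like(domain),)
    with conn:  # one transaction: the count and the delete see the same rows
        count = conn.execute("SELECT COUNT(*) FROM ZACCOUNT" + where, params).fetchone()[0]
        if not dry_run:
            conn.execute("DELETE FROM ZACCOUNT" + where, params)
    return count


def prune_user_db(home: Path, product_version: str, domain: Optional[str] = None) -> int:
    """Back up the user's Accounts database with the online backup API, then
    delete matching rows. Returns -1 when the user has no Accounts database."""
    db = home / "Library" / "Accounts" / accounts_db_name(product_version)
    if not db.is_file():
        return -1
    src = sqlite3.connect(db)
    try:
        bak = sqlite3.connect(db.with_name(db.name + ".bak"))
        try:
            src.backup(bak)
        finally:
            bak.close()
        return delete_accounts(src, domain)
    finally:
        src.close()


# Constructed sample rows, not from a real Mac; the 'akd' row stands in for
# the AuthKit entry fponcelin describes later in the thread.
SAMPLE_ROWS = [
    ("alice@acme.com", "Exchange", "com.apple.systempreferences"),
    ("alice@gmail.com", "Google", "com.apple.systempreferences"),
    ("alice@acme.com", None, "akd"),
    (None, None, "com.apple.systempreferences"),
]


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for Accounts4.sqlite with the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, ZUSERNAME TEXT,"
                 " ZACCOUNTDESCRIPTION TEXT, ZOWNINGBUNDLEID TEXT)")
    conn.executemany("INSERT INTO ZACCOUNT (ZUSERNAME, ZACCOUNTDESCRIPTION,"
                     " ZOWNINGBUNDLEID) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = make_sample_db()
    print("would delete:", delete_accounts(conn, "acme.com", dry_run=True))  # 2
    print("deleted:", delete_accounts(conn, "acme.com"))                     # 2
    print("left:", list_accounts(conn))                                      # the gmail row only
```

Run it against a real home directory with `prune_user_db(Path("/Users/alice"), "12.3.1", "acme.com")` as root; the dry_run flag on delete_accounts is the safe way to confirm the match before anything is removed, and the .bak copy made through the backup API is a consistent snapshot even if the user is logged in.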

beeboo
Contributor

@gustavo do you know what the ZOWNINGBUNDLEID identifiers mean?

I have a few that are AKD but I'm not sure what that represents - could be web email related?

kwmc-lucas
New Contributor II

Thank you @gustavo, that's exactly what I was looking for. It doesn't seem to work on 10.15.5 for me, has something changed? I tried @aporlebeke 's and that didn't work either. I've tried running both locally but to no avail.

To run yours locally, I had to change the log location as that was throwing up an error. Put it in /var/log/ is that a sensible place?

fponcelin
New Contributor II

"I have a few that are AKD but I'm not sure what that represents - could be web email related?"

@beeboo I also found that on my own computer. With a bit of investigation I figured it's related to AuthKit. In my case I have my work address used as an AppleID in Xcode - that created a record in the database with "akd" as the ZOWNINGBUNDLEID.

Interestingly enough, deleting all records of my work email from the database didn't remove it from Xcode Preferences and didn't seem to impair it in any way (I'm not super well versed in how Xcode uses a developer AppleID and features like signing, so take this with a grain of salt).

proche9
New Contributor

Hi,
Just checking if anyone has used this recently in Monterey? I have tried it and the code does not appear to work anymore.

Hello, 

replace this part:

DB="/Users/$USER/Library/Accounts/Accounts4.sqlite"

then it should work

davidi4
Contributor

This no longer appears to work in Sonoma - Accounts4.sqlite can be read but not opened or modified. I get this error opening my own user's file:

Error: unable to open database

File permissions look correct. sudo doesn't help. We are getting tickets for users on Sonoma who get prompted to provide a password for a cached email address, but we lock down the Internet Accounts setting pane AND the Mail and Messages apps. I have to remove all of the restrictions so the user can delete the offending Internet Account manually.

Thoughts?

No luck here, we had to do the same thing which is not an ideal solution. We've ended up adding a static group to the Exclusion scope for configs so we can quickly add and remove a user without messing with others scoped to a config, and it works.