Removing user home folder on logout Mojave

mediacollege
New Contributor III

For years we used a logout hook to remove student home folders on logout. After some issues in High Sierra we created a combination of LaunchAgents/LaunchDaemons to accomplish this. But in Mojave we encounter "operation is not permitted" when the script tries to delete the home folder. This is caused by the new PPPC security.
How can I whitelist a script so it is able to completely remove the home folder(s) on logout? I know you can do some tweaking with a PPPC policy but really don't know how this works in our situation.

1 ACCEPTED SOLUTION

mediacollege
New Contributor III

After trying several methods I concluded that none of the commands were reliable; the home folder wasn't removed all the time, so I came up with this script which tries to delete the home folder and, if this fails, retries several times. For us it seems to work, maybe not the most efficient solution but it seems to be more reliable.

#!/bin/sh
# first attempt: let the Jamf binary remove the account
/usr/local/bin/jamf deleteAccount -username student

# second attempt (the account is "student"; the path is written in the same
# case so the check also works on a case-sensitive volume)
if [ -e "/Users/student" ]; then
    sysadminctl -deleteUser student
    chflags -R nouchg /Users/student
    chmod -R 777 /Users/student
    rm -Rf /Users/student
fi

# third attempt: hand the job to a separate script run through the Jamf binary
if [ -e "/Users/student" ]; then
    /usr/local/bin/jamf runScript -script removehomedir.sh -path /Library/Scripts/
fi

# fourth attempt
if [ -e "/Users/student" ]; then
    /usr/local/bin/jamf deleteAccount -username student
fi

# re-create the account for the next login
/usr/local/bin/jamf createAccount -username "student" -realname "Student" -password "" -picture "/Library/User Pictures/Fun/Ma.png"
exit

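A more general form of the accepted solution's retry logic, added here as an example and not code from the thread or from Jamf: one function that removes a single home folder, verifies the result, and retries a bounded number of times instead of hardcoding four attempts. It assumes it runs as root after the account itself has already been removed (the thread's jamf deleteAccount or sysadminctl -deleteUser step), and HOME_ROOT, MAX_ATTEMPTS and RETRY_DELAY are this example's own names. The is_safe_home_path guard is there because a logout hook that feeds rm -Rf an empty or truncated variable removes far more than one home folder.

```shell
#!/bin/sh
# Added example, not from the thread: remove one home folder with
# verification and bounded retries. Assumes it runs as root after the
# account itself has been deleted, so nothing still holds the folder.
# HOME_ROOT, MAX_ATTEMPTS and RETRY_DELAY are this example's own names.

HOME_ROOT="${HOME_ROOT:-/Users}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"
RETRY_DELAY="${RETRY_DELAY:-2}"

log() {
    printf '%s remove_home: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >&2
}

# Accept only a direct child of HOME_ROOT. An empty variable, "/", the root
# itself, a trailing slash or a ".." component would otherwise reach rm -rf.
is_safe_home_path() {
    case "$1" in
        ""|"$HOME_ROOT"|"$HOME_ROOT"/|"$HOME_ROOT"/*/*|*/../*|*/..|*/./*) return 1 ;;
        "$HOME_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the folder is gone, 1 when it survives every attempt,
# 2 when the path fails the safety check. Never touches anything else.
remove_home_dir() {
    target="$1"
    if ! is_safe_home_path "$target"; then
        log "refusing '$target': not a direct child of $HOME_ROOT"
        return 2
    fi
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        if [ ! -e "$target" ]; then
            log "$target is gone after $((attempt - 1)) attempt(s)"
            return 0
        fi
        log "attempt $attempt of $MAX_ATTEMPTS: removing $target"
        # Clear the user-immutable flag first; chflags exists only on macOS
        # and the step is simply skipped elsewhere.
        if command -v chflags >/dev/null 2>&1; then
            chflags -R nouchg "$target" 2>/dev/null
        fi
        rm -rf "$target" 2>/dev/null
        attempt=$((attempt + 1))
        if [ -e "$target" ]; then
            sleep "$RETRY_DELAY"
        fi
    done
    if [ -e "$target" ]; then
        log "giving up: $target still exists after $MAX_ATTEMPTS attempt(s)"
        return 1
    fi
    log "$target is gone after $MAX_ATTEMPTS attempt(s)"
    return 0
}

# Stand-alone use: sh remove_home.sh /Users/student [/Users/other ...]
for target_arg in "$@"; do
    remove_home_dir "$target_arg"
done
```

The function logs to stderr so a logout hook's output ends up in the system log, and it returns a distinct status for "refused", "failed" and "done", which lets the caller decide whether re-creating the account is still safe.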

16 REPLIES

thebrucecarter
Contributor II

We have a similar procedure (we have a rolling delete that keeps the last X users just in case something goes awry). You need to delete the account first, then it will release the home directory. Following is the salient portion of my script (there are some variables defined elsewhere, but I think they are fairly obvious, let me know if not):

# delete user (this releases the home directory; WriteLog is a helper defined elsewhere in the script)
/usr/bin/dscl . delete "${baseDirectory}${homeFolder}" > /dev/null 2>&1
# delete home directory
/usr/bin/chflags -Rf nouchg "${baseDirectory}${homeFolder}"
/bin/rm -Rf "${baseDirectory}${homeFolder}"
WriteLog "PurgeOldHomes" "${baseDirectory}${homeFolder} was deleted"
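An added example of the rolling-delete selection thebrucecarter describes, not the poster's own script: it lists the home folders under a root, drops the protected names and the newest X by modification time, and prints what would be purged. The deletion itself stays the poster's sequence (account first, then chflags and rm); PROTECTED and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: pick which home folders a rolling
# delete should purge. Keeps the newest KEEP folders (by mtime) and never
# lists the PROTECTED names. Variable and function names are this example's own.

PROTECTED="${PROTECTED:-Shared admin}"

# Prints one absolute path per line, newest first, for every folder that is
# a candidate for removal. Usage: homes_to_purge /Users 2 "Shared admin"
homes_to_purge() {
    root="$1"
    keep="$2"
    protected="${3:-$PROTECTED}"
    # ls -t orders by modification time, newest first; -d lists the
    # directories themselves rather than their contents.
    ls -1td "$root"/*/ 2>/dev/null | while IFS= read -r entry; do
        name="${entry%/}"
        name="${name##*/}"
        skip=0
        for p in $protected; do
            [ "$name" = "$p" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        printf '%s\n' "$root/$name"
    done | tail -n "+$((keep + 1))"
}

# Stand-alone dry run: sh rolling_purge.sh /Users 3
if [ $# -ge 2 ]; then
    homes_to_purge "$1" "$2" | while IFS= read -r home; do
        printf 'would purge: %s\n' "$home"
    done
fi
```

Run it as a dry run first and compare the list against the protected names; only then feed each printed path to the account-then-folder deletion sequence above.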

mediacollege
New Contributor III

Thanks for your reply. I came up with this logouthook script:

# delete user
/usr/bin/dscl . delete /Users/student

# delete home directory
/usr/bin/chflags -Rf nouchg /Users/student
/bin/rm -Rf /Users/student

# create user (the attribute names are UserShell and Picture; lower-case "shell"/"picture" would create custom attributes)
/usr/bin/dscl . create /Users/student
/usr/bin/dscl . create /Users/student UserShell /bin/bash
/usr/bin/dscl . create /Users/student RealName "student"
/usr/bin/dscl . create /Users/student UniqueID "1010"
/usr/bin/dscl . create /Users/student PrimaryGroupID 20
/usr/bin/dscl . create /Users/student NFSHomeDirectory /Users/student
/usr/bin/dscl . create /Users/student Picture "/Library/User Pictures/Fun/Ma.png"
/usr/bin/dscl . passwd /Users/student ""

Still needs some testing but it seems to do the Job.
Thanks!

allanp81
Valued Contributor

Apparently it's better to use sysadminctl to do this rather than dscl.

mediacollege
New Contributor III

Okay but how would you translate the above script to sysadminctl?

allanp81
Valued Contributor

I think it's something like:

sysadminctl -deleteUser username

you can add -secure to securely delete the folder if you want to.

mediacollege
New Contributor III

Yes, I tried that but the home folder is not deleted; it must be run as root. Maybe it will work if I let a LaunchDaemon launch the script, but I haven't tried that yet.
With dscl it seemed to work but it's not reliable. It doesn't always delete the folder, so I need to find a way to make it reliable.

jcarr
Contributor III

The Jamf binary is granted access by default for enrolled devices. You should be able to use it to remove the user and the home directory on logout.

/usr/local/bin/jamf deleteAccount -username student -deleteHomeDirectory

allanp81
Valued Contributor

sysadminctl should work fine if you run it via a launch daemon.

grecopj
Contributor

I've been using a script on logout to remove any home directories other than the ones specified in the script. I just started testing it with Mojave and all seems to work. However, I've found that it deletes the contents of the home folder first on logout and then will delete that folder after another restart or when another user logs in and logs out.

mediacollege
New Contributor III

I tried using a LaunchDaemon to launch the script but it resulted in:
"it's either last admin user or last secure token user neither of which can be deleted"

However, thanks to the suggestion of jcarr I was able to delete the user account.

mediacollege
New Contributor III

This is what I came up with:

The logout hook:
touch /Users/Shared/studentloggedout

The LaunchDaemon:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ma.cleanuphomedirwatcher.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Scripts/cleanuphomedir.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

The script:

#!/bin/sh

if [ -f /Users/Shared/studentloggedout ]; then
    /usr/local/bin/jamf deleteAccount -username student -deleteHomeDirectory
    sysadminctl -addUser student -fullName "student" -password "" -picture "/Library/User Pictures/Fun/Ma.png"
    pkill loginwindow
    rm -f /Users/Shared/studentloggedout
else
    exit 0
fi

exit

mediacollege
New Contributor III

The above LaunchDaemon approach seemed to work fine, but after restart the system hangs at startup. I guess the script is not finished in time before the restart takes place.

Seems like the best option is to use the good old logout hook to run:
/usr/local/bin/jamf deleteAccount -username student -deleteHomeDirectory
sysadminctl -addUser student -fullName "student" -password "" -picture "/Library/User Pictures/Fun/Ma.png"

Is there a way to make Jamf just delete the home directory? It is not necessary to delete the user, so the re-creation of the user can be skipped.

claudiogardini
Contributor

We are using a script to delete the home directory on logout. From 10.14 onwards the following PPPC whitelist is necessary for it to work.

63d7a0996ce64157a72155b17b635f6e

mediacollege
New Contributor III

Thanks, I'll keep that in mind for future purposes.

mediacollege
New Contributor III

claudiogardini can you share the script you use?
