Posted on 04-25-2014 09:51 AM
Hi All,
Does anyone already have a script for a user to initiate their own local to mobile account migration via Self Service? The machine will already be bound to AD.
The scenario will be:
1. User runs Local to Mobile Account Migration script via Self Service.
2. Rename computer to serial number
3. Log out the current user
4. Delete the current user's account keeping their local home directory.
5. User then logs in with their AD credentials picking up the local home directory. (all local usernames match AD usernames.)
Thanks! ;)
Posted on 06-04-2014 08:51 AM
This is what I ended up doing if anyone is interested! Hopefully it can help someone else out. You'd have to write in any exceptions you want to account for with your environment.
#!/bin/bash
# Script 1: run as root from the Self Service policy. Records which home
# directory to migrate and warns the user at the login window.
# Get the user currently logged in at the console
CURUSERNAME=$(/usr/bin/stat -f %Su /dev/console)
# Create temp file with user path to migrate
echo "/Users/$CURUSERNAME" > /.what_ever_you_want_to_name_this_file
# Login window banner so the user does not log back in mid-migration
echo "PLEASE DO NOT HIT THE ACCEPT BUTTON BELOW OR LOGIN!!! Your account is migrating. Your machine will restart again in a few minutes." > /Library/Security/PolicyBanner.txt
exit 0

#!/bin/bash
# Script 2: run as root after the user has logged out. Checks for the marker
# file written by script 1; if it exists, the policy is kicked off and the
# user's local account is migrated to a mobile account.
if [ -f "/.what_ever_you_want_to_name_this_file" ]
then
    /usr/sbin/jamf policy MigrateLocalAccountToMobile
    # Get the home path recorded by script 1
    CURUSERPATH=$(/bin/cat /.what_ever_you_want_to_name_this_file)
    # Username is the last path component
    CURUSERNAME=${CURUSERPATH##*/}
    # Determine UID
    UIDNUMBER=$(/usr/bin/id -u "$CURUSERNAME")
    # Treat UIDs below 1000 as local accounts
    if [ "$UIDNUMBER" -lt 1000 ]
    then
        # move user directory aside
        /bin/mv "$CURUSERPATH" "/Users/OLD_$CURUSERNAME"
        # delete local account record
        /usr/bin/dscl . -delete "/Users/$CURUSERNAME"
        # move user directory back
        /bin/mv "/Users/OLD_$CURUSERNAME" "$CURUSERPATH"
        # show username and password text fields at login instead of the user list
        /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
        # sleep till move completes to adjust perms
        /bin/sleep 2
        # fix ownership (the name now resolves to the AD user)
        /usr/sbin/chown -Rf "$CURUSERNAME" "$CURUSERPATH"
        # fix perms
        /bin/chmod -Rf 600 "$CURUSERPATH"
        /bin/chmod -Rf u+rwX "$CURUSERPATH"
        /bin/chmod og+rX "$CURUSERPATH"
        /bin/chmod -Rf og+rX "$CURUSERPATH/Public"
        /bin/chmod og=wX "$CURUSERPATH/Public/Drop Box"
        /bin/chmod +a "user:$CURUSERNAME allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "$CURUSERPATH/Public/Drop Box"
        # Delete keychain files (the old login keychain is locked to the old local
        # password; the user's saved passwords go with it)
        # Get Mac hardware UUID
        macUUID=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID/ {print $3}')
        # delete contents of the UUID keychain folder (only if the UUID was found,
        # otherwise the glob would hit the whole Keychains folder)
        if [ -n "$macUUID" ]
        then
            /bin/rm -rf "$CURUSERPATH/Library/Keychains/$macUUID"/*
        fi
        # delete login keychain
        /usr/bin/security delete-keychain "$CURUSERPATH/Library/Keychains/login.keychain"
        # remove marker file and banner
        /bin/rm /.what_ever_you_want_to_name_this_file
        /bin/rm /Library/Security/PolicyBanner.txt
        # sleep to make sure files fully delete
        /bin/sleep 2
        # restart
        /sbin/shutdown -r now
    else
        exit 0
    fi
else
    exit 0
fi
Note: These migration scripts do not account for local vs AD username differences, ours already match.
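Added example, not code from the thread above or from Jamf: the step in the script that deletes the local record (`dscl . -delete`) is the one that can lock a user out, so it is worth gating on two things the script only assumes: that the account really is a plain local account (not one that was already converted to a mobile account) and that the same short name resolves in Active Directory. The directory output is passed in as text so the logic runs without a Mac; on a bound machine the inputs would come from `dscl . -read "/Users/$name" AuthenticationAuthority OriginalNodeName UniqueID` and `dscl "/Active Directory/DOMAIN/All Domains" -read "/Users/$name" RecordName` (DOMAIN and the sample records below are made up).

```bash
#!/bin/bash
# Pre-flight check for the local-to-mobile migration (added example, not the
# thread's script). The dscl output is taken as text arguments so this runs
# offline; the sample records at the bottom are constructed to match the shape
# dscl prints, with made-up values.

# classify_record RECORD_TEXT -> mobile | local | absent | unknown
# A mobile account carries ;LocalCachedUser; in AuthenticationAuthority and an
# OriginalNodeName; a plain local account carries ;ShadowHash; only.
classify_record() {
    rec="$1"
    case "$rec" in
        "") echo absent ;;
        *";LocalCachedUser;"* | *"OriginalNodeName:"*) echo mobile ;;
        *";ShadowHash;"*) echo local ;;
        *) echo unknown ;;
    esac
}

# record_uid RECORD_TEXT -> numeric UniqueID (prints nothing if absent)
record_uid() {
    printf '%s\n' "$1" | awk '$1 == "UniqueID:" { print $2 }'
}

# safe_to_migrate LOCAL_RECORD AD_RECORD
# Returns 0 (proceed) or 1 (refuse) and prints the reason. AD_RECORD is empty
# when the Active Directory lookup failed.
safe_to_migrate() {
    kind=$(classify_record "$1")
    uid=$(record_uid "$1")
    case "$kind" in
        mobile) echo "refuse: account is already a mobile account"; return 1 ;;
        absent) echo "refuse: no local record to migrate"; return 1 ;;
        local)  ;;
        *)      echo "refuse: unrecognised AuthenticationAuthority"; return 1 ;;
    esac
    # Same heuristic the thread's script uses: local accounts sit below UID 1000.
    if [ -z "$uid" ] || [ "$uid" -ge 1000 ]; then
        echo "refuse: UID '$uid' does not look like a local account"; return 1
    fi
    # Never delete a local record that AD cannot replace at the next login.
    case "$2" in
        *"RecordName:"*) ;;
        *) echo "refuse: user not found in Active Directory"; return 1 ;;
    esac
    echo "proceed: local uid $uid resolves in AD"
    return 0
}

# Constructed sample records (values made up).
LOCAL_REC='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.ABC;LKDC:SHA1.ABC;
UniqueID: 502'
MOBILE_REC='AuthenticationAuthority: ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM; ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:S-1-5-21-1-2-3-1105
OriginalNodeName: /Active Directory/EXAMPLE/example.com
UniqueID: 1234567890'
AD_REC='RecordName: jdoe'

# Demo: two refusals, then the case the migration script may proceed on.
safe_to_migrate "$MOBILE_REC" "$AD_REC" || true
safe_to_migrate "$LOCAL_REC" "" || true
safe_to_migrate "$LOCAL_REC" "$AD_REC"
```

Dropping this in front of the `dscl . -delete` line (with the real dscl calls feeding the two arguments) turns a silent lockout into a logged refusal; the UID threshold is kept only because the thread's script relies on it, the AuthenticationAuthority check is the reliable signal.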
Posted on 04-25-2014 10:02 AM
I've got a script that handles step 3 in the list. If you're interested, it's available here on my GitHub repo: