Self Service solution to "clean" a loaner laptop without deleting user.

jclark27
New Contributor III

Greetings!

Wondering if anyone has any thoughts or potential workflows for something we want to accomplish.

  1. The user receives a loaner computer with a local account/password of a standard account. Let's say, for example, it's "library-guest".
  2. The user uses the machine for an hour, brings it back and the techs run a self-service policy from the admin account to delete the home folder, in essence, "clearing" any user info but not having to do a whole reprovision process.

We are seeing issues with our initial policy, which ran a quick sudo rm -rf "home folder", due to the permissions on some files in the user folder. For some it would work; for others it would just error out, thus not clearing all files.

I know there's a "Delete user" and "create new user" policy in JAMF, but since we have FV2 on for the devices, the guest account would then have to be manually enabled for FV2, right? Just trying to see if there's a quick automated way to accomplish this.

6 REPLIES

ljcacioppo
Contributor III

Is it typical for the use period to only be an hour? If so, have you thought of utilizing the built in guest account that deletes files upon logout?

jclark27
New Contributor III

Great question. So the department doesn't want that option, just in case someone logs out and they lose their information. And yeah, it can potentially be more than an hour/throughout the day.

Got it. Are you also running a dscl . -delete to delete the user account before deleting the home folder? Or have you been previously trying to delete the home folder without deleting the user account?

jclark27
New Contributor III

So currently no, dscl is not being leveraged to delete the acct beforehand, which totally makes sense to do.

My main thought about that is... if deleting the account through dscl, would that then remove its FV2 enabled status?

Appreciate the time you've taken btw

I do believe that would remove the FV2 enabled status, as the user account wouldn't exist at that point. I feel like that's the cleanest method though, since either you're going to delete too much out of that home folder, to where it won't really work, or you won't delete enough and there could still be user data in a directory that wasn't erased if you limit the script to Docs/Desktop, etc.

I know most methods of user creation on Big Sur do result in a SecureToken, but I haven't checked if a dscl . -create does. I mean, if that doesn't work, I understand the one button is very convenient, but it also seems using System Preferences to just delete and recreate the account would work, and accounts created through SysPrefs definitely get a SecureToken and would be able to unlock FV2.
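The delete-record, delete-home, recreate-account sequence the replies converge on, written up as an added example script (not code from the thread or from Jamf). It assumes macOS, that the Jamf policy runs it as root, and that the admin account passed in already holds a SecureToken, which is what lets the recreated account be granted one; sysadminctl is used for the recreate step in place of the dscl . -create the reply was unsure about. The names library-guest and jamfadmin are placeholders.

```bash
#!/bin/bash
# Added example, not from the thread: reset a loaner account by deleting the
# record, deleting the home folder, recreating the account, then verifying
# FileVault status before the laptop goes back out.
# Assumptions: macOS, run as root from the Jamf policy; ADMIN already holds a
# SecureToken so the recreated standard account is granted one as well.

# Pure helper: true when `fdesetup list` output (one "name,UUID" per line on
# stdin) names the user, i.e. the account can unlock FileVault.
fv2_enabled() {
  grep -q "^$1,"
}

# Pure helper: true when nothing is left at the home folder path.
home_removed() {
  [ ! -e "$1" ]
}

reset_loaner() {
  local loaner="$1" loaner_pass="$2" admin="$3" admin_pass="$4"
  local home_dir="/Users/$loaner"

  # 1. Drop the account record first (the dscl . -delete step from the
  #    thread), then the home folder. Fail loudly rather than silently
  #    leaving user data behind for the next borrower.
  dscl . -delete "/Users/$loaner"
  rm -rf "$home_dir"
  home_removed "$home_dir" || { echo "home folder survived: $home_dir" >&2; return 1; }

  # 2. Recreate the standard account. Supplying an admin that already holds a
  #    SecureToken is what gets the new account its own token, and so FV2.
  sysadminctl -addUser "$loaner" -fullName "Library Guest" \
      -password "$loaner_pass" -adminUser "$admin" -adminPassword "$admin_pass"

  # 3. Verify instead of assuming: the account must now appear in fdesetup list.
  if ! fdesetup list | fv2_enabled "$loaner"; then
    echo "$loaner recreated but is NOT FileVault-enabled" >&2
    return 1
  fi
  echo "$loaner reset and FileVault-enabled"
}

# Run only when invoked explicitly, e.g. from the Self Service policy:
#   reset_loaner.sh --run library-guest '<loaner pw>' jamfadmin '<admin pw>'
if [ "${1:-}" = "--run" ]; then
  reset_loaner "$2" "$3" "$4" "$5"
fi
```

The exit status is non-zero if the home folder survived or the recreated account is missing from fdesetup list, so the Jamf policy log shows the failure instead of a laptop quietly going out with leftover data.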

jclark27
New Contributor III

For sure, I think you're basically giving me a sanity check because that at the end of the day is what I think we need to do. I appreciate your time man!