Students are leaving and I want to remove the management account.

New Contributor III

Does the simple command line account removal work for this or is it in a special location?

There was a script for this but I can no longer find it in the knowledge base.


Valued Contributor

Do you mean that the students are leaving with the devices?
Don't really understand your question?

Honored Contributor II
Honored Contributor II

The sysadminctl command should do it. It just needs the username specified to identify the account:

dave$ sysadminctl
2017-05-17 17:05:10.222 sysadminctl[45691:1590277] Usage: sysadminctl
    -deleteUser <user name> [-secure || -keepHome]
    -newPassword <new password> -oldPassword <old password> [-passwordHint <password hint>]
    -resetPasswordFor <local user name> -newPassword <new password> [-passwordHint <password hint>]
    -addUser <user name> [-fullName <full name>] [-UID <user ID>] [-shell <path to shell>] [-password <user password>] [-hint <user hint>] [-home <full path to home>] [-admin] [-picture <full path to user image>]
    -guestAccount <on || off || status>
    -afpGuestAccess <on || off || status>
    -smbGuestAccess <on || off || status>

Contributor II

[davidacland], great tip, thank you.

[kerouak]: If you are leaving the institution and you want to be nice to your successor, just delete the admin account's home directory and leave it there. Or create a new admin account and document the password. Just guessing here, but it should go without saying that the IT world is a much smaller place than the real world so it always pays to leave on good terms. Or perhaps I am misunderstanding the question.


Contributor II

Got a weird proxy error posting that last and then a duplicate post. ;)

Valued Contributor II

There are a lot of things to consider when off-boarding. Particularly BYOD devices where your school may also need to remove:
- Licensed Software
- Profiles
- jamf binary
- etc...

We've been successfully performing this for years. I'll be skipping right to removing the management account, framework and jss record, though I'm happy to share our entire process if you wish.

•• As part of our policy that elevates our student users to 'admin' and remove a number of applications, we load a script into /private/tmp. This script is called at the very end of the policy ("execute command", under files and processes). This script does a few things t like Unloading PaperCut and Cylance launch agents, general cleanup, delete MS Office, and other fun adobe stuff. Part of that script handles what you're asking about, plus removal of the jss record. Here's what we have for that.

#This will remove the computers record from the JSS.
CAM=`networksetup -getmacaddress en1 | cut -c19-35 |sed 's/:/./g'`

curl -k -v -u Delete:PASSWORD-HERE$CAM -X DELETE

JAM=`networksetup -getmacaddress en0 | cut -c19-35 |sed 's/:/./g'`

curl -k -v -u Delete:PASSWORD-HERE$JAM -X DELETE

ioreg -c "IOPlatformExpertDevice" | awk -F '"' '/IOPlatformSerialNumber/ {print $4}'

# This should quit Self-Service.
killall "Self Service"

# This will uninstall the JAMF binary       
/usr/local/jamf/bin/jamf -removeFramework

# This will delete the left over Admin account
/usr/bin/dscl . -delete /Users/admin
/usr/bin/dscl . -delete /Users/lrc

I do apologize as it's poorly commented. Most of the CURL comes from previous solutions posted to jamfnation (Thanks, all). That said, I should be moving towards sysadminctl.

New Contributor

@Chris_Hafner , I'd be very interested in knowing your whole process to off-board devices. We had student buy their devices from us this year and just to guarantee things we deleted everything off the device and reinstalled an OS. I think it would be nicer to our students to use something like this.


Valued Contributor II

FYI, I am working on this new writeup for you. ;-)

Valued Contributor II

FYI, I am working on this new writeup for you. ;-)

Valued Contributor II

Here are the basics of my process. • The policy is scoped to a SMART group that looks for a specific department (Students-to-be-offboarded)
• Student computers are shifted to this department just before our off-boarding process -Note: Since our VPN profile is scoped to their original department (Student), it is removed automatically at this point as would any other profiles scoped to them.

• The policy starts with a script that helps quit common applications (Mostly MS Office/iLife apps)
• The policy then run’s any Composer created uninstall processes that I’ve created out of lack of a good one from the original vendor.
• The policy installs/runs any vendor supplied uninstaller packages
• The policy Installs the “Adobe Cleaner Tool”
• The policy installs all cached packages (Which are ONLY uninstallers in my environment, at this point)
• The policy installs a script to /private/tmp
• The policy calls the script
• The script performs the following tasks

  • Sets Current User as Variable
  • Unloads PaperCut and Cylance Launch Agents
  • Quits PCClient and Cylance Agent
  • Performs file Cleanup of items left over from awkward uninstaller(s), Here’s looking at you Adobe
  • Resets the software update.plist, just in case
  • Initiates Cylance UnInstaller
  • Uses a CURL command to detect the computers MAC address, and uses that to delete it’s record form the JSS
  • Quit Self-Service
  • Uninstall the jamf Binary
  • Delete management and repair accounts
  • Reboot the computer

Valued Contributor II

I'm writing out the details a bit mroe slowly, so I figured I'd send this along in the mean time. The important thing is to identify what 'specifically' needs to be done. i.e. we have plenty of software to uninstall but I'll sometimes use a vendor supplied uninstaller, sometimes I'll make one with composer and other times you have to follow a bit of weirdness, like with Adobe CC packages. With those I do some non standard things. For isntance, we create adobe CC installers using AAMEE. I also create the unisntaller with AAMEE which get cached when a user installs whatever Adobe app we're talking about.. The idea being that, in my environment, only uninstaller packages are cached persistantly. Therefore, part of my off boarding process simply isntalls any cached isntallers. That would NOT work in an environment where other cached packages might exist during an offboarding process.