time bomb accounts on a smart group

Honored Contributor

So, the last two years of our 1:1 have been fun. There is one problem that I have, though, that takes up a lot of my time, and there is no good solution. That is when I give out a spare laptop to a user while theirs is in for repair. These laptops are inventoried for the purpose of being loaners. So, rather than constantly updating my inventory and constantly reassigning users to specific machines, we give out spares.

Next school year I plan on naming every spare with a unique naming convention and then making a smart group of these spare machines. I want to make it so that every 30 days a policy runs that disables all local user accounts, thus forcing the user to come see me for support and allowing me to get their spare back from them and into my inventory.

I have had students refuse to give me back spares because they don't want to give up the 5 gigs of songs they ripped to them. I am also going to have active search-and-destroy policies that limit the files being saved on spares.

Basically, I want spare machines to not be as fun as their actual machine so they have lots of incentive to bring me back the spare. I figure I could just loop through all user accounts and change their passwords to something ridiculous (a random 30-character string) and then force a reboot. They won't be able to log in, and they will come see me immediately if they can't log in.

I think this is pretty simple to do, but I would like any feedback from anyone on the list who has done something like this before.

Thanks in advance, and have a good weekend.

Thomas Larkin
TIS Department
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351


Valued Contributor

Sounds like you need an Acceptable Use Policy that has support and
enforcement from the school board/district.
When I worked at a K-12, a student refusing to return school equipment for
any reason, never mind a non-school related reason, was grounds for
disciplinary action.

As for disabling the machine, you could run a script that deletes all
accounts from the local directory service (except your admin account and
root), and deletes all directory bindings. Deleting the account info from
the DS will leave /Users alone, so students can't accuse you of deleting
their work. You could also chown /Users to your admin account and the admin
group. You should also have a firmware password in place to keep them from
booting into target mode. If they're *really* savvy, they can change the
RAM config and get past the firmware password, but at that point, they've
clearly entered the realm of wrongdoing.

Though it occurs to me, if the hard disk is functioning when you have to
send a machine for repair, why not clone or even physically swap the drive
into a "loaner" machine, and then update the inventory such that the student
is now assigned the "loaner" as their machine? It seems like a lot less

Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
voice: 1-347-277-7321
miles.leacy at themacadmin.com
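As an added example (not code from the thread or from either poster), here is one way to write both variants discussed above as a single Casper/Jamf policy script: the original post's plan of setting a random 30-character password on every student account, and Miles Leacy's alternative of deleting the directory records while leaving /Users alone. It assumes a protected admin account named `localadmin`, student accounts with UIDs of 500 or higher (macOS hands out 501 upwards to accounts created normally), and a hypothetical `LOANER_ACTION` variable that picks the variant; none of those names come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Policy script for loaner machines:
# LOANER_ACTION=lock   scrambles every student account's password (original post)
# LOANER_ACTION=delete removes the student records from the local directory node
#                      but leaves /Users intact (Miles Leacy's variant)
# Assumptions (not from the thread): admin account "localadmin", student UIDs >= 500.
# Must run as root, e.g. from a policy scoped to the "spares" smart group.

ADMIN_USER=localadmin
PROTECTED_USERS="root $ADMIN_USER"   # never touched; match your own admin account name
MIN_USER_UID=500                     # everything below this is a system account

# Random password of length $1 from /dev/urandom, letters and digits only so it
# is safe to pass as a single shell argument. LC_ALL=C keeps tr byte-oriented.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# True (exit 0) when the account named $1 with UID $2 is a student-style account
# the policy may touch; false for system, hidden and protected accounts.
is_lockable() {
    name=$1; uid=$2
    case "$name" in _*) return 1 ;; esac                     # hidden service accounts (_mbsetupuser, ...)
    [ "$uid" -ge "$MIN_USER_UID" ] 2>/dev/null || return 1   # low or non-numeric UID: leave alone
    for p in $PROTECTED_USERS; do
        [ "$name" = "$p" ] && return 1
    done
    return 0
}

# Read "name uid" lines on stdin (the layout dscl -list prints) and emit the
# names that pass is_lockable. Kept separate from dscl so it can be exercised
# with constructed input before the policy goes live.
filter_lockable() {
    while read -r name uid; do
        [ -n "$name" ] || continue
        is_lockable "$name" "$uid" && printf '%s\n' "$name"
    done
}

# "name uid" for every record in the local directory node.
list_local_users() {
    dscl . -list /Users UniqueID
}

# Original post's approach: unguessable 30-character password on each student
# account. Home folders and data stay put; nobody can log in until we reset it.
lock_loaner_accounts() {
    list_local_users | filter_lockable | while read -r user; do
        pw=$(gen_password 30)
        dscl . -passwd "/Users/$user" "$pw" < /dev/null   # root needs no old password
        echo "locked $user"
    done
}

# Miles Leacy's approach: delete the directory record only. dscl -delete never
# removes the home folder, so the orphaned home is handed to the admin account.
delete_loaner_accounts() {
    list_local_users | filter_lockable | while read -r user; do
        dscl . -delete "/Users/$user" < /dev/null
        [ -d "/Users/$user" ] && chown -R "$ADMIN_USER:admin" "/Users/$user"
        echo "deleted record for $user (home folder kept)"
    done
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    case "${LOANER_ACTION:-lock}" in
        lock)   lock_loaner_accounts ;;
        delete) delete_loaner_accounts ;;
        *)      echo "LOANER_ACTION must be lock or delete" >&2; return 1 ;;
    esac
    shutdown -r +1 "Loaner policy: this machine reboots in one minute"
}

# The destructive part only runs when asked for explicitly, so the file can also
# be sourced for its helpers:  LOANER_RUN=1 LOANER_ACTION=lock sh loaner.sh
if [ "${LOANER_RUN:-0}" = 1 ]; then main; fi
```

The UID floor plus the protected-name list is what keeps the admin account and root out of the loop; if your admin accounts keep their homes outside /Users, the same filter can be keyed on `dscl . -list /Users NFSHomeDirectory` instead. Either variant leaves the student's files on disk, which is the point Miles makes about not being accused of deleting their work.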

Honored Contributor

Considering I send probably 50 units in a week for HD failure that is
not really an option. Plus I barely have time to admin the 30 servers,
do all the casper packages plus admin the casper servers, create
users/groups and manage the LDAP, update the images, let alone do any
sort of hardware repair. They hired me to pretty much do everything
here and I pretty much do everything from end user support all the way
up to directory administration, casper stuff, you name it I probably
most likely do it. We have an AUP in place, however I am not
educational administration so I can't do any sort of discipline nor do I
want to. The principals actually work well with us, and it always comes
down to me having them force kids to come bring in their spare. I want
to avoid getting people involved to force kids to come trade their spare
in. Plus the admins already deal with tons of AUP infractions every
day, like students using their laptops to do unacceptable things, which
I won't go into because you know what I am talking about.

Also, as a standard part of the troubleshooting process and to ensure they
have the most up-to-date software, a machine with issues gets wiped and
reimaged anyway, and home sync should only sync their Documents folder,
and there are clean-up scripts that delete any music and movies in their
home directory; plus their disk quota is 200 megabytes.

We also have our own custom-built inventory system that ties into Casper,
which our software developers made. It ties in student information from the
SILK program they use for the student database as well as the serial number
and asset tag of the machine that I dumped out of the Casper database.
There is also a built-in ticket system for repair history and work
orders and an assign system for assigning machines to the repair center
for repair or for a student to be assigned a spare. If I didn't have to
deal with end user support on top of everything else I do, I could
possibly reassign, however that is not a timely option at this point in
time. Each machine is labeled with stickers of the student name and the
learning community they belong to. So, I would have to use some sort of
Goo Gone to clean off the labels, relabel it, reinventory it, unassign
the current user from their machine, and then repeat 40 to 60 times
per week, as that is my average of machines that go out for repair.

I think in our setup, an every-30-days policy assigned to spare machines
that cleans them out is probably the best bet. Students also have
access to an online web-based product called "school loop" which allows
them to store their school work in their locker online, and it
apparently has unlimited space. However, there is a file size limit of
something like 5 megabytes. So, with home folder sync and school loop they have
the means to back up their data.

Sorry for the long, novel-like explanation, but given our current
structure the time bomb effect would be best practice.

I was thinking of just changing all passwords on the machine to
something ridiculous or using dscl or the jamf binary to just delete them.
Our admin accounts live in /private/var for a reason, mainly being so
that I can kill all users in /Users and never worry about deleting our
local admin account or root.

Thanks again for any input and for reading this sort of a rant of an

Thomas Larkin
TIS Department
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

Release Candidate Programs Tester

It looks like you have thought about this, but in our 1-1 program, we just have them barcoded. The only unique thing on the laptop is the students account and we 'check out' the laptop to the student in our Library circulation system. So, when we give them a spare, that becomes their new computer and when the fixed laptop comes back from AppleCare, it gets thrown in the spare pile to be imaged whenever we get to it and image a bunch. This should help avoid the issue of needing to collect laptops back as I can see from both sides the inconvenience of that.


Not applicable

The metal tag that holds our asset number is a part of the theft tag program that we work
with that helps in tracking down stolen or reported missing laptops. It is barcoded as well.


Mark Hughes, Apple Technician
TIS Department, KCKPS USD500
Cell 913-449-7791
mahughe at kckps.org