Yos Upgrade with osxcreateuserpkg

jwojda
Valued Contributor II

Just got a report from the deskside support guys that the upgrade wiped out 3 different people's user profiles. I haven't found much in the postimagelog.txt or jam.log or install.log or anything else that would indicate that it was deleting.

The only thing in my FB script is that it looks for the About Downloads and About Documents .pdf files and deletes those, but they return file not found - so my guess is by that time the user's folders are already gone.

This is the FB script that's being run, maybe you can see something in there that may cause it (or even just want to tweak/add nifty stuff, I'm okay with that too)...

#!/bin/sh

#
# Initial setup script for Mac OS X 10.10.x
# John Wojda, Created October 8, 2014
# Last Modified October 21, 2014 for Yosemite Upgrade

# Initial setup script for Mac OS X 10.9.x
# Rich Trouton, created August 15, 2013
# Last modified 10-25-2013
#
# Adapted from Initial setup script for Mac OS X 10.8.x
# Rich Trouton, created July 4, 2012
# Last modified 7-10-2012
#
#

LOGPATH='/private/var/log'
JSSURL='https://not.your.jss'
JSSCONTACTTIMEOUT=120
FIRSTRUN='/Library/Application Support/JAMF/FirstRun/Enroll/enroll.sh'
ENROLLLAUNCHDAEMON='/Library/LaunchDaemons/com.jamfsoftware.firstrun.enroll.plist'
LOGFILE=/private/var/log/deployment-$(date +%Y%m%d-%H%M).logging

## Setup logging
# mkdir $LOGPATH
set -xv; exec 1> $LOGPATH/postimagelog.txt 2>&1
/usr/bin/say "Begining Post Image Script"

######################################################################################
# 
#       Tasks that do not require access to the JSS
# 
######################################################################################

####
# grab the OS version and Model, we'll need it later
####

osVersion=`sw_vers -productVersion | cut -d. -f1,2`
modelName=`system_profiler SPHardwareDataType | awk -F': ' '/Model Name/{print $NF}'`
shortModel=`system_profiler SPHardwareDataType | grep 'Model Name:' | awk '{ print $3 }'`

######################################################################################
# Dummy package with image date and computer Model
######################################################################################
/bin/echo "Creating imaging receipt..."
/bin/date
TODAY=`date +"%Y-%m-%d"`
touch "/Library/Application Support/JAMF/Receipts/${modelName}_Imaged_${TODAY}.pkg"

###############################################################################
#
#   S Y S T E M   P R E F E R E N C E S
#
# This section deals with system preference tweaks
#
###############################################################################
/bin/echo "Setting system preferences"
/bin/date

# now Activate Remote Desktop Sharing, enable access privileges for the users, grant full privileges for the users, restart arduser Agent and Menu extra:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users macadmin,jssdply -privs -all -restart -agent -menu

#
# Enable AirDrop over on all machines on all interfaces
#

/bin/echo "Enabling AirDrop..."
/bin/date
/usr/bin/defaults write com.apple.NetworkBrowser BrowseAllInterfaces 1 

# Disable Time Machine's pop-up message whenever an external drive is plugged in

defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true

## Show on desktop
/bin/echo "Show on desktop"
/bin/date
defaults write com.apple.finder ShowMountedServersOnDesktop -bool true
defaults write com.apple.finder ShowExternalHardDrivesOnDesktop -bool true
defaults write com.apple.finder ShowHardDrivesOnDesktop -bool true

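# Set default screensaver settings

# MAC_UUID is used in the ByHost plist names below but was never set in this script
MAC_UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')

mkdir "/System/Library/User Template/English.lproj/Library/Preferences/ByHost"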


# Disabling screensaver password requirement by commenting out this line - can be re-enabled later.
#
# defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "askForPassword" -int 1
#

defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "idleTime" -int 900

defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "moduleName" -string "Flurry"

defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "modulePath" -string "/System/Library/Screen Savers/Flurry.saver"



###########
# TIME
###########
# enable network time
systemsetup -setusingnetworktime on

# set the time server
systemsetup -setnetworktimeserver kih.kmart.com,time.apple.com

# disable the save window state at logout
/usr/bin/defaults write com.apple.loginwindow 'TALLogoutSavesState' -bool false

###########
# SSH
###########
# enable remote log in, ssh
/bin/echo "Setting ssh"
/bin/date
/usr/sbin/systemsetup -setremotelogin on

###########
#  AFP
###########
# Turn off DS_Store file creation on network volumes
/bin/echo "Turn off DS_Store"
/bin/date
defaults write "/System/Library/User Template/English.lproj/Library/Preferences/com.apple.desktopservices" DSDontWriteNetworkStores true

##########################################
# Login Window Customizations
##########################################

# allow click thru clock to see IP, Host Name, OS version
/bin/echo "Setting click thru clock on loginwindow"
/bin/date
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

# Set the login window to name and password
/bin/echo "Setting loginwindow to name & password"
/bin/date
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true

# Disable external accounts (i.e. accounts stored on drives other than the boot drive.)
/bin/echo "Disable external accounts"
/bin/date
defaults write /Library/Preferences/com.apple.loginwindow EnableExternalAccounts -bool false

### universal Access - enable access for assistive devices
## http://hints.macworld.com/article.php?story=20060203225241914
/bin/echo "Enable assistive devices"
/bin/date

/bin/echo -n 'a' | /usr/bin/sudo /usr/bin/tee /private/var/db/.AccessibilityAPIEnabled > /dev/null 2>&1 
/usr/bin/sudo /bin/chmod 444 /private/var/db/.AccessibilityAPIEnabled

### auto brightness adjustment off
# /bin/echo "Disable auto brightness"
# /bin/date
# /usr/bin/defaults write com.apple.BezelServices 'dAuto' -bool false

### time machine off
/bin/echo "Disable Time Machine"
/bin/date
/usr/bin/defaults write com.apple.TimeMachine 'AutoBackup' -bool false

###  Expanded print dialog by default
# <http://hints.macworld.com/article.php?story=20071109163914940>
#
/bin/echo "Expanded print dialog by default"
/bin/date
# expand the print window
defaults write /Library/Preferences/.GlobalPreferences PMPrintingExpandedStateForPrint2 -bool TRUE

##Disable Fast User Switching
/bin/echo "Disable Fast User Switching"
/bin/date
defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool FALSE


###########
#  Misc
###########


# Disable OS X OS Prerelease downloads for all users 
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AllowPreReleaseInstallation -bool false

# Make a symbolic link from /System/Library/CoreServices/Applications/Directory Utility.app 
# to /Applications/Utilities so that Directory Utility.app is easier to access.

if [[ ! -e "/Applications/Utilities/Directory Utility.app" ]]; then
   ln -s "/System/Library/CoreServices/Applications/Directory Utility.app" "/Applications/Utilities/Directory Utility.app"
fi

if [[ -L "/Applications/Utilities/Directory Utility.app" ]]; then
   rm "/Applications/Utilities/Directory Utility.app"
   ln -s "/System/Library/CoreServices/Applications/Directory Utility.app" "/Applications/Utilities/Directory Utility.app"
fi

# Make a symbolic link from /System/Library/CoreServices/Applications/Network Utility.app 
# to /Applications/Utilities so that Network Utility.app is easier to access.

if [[ ! -e "/Applications/Utilities/Network Utility.app" ]]; then
   ln -s "/System/Library/CoreServices/Applications/Network Utility.app" "/Applications/Utilities/Network Utility.app"
fi

if [[ -L "/Applications/Utilities/Network Utility.app" ]]; then
   rm "/Applications/Utilities/Network Utility.app"
   ln -s "/System/Library/CoreServices/Applications/Network Utility.app" "/Applications/Utilities/Network Utility.app"
fi

# Make a symbolic link from /System/Library/CoreServices/Screen Sharing.app 
# to /Applications/Utilities so that Screen Sharing.app is easier to access.

if [[ ! -e "/Applications/Utilities/Screen Sharing.app" ]]; then
   ln -s "/System/Library/CoreServices/Applications/Screen Sharing.app" "/Applications/Utilities/Screen Sharing.app"
fi

if [[ -L "/Applications/Utilities/Screen Sharing.app" ]]; then
   rm "/Applications/Utilities/Screen Sharing.app"
   ln -s "/System/Library/CoreServices/Applications/Screen Sharing.app" "/Applications/Utilities/Screen Sharing.app"
fi
# Turn off Gatekeeper

spctl --master-disable 

# Enable Application Firewall
defaults write /Library/Preferences/com.apple.alf globalstate -int 1
defaults write /Library/Preferences/com.apple.alf loggingenabled -int 1
defaults write /Library/Preferences/com.apple.alf stealthenabled -int 0

# Terminal command-line access warning
/usr/bin/touch /etc/motd
/bin/chmod 644 /etc/motd
/bin/echo "" >> /etc/motd
/bin/echo "This Apple Workstation, including all related equipment belongs to Sears Holdings Corporation. Unauthorized access to this workstation is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected." >> /etc/motd
/bin/echo "" >> /etc/motd

##########################################
# /etc/authorization changes
##########################################

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.preferences.energysaver allow

######################################################################################
# 
#       Tasks that do require access to the JSS
# 
######################################################################################
###########################################
# Flush all previous policy history
###########################################

#/bin/echo "Flushing Policy History..."
#/bin/date
#/usr/sbin/jamf flushPolicyHistory -verbose

##########################################
# Install VPN if MacBook
##########################################
/bin/echo "Install VPN if MacBook"
/bin/date

# Detects if this Mac is a laptop or not by checking the model ID for the word "Book" in the name.

IS_LAPTOP=`/usr/sbin/system_profiler SPHardwareDataType | grep "Model Identifier" | grep "Book"`

if [[ $shortModel == "MacBook" ]]; then
    jamf policy -trigger F5VPN
else    
    /bin/echo "VPN Not Installed, desktop machine"
fi



########## Done installing software #################

#####################################################
#
#  Clean up procedures
#
#####################################################

##########################################
# Remove user folders from /Users
##########################################

find /Users -mindepth 1 -type d -maxdepth 1 -not -name Shared -exec rm -rf {} \;

##Remove apples info files.
rm -R "/System/Library/User Template/Non_localized/Downloads/About Downloads.lpdf"
rm -R "/System/Library/User Template/Non_localized/Documents/About Stacks.lpdf"

####
# Now we must purge the system log to get rid of any passwords that may be in plain text
####

# /bin/rm -rf /var/log/system.log

# /bin/echo "purged logs"

## remove from FirstBoot Group
# rm "/Library/Application Support/JAMF/Receipts/firstboot.pkg"
# jamf recon

## Fix Permissions
# /usr/sbin/jamf fixPermissions

/usr/bin/say "Finished Post Image Script"
4 REPLIES

bentoms
Release Candidate Programs Tester

@jwojda looks like it's:

##########################################
# Remove user folders from /Users
##########################################

find /Users -mindepth 1 -type d -maxdepth 1 -not -name Shared -exec rm -rf {} \;

Tbh, why isn't most of this set via profiles or MCX? Also, if these Macs are being updated... this has been run once already... so why run again?
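
The cleanup step quoted above removes every top-level folder in /Users except Shared, so when the script runs on an upgrade it takes live home folders with it. As an added example (not part of the thread or the poster's script), here is a guarded version that skips any folder an existing account claims as its home, refuses to act without that list, and defaults to a dry run. The function names and the protected-list file are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded replacement for "find /Users ... -exec rm -rf {} \;".
# On macOS the protected list (one home path per line) can be built with:
#   dscl . -list /Users NFSHomeDirectory | awk '{print $2}' > /tmp/protected_homes
# (assumes home paths contain no spaces; function and file names are hypothetical)

# Print each top-level directory in USERS_DIR that no account claims as its home.
list_removable_homes() {
    users_dir=$1
    protected=$2
    # Fail closed: with no usable protected list, report nothing as removable.
    if [ ! -s "$protected" ]; then
        echo "protected list missing or empty, refusing to continue" >&2
        return 1
    fi
    for dir in "$users_dir"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue      # glob matched nothing
        [ -L "$dir" ] && continue      # leave symlinks alone
        case ${dir##*/} in Shared) continue ;; esac
        # Whole-line, fixed-string match against the protected home paths.
        grep -Fxq -- "$dir" "$protected" && continue
        printf '%s\n' "$dir"
    done
}

# Dry run by default; deletes only when the third argument is --delete.
cleanup_homes() {
    list_removable_homes "$1" "$2" | while IFS= read -r dir; do
        if [ "${3:-}" = "--delete" ]; then
            rm -rf -- "$dir" && echo "removed: $dir"
        else
            echo "would remove: $dir"
        fi
    done
}
```

Run `cleanup_homes /Users /tmp/protected_homes` first and review the "would remove" lines in the deployment log before adding `--delete`.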

bentoms
Release Candidate Programs Tester

Also, sorry.. but what has this to do with "osxcreateuserpkg"?

nessts
Valued Contributor II

I was also curious about all the defaults write com.apple... commands and why you would want to set all of that stuff for the root user.

jwojda
Valued Contributor II

@bentoms - just the delivery - full disclosure thing.