Posted on 01-31-2017 07:43 AM
We have the Internet Accounts system preference pane disabled, but our users are still able to add accounts to Internet Accounts. I think this is being done via Safari because IIRC, it will ask you if you want to add a supported account when you sign in to that account through the browser.
Does anyone know via the command line how to remove these accounts? Or do we just have to temporarily allow access to the Internet Accounts preference pane in order to remove these?
Posted on 01-31-2017 08:04 AM
Posting here just to be informed of responses. We run into the same issue here and I have not been able to find any command line way of removing those accounts. Granted, I haven't dug too deeply, so I may take another crack at trying to find some method for this.
What we do for now is temporarily unlock the Internet Accounts preference pane for the user and they go in and remove the account they created. Then we lock it again by re-applying the Configuration Profile. Of course, the same thing could happen again a month or so later, so we sometimes go around in circles on this.
I wish Apple would give us some way of truly preventing any of those accounts from being created in the first place. It's rather annoying that they have put this account creation process into so many locations in the OS that it's nearly impossible to fully block it.
Posted on 01-31-2017 08:19 AM
There are some database files in ~/Library/Accounts/
that can be deleted. On next login, the accounts will be gone.
Posted on 01-31-2017 09:02 AM
While I haven't dug very deep either, I did find a preventive measure that I just tested successfully via Configuration Profile at the computer-level that stops Safari from prompting users to add an account to Internet Accounts. I've confirmed from at least one other admin on Slack who's configured this at the user-level successfully as well. I used this gist as a template.
Safari plist (~/Library/Preferences/com.apple.Safari.plist) can reference an array tied to a DomainsToNeverSetUp key specifying the domains to not set up. Example below:
<key>DomainsToNeverSetUp</key>
<array>
    <string>apple.com</string>
    <string>google.com</string>
    <string>facebook.com</string>
</array>
Posted on 01-31-2017 10:08 AM
UPDATE: I've since updated the method for collecting the logged-in user per Apple's recommended method via bash
So I grabbed a free copy of the sqlitebrowser and determined that the Internet Account info is stored in the ~/Library/Accounts/Accounts3.sqlite database in a table called ZACCOUNT.
I successfully tested the script below with a logged-in user (although I imagine you could also configure to run for all user accounts, or just users you explicitly specify) to remove all entries from the ZACCOUNT table (while keeping the table intact), which removes the account entries in Internet Accounts and prevents any data that may have been loaded previously from being displayed in the respective apps. I personally only tested this with Calendar data.
#!/bin/bash
# Grabs logged-in user
USER=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}')
# Path to user's accounts database
DB="/Users/$USER/Library/Accounts/Accounts3.sqlite"
# Stop if nobody is logged in or the database file does not exist
if [ -z "$USER" ] || [ ! -f "$DB" ]; then
    /bin/echo "No accounts database found at ${DB}."
    exit 1
fi
# Remove all records from ZACCOUNT table
if /usr/bin/sqlite3 "$DB" 'DELETE FROM ZACCOUNT'; then
    /bin/echo "Successfully removed all Internet Accounts for ${USER} from sqlite db!"
else
    /bin/echo "Failed to remove all Internet Accounts for ${USER} from sqlite db."
fi
exit
I did notice that the notification icon for the Calendar app did not go away until I rebooted, so that may be something you configure with a policy.
Also, I verified that the permissions on the Accounts3 database are not changed to root, so you shouldn't have to run the sqlite3 command as the user.
Hope this helps people!
Posted on 01-31-2017 12:00 PM
Went one further, and created an extension attribute which reads all users' ~/Library/Accounts/Accounts3.sqlite file if it exists, reads the data, and prints to an array for reading by the JSS (so long as the array is not empty).
EA:
#!/bin/bash
RESULT=()
for USER in /Users/* ; do
    if [ -f "$USER/Library/Accounts/Accounts3.sqlite" ]; then
        # Username and description for each account, with blank rows dropped
        INTERNET_ACCOUNTS=$(sqlite3 "$USER/Library/Accounts/Accounts3.sqlite" 'SELECT ZUSERNAME, ZACCOUNTDESCRIPTION FROM ZACCOUNT' | tr '|' ' ' | awk NF | tr ' ' '|')
        if [ "$INTERNET_ACCOUNTS" != "" ]; then
            RESULT+=("===$(basename "$USER")===")
            RESULT+=("$INTERNET_ACCOUNTS")
        fi
    else
        /bin/echo "No SQLITE database exists for user $(basename "$USER")."
    fi
done
# Report accounts only when at least one was collected
if [ "${#RESULT[@]}" -eq 0 ]; then
    /bin/echo "<result>No Internet Accounts Detected</result>"
else
    /bin/echo "<result>$(printf '%s\n' "${RESULT[@]}")</result>"
fi
exit
Sample output:
Smart Group that checks the status:
Posted on 05-09-2017 02:49 PM
@aporlebeke So I tried out the script/EA you posted and I keep getting an error that states the table ZACCOUNT does not exist. I have accounts set up in Internet Accounts. Do different types of accounts set up different tables?
Posted on 05-09-2017 03:17 PM
@FlashMoney hmmm. You might try grabbing a copy of the sqlitebrowser I linked to in my answer and taking a look at your sqlite database.
IIRC all accounts get configured in the ZACCOUNT table. I haven't yet tested this with 10.12, only 10.11, so can't confirm whether something is different or not.
Posted on 05-09-2017 04:07 PM
@aporlebeke My bad, did not see that. Looks like in 10.12 they changed the file name to Accounts4.sqlite. Thank you!!!!!
Posted on 05-09-2017 05:00 PM
@FlashMoney no worries, thanks for pointing that out. Something I probably wouldn't have checked when we do move to 10.12 this summer. I've updated the script on my Github so it checks for 10.11 vs 10.12
Posted on 06-04-2019 09:34 AM
Hi @aporlebeke
Do you know if it is possible to add a user to internet accounts by reversing this method?
Thanks
Posted on 06-04-2019 09:42 AM
@Pollitt don't know and haven't tried. Sorry :/
Posted on 10-01-2019 12:05 PM
Hi @aporlebeke
Do you know if it is possible to remove only one account? Trying to remove only the corporate account since Outlook is our preferred method but allowing users to set their personal email in Apple Mail.
Thanks,
Gustavo
Posted on 10-01-2019 01:32 PM
@gustavo Yes. I'm not super familiar with SQL or sqlite, but with the logged-in user and your org's standard email / account naming convention you could remove only that one element from the table. May find this helpful: https://www.sqlitetutorial.net/sqlite-delete/
Posted on 10-03-2019 11:43 AM
For those interested, I took @aporlebeke's script and edited it to only delete the corporate account. You will need to replace "acme" with your own corporate name, no need to add ".com".
#!/bin/zsh
# This script has been developed to detect if corporate exchange account is set up in System Preferences Internet Accounts. If account exist it will be removed.
# Created by Gustavo Díaz-Angleró
# Original taken from https://github.com/apizz/Mac_Scripts/blob/master/OSX_Internet_Account_Removal/OSX_Internet_Account_Removal_ALL_USERS.sh
###################### Start of Script ####################
###################### Variables ####################
# Gets login user information
CONSOLE_USER=$(ls -l /dev/console | awk '{ print $3 }')
# Gets macOS information (major and minor version numbers)
macOS_MAJOR=$(sw_vers -productVersion | cut -d. -f1)
macOS_MINOR=$(sw_vers -productVersion | cut -d. -f2)
# Gets DB information. In 10.12 OS X, Apple changed Accounts number to 4.
# Only 10.11 and earlier use Accounts3; everything newer uses Accounts4.
if [ "$macOS_MAJOR" -eq 10 ] && [ "$macOS_MINOR" -le 11 ]; then
    DB="Library/Accounts/Accounts3.sqlite"
else
    DB="Library/Accounts/Accounts4.sqlite"
fi
# Defines Log location for script
LOG_LOCATION="/usr/local/corporate/logs/exchangeaccount.log"
###################### Function ####################
LogScript(){
    # The format contains a space, so it has to be quoted
    DATE=$(date "+%Y-%m-%d %H:%M:%S")
    LOG="$LOG_LOCATION"
    # The redirection is done by the calling shell, so sudo on echo had no effect on it
    echo "$DATE  $1" >> "$LOG"
}
###################### Script ####################
LogScript "Detecting if Corporate Exchange account is set up in System Preferences Internet Accounts"
if [ -f "/Users/$CONSOLE_USER/$DB" ]; then
    # Number of accounts whose username contains "@acme"
    INTERNET_ACCOUNTS=$(/usr/bin/sqlite3 "/Users/$CONSOLE_USER/$DB" 'SELECT ZUSERNAME FROM ZACCOUNT' | grep -c "@acme")
    if [ "$INTERNET_ACCOUNTS" -ge 1 ]; then
        LogScript "Exchange account exist --> deleting account."
        # Command to remove account: matches the same "@acme" substring in SQL, so
        # usernames read from the database are never pasted into the statement
        # and more than one matching row is handled
        /usr/bin/sqlite3 "/Users/$CONSOLE_USER/$DB" "DELETE FROM ZACCOUNT WHERE ZUSERNAME GLOB '*@acme*'"
    else
        LogScript "No Exchange account exists for user $CONSOLE_USER."
    fi
else
    LogScript "No SQL database exists for user $CONSOLE_USER."
fi
exit 0
Posted on 01-13-2020 03:47 PM
@gustavo do you know what the ZOWNINGBUNDLEID identifiers mean?
I have a few that are AKD but I'm not sure what that represents - could be web email related?
Posted on 06-26-2020 08:38 AM
Thank you @gustavo, that's exactly what I was looking for. It doesn't seem to work on 10.15.5 for me, has something changed? I tried @aporlebeke 's and that didn't work either. I've tried running both locally but to no avail.
To run yours locally, I had to change the log location as that was throwing up an error. Put it in /var/log/ is that a sensible place?
Posted on 08-14-2020 05:53 AM
I have a few that are AKD but I'm not sure what that represents - could be web email related?
@beeboo I also found that on my own computer. With a bit of investigation I figured it's related to AuthKit. In my case I have my work address used as an AppleID in Xcode - that created a record in the database with "akd" as the ZOWNINGBUNDLEID.
Interestingly enough, deleting all records of my work email from the database didn't remove it from Xcode Preferences and didn't seem to impair it in any way (I'm not super well versed in how Xcode uses a developer AppleID and features like signing, so take this with a grain of salt).
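Before a domain-scoped delete like the one posted above is run, a read-only report shows which ZACCOUNT rows it would touch and which of them are owned by akd. This is an added example, not part of any post in this thread: the table and column names are the ones mentioned here, while the sample rows, the bundle ID "com.example.prefs" and the choice to match the full "@domain" suffix are assumptions.

```shell
#!/bin/sh
# Added example. Table and column names are the ones named in this thread;
# the sample rows and the bundle ID "com.example.prefs" are constructed.

# Allow only letters, digits, dots and hyphens, so the value can be placed
# inside a quoted SQL literal without changing the statement.
valid_domain() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Print the accounts database under a home directory, preferring
# Accounts4.sqlite (10.12 and later) over Accounts3.sqlite.
find_accounts_db() {
    for f in Accounts4.sqlite Accounts3.sqlite; do
        if [ -f "$1/Library/Accounts/$f" ]; then
            echo "$1/Library/Accounts/$f"
            return 0
        fi
    done
    return 1
}

# Read-only report of rows whose ZUSERNAME ends in "@<domain>".
# Output: kind|username|owning bundle ID, where kind is "authkit" for rows
# owned by akd and "account" for everything else.
report_matches() {
    valid_domain "$2" || { echo "invalid domain: $2" >&2; return 2; }
    sqlite3 -readonly "$1" "
        SELECT CASE WHEN ZOWNINGBUNDLEID = 'akd' THEN 'authkit' ELSE 'account' END AS kind,
               ZUSERNAME, IFNULL(ZOWNINGBUNDLEID, '')
        FROM ZACCOUNT
        WHERE ZUSERNAME LIKE '%@$2'
        ORDER BY kind, ZUSERNAME;"
}

# Constructed sample database for trying the report away from a real profile.
build_sample_db() {
    sqlite3 "$1" "
        CREATE TABLE ZACCOUNT (ZUSERNAME TEXT, ZACCOUNTDESCRIPTION TEXT, ZOWNINGBUNDLEID TEXT);
        INSERT INTO ZACCOUNT VALUES
            ('jdoe@acme.com', 'Exchange', 'com.example.prefs'),
            ('jdoe@acme.com', NULL, 'akd'),
            ('jdoe@acme-partners.example', 'Vendor mail', 'com.example.prefs'),
            ('jdoe@personal.example', 'Personal', 'com.example.prefs');"
}
```

On a managed Mac this would be called as report_matches "$(find_accounts_db "/Users/<user>")" "<corporate domain>". It depends on the database file being readable, which a later reply in this thread reports is no longer the case on Sonoma.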
Posted on 05-05-2022 07:44 AM
Hi,
Just checking if anyone has used this recently in Monterey? I have tried it and the code does not appear to work anymore.
Posted on 09-15-2023 09:58 AM
Hello,
replace this part:
DB="/Users/$USER/Library/Accounts/Accounts4.sqlite"
then it should work
Posted on 01-09-2024 01:36 PM
This no longer appears to work in Sonoma - Accounts4.sqlite can be read but not opened or modified. I get this error opening my own user's file:
Error: unable to open database
File permissions look correct. Sudo doesn't help. We are getting tickets for users on Sonoma who get prompted to provide a password for a cached email address, but we lock down the Internet Accounts setting pane AND the Mail and Messages apps. I have to remove all of the restrictions so the user can delete the offending Internet Account manually.
Thoughts?
Posted on 01-11-2024 07:51 AM
No luck here, we had to do the same thing which is not an ideal solution. We've ended up adding a static group to the Exclusion scope for configs so we can quickly add and remove a user without messing with other scoped to a config and it works.