Just-in-time macOS user deletion

Or, how I eliminated universally deployed admin accounts from my fleet and learned to love Jamf Connect.

January 20 2022 by

Sean Rabbitt

One of the great features of Jamf Connect is the ability to make a user account on demand simply by logging into the Mac. Jamf Connect will read an attribute from our identity provider (IdP) to determine if a user should be an Administrator or get standard rights.

For our security-conscious Mac Admins out there in the world (which should be all of you, I hope), this means that we can completely eliminate the “one ring to rule them all” type of admin accounts deployed to the fleet, usually stuck with some “secret” password that everyone in the company ends up knowing eventually. (I’m looking at you, Jamf1234.)

Now, this is great, but then we run into trouble - we have a user account on a machine that we just needed for five minutes to fix a one-off type of problem, and in two years when we go back to that machine to fix another random one-off problem, now we have a user account where the admin has zero ideas as to what the local user password could be, which represents a splintering of this larger problem for IT.

Until now, that is.

What the workflow does:

An administrator makes a just-in-time account with the Jamf Connect login mechanism. Could be a one-off fix, could be resetting a forgotten local password. Whatever it is, admin is done, now it’s time to clean up after ourselves as a good admin should.

  • The administrator opens Jamf Self Service and runs a Policy - this runs a script that looks for any account created by Jamf Connect in the last 60 minutes (which can be customized) and drops a touch file into a hidden directory, like /Library/Application Support/JAMF/Receipts.
  • Note: The target directory can be changed to another location, such as /private/tmp — or any other you wish to use so long as it contains the list of local short names that need to be deleted. For the purposes of this blog, we’ll refer to this as the “Deadpool” list. The script then runs a jamf recon command to update the computer inventory record.
  • An Extension Attribute (EA) is leveraged that looks for the existence of the file created above on scoped devices.
  • A Smart Computer Group is created which utilizes the results of the EA above to dynamically gather all the computers with this Deadpool file stored.
  • The Policy is set to run with an Execution Frequency of “Ongoing”, a trigger of “Reoccuring Check-in”, and scoped to the Smart Computer Group above.
  • The script executed by the policy above looks for the Deadpool list, runs a jamf deleteAccount command for every user in the list, moves the Deadpool list out to a separate file to make sure the script ran, and finally runs another jamf recon command to clear the extension attribute, removing the computer from the scope of the policy in one fell swoop.

Known gotchas - only standard users on the client:

When Apple introduced macOS Big Sur, they changed how FileVault SecureTokens can be distributed to users. Big Sur was the first OS that permitted a standard user account created as the first user and that user would receive a SecureToken to decrypt the machine without the additional burden of binding the Mac to a directory service, like Open Directory or Active Directory.

Again, being a security-conscious IT professional, you probably want to follow the CIS guidelines and limit access to administrator rights only when they’re explicitly needed. Chances are pretty good the first user account created is a standard account if you used Jamf Connect or an Automated Device Enrollment Prestage Configuration Profile. Following this process, the safest admin account on a device is the one that doesn’t exist until you need it, savvy?

As of macOS Monterey 12.1, macOS blocks you from deleting an administrator account with a SecureToken if it’s the only admin account with a SecureToken on that device. Wait, what?!

That’s right! Even though the MDM can hand out SecureTokens to newly created user accounts thanks to the wonders of the bootstrap token, macOS is going back to its pre-Catalina days of “protecting you from yourself” and preventing the admin account from deletion.

We’ve got a Hulk

aka “The Workaround”, reveals that just about any tool that elevates a standard user to an admin user, even just for a short period of time, will resolve this problem. And this lovely feature is built into our deletion script (found below).

The deletion script checks to see if deleting the list of users would remove all the administrator accounts from our client. If yes:

  • It then finds a standard user with a SecureToken
  • Temporarily elevates the user to an administrator
  • Deletes the unwanted admin accounts on Mac
  • Finally, it demotes the standard user back to its previous permissions

WARNING: There is a risk in this behavior, however, as you do need to give standard user admin rights that may be unwanted for a brief time. If you want to disable this behavior, simply change the variable named checkForOnlyOneAdmin from a “1” to a “0”.

Bonus Feature: Rotate your FileVault Recovery Keys

Since you’re taking the time to make a Smart Computer Group that looks to see if this Deadpool of users file exists, chances are the user account created was made to reset a forgotten password for one of your users. This required IT to have procured the FileVault Personal Recovery Key to get into the computer before the change could be made.

This means someone now knows the key — maybe it was you, but then again, maybe not.

But that’s ok because there’s a fix for that too!

Simply create a second Jamf Pro policy with the payload “Disk Encryption” to “Issue New Recovery Key” to the machine. Set the trigger to Re-occurring check-in and scope to all machines in the Smart Computer Group you made to detect the Deadpool file. BOOM! Two problems are solved at once: we get rid of the unnecessary admin account(s) and we rotate the recovery key to secure it once again. The new key gets automagically escrowed in Jamf Pro thanks to a configuration profile made that redirects keys back to the device record.

The Scripts

The latest version of these scripts are located at: https://github.com/sean-rabbitt/JIT-user-deletion-with-jamf-connect

Look for users created in the last 60 minutes

  1. Upload the script below to Jamf Pro.
  2. Create a Policy with Execution Frequency set to “Ongoing”, no Trigger and scoped to all computers.
  3. Add the Script payload to run the uploaded script.
  4. Go to the Self Service tab and allow the policy to be run from Self Service with an appropriate description and warnings.

Pro Tip: For added security, it is strongly recommended that this be gated behind a Self Service login requirement. Additionally, consider scoping access to only members of the IT team. After all, you may not wish to have unauthorized users calling this script without cause.

Create an extension attribute to check for the Deadpool list

  1. Navigate to Jamf Pro settings → Computer Management → Extension Attributes (EA).
  2. Create a new EA based on the result of a script and upload the following script:

Create a Smart Computer Group

Create a Smart Computer Group to list all computers where the extension attribute returned above is TRUE.

Create a policy to delete the Deadpool users

  1. Upload the following script to Jamf Pro.
  2. Create a new policy with “Ongoing” execution frequency, Trigger set to reoccurring check-in and scope set to only computers in the Smart Computer Group you defined above. The payload will be the script to run to clean up users.

Stop working harder…work smarter! With Jamf Pro, you have a powerful ally that helps IT to deploy, manage and secure Mac device fleet with ease.

Contact Jamf today, or your preferred reseller to start making short work of your admin tasks.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.