Jamf Blog

January 20, 2022 by Sean Rabbitt

Just-in-time macOS user deletion

Jamf Pro, Security

Or, how I eliminated universally deployed admin accounts from my fleet and learned to love Jamf Connect.

One of the great features of Jamf Connect is the ability to make a user account on demand simply by logging into the Mac. Jamf Connect will read an attribute from our identity provider (IdP) to determine if a user should be an Administrator or get standard rights.

For our security-conscious Mac Admins out there in the world (which should be all of you, I hope), this means that we can completely eliminate the “one ring to rule them all” type of admin accounts deployed to the fleet, usually stuck with some “secret” password that everyone in the company ends up knowing eventually. (I’m looking at you, Jamf1234.)

Now, this is great, but then we run into trouble - we have a user account on a machine that we just needed for five minutes to fix a one-off type of problem, and in two years when we go back to that machine to fix another random one-off problem, now we have a user account where the admin has zero ideas as to what the local user password could be, which represents a splintering of this larger problem for IT.

Until now, that is.

What the workflow does:

An administrator makes a just-in-time account with the Jamf Connect login mechanism. Could be a one-off fix, could be resetting a forgotten local password. Whatever it is, admin is done, now it’s time to clean up after ourselves as a good admin should.

The administrator opens Jamf Self Service and runs a Policy - this runs a script that looks for any account created by Jamf Connect in the last 60 minutes (which can be customized) and drops a touch file into a hidden directory, like /Library/Application Support/JAMF/Receipts.
Note: The target directory can be changed to another location, such as /private/tmp — or any other you wish to use so long as it contains the list of local short names that need to be deleted. For the purposes of this blog, we’ll refer to this as the “Deadpool” list. The script then runs a jamf recon command to update the computer inventory record.
An Extension Attribute (EA) is leveraged that looks for the existence of the file created above on scoped devices.
A Smart Computer Group is created which utilizes the results of the EA above to dynamically gather all the computers with this Deadpool file stored.
The Policy is set to run with an Execution Frequency of “Ongoing”, a trigger of “Reoccuring Check-in”, and scoped to the Smart Computer Group above.
The script executed by the policy above looks for the Deadpool list, runs a jamf deleteAccount command for every user in the list, moves the Deadpool list out to a separate file to make sure the script ran, and finally runs another jamf recon command to clear the extension attribute, removing the computer from the scope of the policy in one fell swoop.

Known gotchas - only standard users on the client:

When Apple introduced macOS Big Sur, they changed how FileVault SecureTokens can be distributed to users. Big Sur was the first OS that permitted a standard user account created as the first user and that user would receive a SecureToken to decrypt the machine without the additional burden of binding the Mac to a directory service, like Open Directory or Active Directory.

Again, being a security-conscious IT professional, you probably want to follow the CIS guidelines and limit access to administrator rights only when they’re explicitly needed. Chances are pretty good the first user account created is a standard account if you used Jamf Connect or an Automated Device Enrollment Prestage Configuration Profile. Following this process, the safest admin account on a device is the one that doesn’t exist until you need it, savvy?

As of macOS Monterey 12.1, macOS blocks you from deleting an administrator account with a SecureToken if it’s the only admin account with a SecureToken on that device. Wait, what?!

That’s right! Even though the MDM can hand out SecureTokens to newly created user accounts thanks to the wonders of the bootstrap token, macOS is going back to its pre-Catalina days of “protecting you from yourself” and preventing the admin account from deletion.

We’ve got a Hulk

aka “The Workaround”, reveals that just about any tool that elevates a standard user to an admin user, even just for a short period of time, will resolve this problem. And this lovely feature is built into our deletion script (found below).

The deletion script checks to see if deleting the list of users would remove all the administrator accounts from our client. If yes:

It then finds a standard user with a SecureToken
Temporarily elevates the user to an administrator
Deletes the unwanted admin accounts on Mac
Finally, it demotes the standard user back to its previous permissions

WARNING: There is a risk in this behavior, however, as you do need to give standard user admin rights that may be unwanted for a brief time. If you want to disable this behavior, simply change the variable named checkForOnlyOneAdmin from a “1” to a “0”.

Bonus Feature: Rotate your FileVault Recovery Keys

Since you’re taking the time to make a Smart Computer Group that looks to see if this Deadpool of users file exists, chances are the user account created was made to reset a forgotten password for one of your users. This required IT to have procured the FileVault Personal Recovery Key to get into the computer before the change could be made.

This means someone now knows the key — maybe it was you, but then again, maybe not.

But that’s ok because there’s a fix for that too!

Simply create a second Jamf Pro policy with the payload “Disk Encryption” to “Issue New Recovery Key” to the machine. Set the trigger to Re-occurring check-in and scope to all machines in the Smart Computer Group you made to detect the Deadpool file. BOOM! Two problems are solved at once: we get rid of the unnecessary admin account(s) and we rotate the recovery key to secure it once again. The new key gets automagically escrowed in Jamf Pro thanks to a configuration profile made that redirects keys back to the device record.

The Scripts

The latest version of these scripts are located at: https://github.com/sean-rabbitt/JIT-user-deletion-with-jamf-connect

Look for users created in the last 60 minutes

Upload the script below to Jamf Pro.
Create a Policy with Execution Frequency set to “Ongoing”, no Trigger and scoped to all computers.
Add the Script payload to run the uploaded script.
Go to the Self Service tab and allow the policy to be run from Self Service with an appropriate description and warnings.

Pro Tip: For added security, it is strongly recommended that this be gated behind a Self Service login requirement. Additionally, consider scoping access to only members of the IT team. After all, you may not wish to have unauthorized users calling this script without cause.

#!/bin/bash # PART ONE: Find a list of Jamf Connect users who were created in the last X # minutes # # WHY: Jamf Connect allows for just-in-time account creation on a macOS client. # So this means that an admin may want to just pop in and do some magic, log out # and go away. But there's no easy way to clean up after yourself, and like any # good Girl Scout, we should always leave our campsite better than when we found # it. # # HOW: Upload this script into Jamf Pro. Create a policy to run the script with # and ongoing excution frequency and set to run via Self Service. It may make # sense to restrict the app to specific users and require that IT folks sign in # to self service to prevent some users from running the script. # # WHAT: We'll search all the accounts that have passwords, see if it was created # with Jamf Connect, determine if the account was created within the last X # minutes (you can adjust the number below). If yes, will be added to a space # delimited list of user account short names to be written to # /private/tmp/.userCleanup (which you can also adjust below). # # Combine this with an extension attribute to read that file, a Smart Computer # Group to drop machines into a target group to run a policy at reoccuring # check-in, and a policy that reads that file and runs a jamf deleteAccount # command to kill that account. # # Special thanks to Allen Golbig and Steve Wood # # — SRABBITT 05JAN2022 #look for users created in the last X minutes userAge=60 # Touch file with list of users to be deleted DELETE_USER_TOUCH_FILE="/Library/Application Support/JAMF/Receipts/.userCleanup" # Location of the Jamf binary JAMF_BINARY="/usr/local/bin/jamf" # Declare list of users variable listOfUsers="" # Warn users of what is going to happen responseCode=$(/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper\ -heading "WARNING - THIS APPLICATION CAN DELETE USER DATA" \ -cancelButton 1\ -button2 "Continue"\ -button1 "ABORT"\ -windowType utility\ -description "This application will search for user accounts created in the last $userAge minutes. It will mark those accounts for deletion which will happen within the next check-in period to Jamf Pro. If you do NOT want to continue, press ABORT."\ -title "Jamf Connect Cleanup Script"\ -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ToolbarDeleteIcon.icns") # If a user hits the abort button, get ouf the script and declare an exit code # of 999. Policy will show as a failure in Jamf Pro logs. if [[ $responseCode = 0 ]]; then exit 999; fi # Convert userAge to seconds userAge=$((userAge * 60)) # For all users who have a password on this machine (eliminates service accounts # but includes the _mbsetupuser and Jamf management accounts...) for user in $(/usr/bin/dscl . list /Users Password | /usr/bin/awk '$2 != "*" {print $1}'); do # If a user has the attribute "OIDCProvider" in their user record, they are # a Jamf Connect user. MIGRATESTATUS=($(/usr/bin/dscl . -read /Users/$user | grep "OIDCProvider: " | /usr/bin/awk {'print $2'})) # If we didn't get a result, the variable is empty. Thus that user is not # a Jamf Connect Login user. if [[ -z $MIGRATESTATUS ]]; then # user is not a jamf connect user echo "$user is Not a Jamf Connect User" else create_time=$(/usr/bin/dscl . -readpl /Users/$user accountPolicyData creationTime | /usr/bin/awk '{ print $NF }') # Strip the annoying float and make it an int create_time=$( printf "%.0f" $create_time ) # Get the current time in Epoch format start_time=$(date +%s) # Remove the userAge number of seconds that we're looking for.... start_time=$(( start_time - userAge )) # If the user account was created AFTER the current time minus X # minutes, add the user UNIX short name to a list of users. if (( $start_time < $create_time)); then listOfUsers+=$(echo "$user ") fi fi done # If we didn't find anything, either our admin took a lot longer than 60 minutes # to fix the problem or something else went wrong. if [[ -z $listOfUsers ]]; then /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper\ -heading "ERROR - No users found"\ -button1 "Continue" \ -windowType utility \ -description "No local user accounts were created with Jamf Connect Login in the last $userAge seconds. User account may need to be deleted manually." \ -title "Jamf Connect Cleanup Script" \ -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ProblemReport.icns" else # Otherwise, we found someone - time to tell the user that it's # curtains... lacy, wafting curtains for that user. ### ### YOU CAN EDIT THIS WARNING MESSAGE TO LOCALIZE FOR YOUR IT TEAM HERE ### warningMessage="The following accounts will be deleted within 15 minutes of this policy running: $listOfUsers Press ABORT to stop." # Give users one last chance to avoid the end times for that user... responseCode=$(/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \ -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" \ -button2 "Continue" \ -description "$warningMessage" \ -heading "User Account Deletion" \ -windowType utility \ -cancelButton 1 \ -button1 "ABORT" \ -title "WARNING - POTENTIAL FOR DATA LOSS") # If a user hits the abort button, get ouf the script and declare an exit # code of 666 Policy will show as a failure in Jamf Pro logs. if [[ $responseCode = 0 ]]; then exit 666; fi /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \ -heading "How to abort" \ -button1 "Continue" \ -windowType utility \ -description "If you change your mind, delete the file located at $DELETE_USER_TOUCH_FILE immediately." \ -title "Jamf Connect Cleanup Script" \ -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" fi # Write the list of doomed users to the doomed user file. echo "$listOfUsers" > "$DELETE_USER_TOUCH_FILE" # Run a recon so we update the extension attribute # and alert Jamf Pro that this list exists $JAMF_BINARY recon

Create an extension attribute to check for the Deadpool list

Navigate to Jamf Pro settings → Computer Management → Extension Attributes (EA).
Create a new EA based on the result of a script and upload the following script:

#!/bin/bash # PART TWO: Extension Attribute - Does the deadpool file exist # # WHY: Jamf Connect allows for just-in-time account creation on a macOS client. # So this means that an admin may want to just pop in and do some magic, log out # and go away. But there's no easy way to clean up after yourself, and like any # good Girl Scout, we should always leave our campsite better than when we found # it. # HOW: 1) Create an extension attribute with this script to look for the # presence of file located at $DELETE_USER_TOUCH_FILE (defined below) # 3) Create a Smart Computer Group based on the extension attribute above # and that the file exists # 4) Create a policy that runs at reoccuring checkin, scoped to computers # that belong to the Smart Computer Group above. Tell the policy to # the delete a list of users script.. # WHAT: EA will return "TRUE" if the deadpool file user list exists. # — SRABBITT 21DEC2021 # Location of user deadpool list DELETE_USER_TOUCH_FILE="/Library/Application\ Support/JAMF/Receipts/.userCleanup" if [ -f "$DELETE_USER_TOUCH_FILE" ]; then echo "<result>TRUE</result>" else echo "<result>FALSE</result>" fi

Create a Smart Computer Group

Create a Smart Computer Group to list all computers where the extension attribute returned above is TRUE.

Create a policy to delete the Deadpool users

Upload the following script to Jamf Pro.
Create a new policy with “Ongoing” execution frequency, Trigger set to reoccurring check-in and scope set to only computers in the Smart Computer Group you defined above. The payload will be the script to run to clean up users.

#!/bin/bash # PART THREE: Delete a list of users # # WHY: Jamf Connect allows for just-in-time account creation on a macOS client. # So this means that an admin may want to just pop in and do some magic, log out # and go away. But there's no easy way to clean up after yourself, and like any # good Girl Scout, we should always leave our campsite better than when we found # it. # HOW: 1) Upload this script into Jamf Pro. # 2) Create an extension attribute to look for the presence of a file # located at $DELETE_USER_TOUCH_FILE (defined below) # 3) Create a Smart Computer Group based on the extension attribute above # and that the file exists # 4) Create a policy that runs at reoccuring checkin, scoped to computers # that belong to the Smart Computer Group above. Tell the policy to # run this script. ### NOTE: THE JAMF BINARY COMMAND TO DELETE USERS IS COMMENTED OUT BELOW. YOU MUST UNCOMMENT THIS. POTENTIAL FOR DATA LOSS!!! ### # WHAT: Script will read the list of users at $DELETE_USER_TOUCH_FILE and run # the jamf binary command to delete that user and all its home directory # data. It also does a jamf recon at the end to update the extension # attribute. No additional inventory update needed. ##### IMPORTANT FEATURE / BUG WORKAROUND ##### # # macOS Big Sur and Monterey do not care if there is a bootstrap token or not, # if there is only one administrator account, you can't delete it. # # To get around this, we can check for a scenario where there is only one # admin account with a SecureToken, grant admin rights to a standard user for # a few cycles/seconds, delete the admin account we want to be gone, and then # revoke admin rights from that standard account. # # THE RISK IS THAT A STANDARD ACCOUNT WILL HAVE ADMIN RIGHTS FOR A FEW SECONDS # # If you don't want this check and privilege escallation to take place, # modify the variable below - checkForOnlyOneAdmin - to 0 from 1. # — SRABBITT 05JAN2022 # - Thanks to Steve Wood for suggestions on this script. # SEE NOTES ABOVE - If you want to check for only one admin, set to "1" # If you don't care if there's only a single admin and this script may # fail OR if your environment simply uses all Mac admin accounts anyway, set to "0" checkForOnlyOneAdmin=1 # Location of user deadpool list DELETE_USER_TOUCH_FILE="/Library/Application Support/JAMF/Receipts/.userCleanup" # Credit: Steve Wood # Location of the user deadpool list after running script (confirmation file # for auditing) CONFIRM_USER_TOUCH_FILE="/private/tmp/.userDeleted" # Location of the Jamf binary JAMF_BINARY=$( which jamf ) # Convert the space separated list of users into an array for looping through listOfUsers=$(cat "$DELETE_USER_TOUCH_FILE") arrayOfUsers=($listOfUsers) # If we're sanity checking for the "one admin" scenarion, look for if there # is only one admin with a SecureToken. If true, find any standard account # with a SecureToken and mark them for elevation. if [[ "$checkForOnlyOneAdmin" -eq 1 ]]; then adminUserCount=0 # For all users who have a password on this machine (eliminates service accounts # but includes the _mbsetupuser and Jamf management accounts...) for user in $(/usr/bin/dscl . list /Users Password | /usr/bin/awk '$2 != "*" {print $1}'); do # Is the user an admin isUserAdmin=$(/usr/sbin/dseditgroup -m "$user" -o checkmember admin | /usr/bin/awk {'print $1'}) if [ "$isUserAdmin" = "yes" ]; then # Check for SecureToken status secureTokenStatus=$(/usr/bin/dscl . -read /Users/"$user" AuthenticationAuthority | /usr/bin/grep -o "SecureToken") # If the account has a SecureToken, increase the SecureToken counter if [ "$secureTokenStatus" = "SecureToken" ]; then ((adminUserCount++)) fi fi done # If our admin count is less than or equal to 1 (which daymn, if we're less # than one admin account on the box, we've got serious issues and shouldn't # even be here today...) OR if the number of users with a SecureToken is # equal to the size of the array of users to be deleted... echo "Admin User Count is: $adminUserCount. Array size is: '${#arrayOfUsers[@]}'" if [[ "$adminUserCount" -le "1" || "$adminUserCount" -eq "${#arrayOfUsers[@]}" ]] ; then # Welp, we're here now, now it's time to find a standard user with # a SecureToken so we can elevate them for a second. # For all users who have a password on this machine (eliminates service accounts # but includes the _mbsetupuser and Jamf management accounts...) for user in $(/usr/bin/dscl . list /Users Password | /usr/bin/awk '$2 != "*" {print $1}'); do # Is the user an admin isUserAdmin=$(/usr/sbin/dseditgroup -m "$user" -o checkmember admin | /usr/bin/awk {'print $1'}) if [ "$isUserAdmin" = "no" ]; then # Check for SecureToken status secureTokenStatus=$(/usr/bin/dscl . -read /Users/"$user" AuthenticationAuthority | /usr/bin/grep -o "SecureToken") # If the account has a SecureToken, increase the SecureToken counter if [ "$secureTokenStatus" = "SecureToken" ]; then # we found an eligible canidate elevateThisUser="$user" echo "We found an eligible user: $elevateThisUser" # No reason to look for more users... get me out of this loop! break; fi fi done if [[ -z $elevateThisUser ]]; then # Error checking for no eligible users: echo "Something went horribly wrong and there are no eligible standard users with a SecureToken found.\ This means we'd be deleting all the users on this machine and leave it in an unstable state. \ Now, theoretically this should be okay because Jamf Connect can always make new users but \ nobody could decrypt the FileVault drive without the PRK and Apple donna like that. Aborting." exit 999; fi else echo "Something went horribly wrong and there are no admin users with a SecureToken found. We should never, ever get to this point. Aborting." exit 666; fi # Elevate our eligible account. echo "Elevating $elevateThisUser" /usr/sbin/dseditgroup -o edit -a "$elevateThisUser" -t user admin fi # For every user in the list, delete the user account with the Jamf binary for user in ${arrayOfUsers[@]}; do echo "Deleting $user" ############################################################################ ############################################################################ ### HERE'S WHERE YOU UNCOMMENT STUFF FOR DATA LOSS TO PURPOSELY HAPPEN!! ### ############################################################################ ############################################################################ # It's not that I don't trust you. I don't trust anyone. echo "$JAMF_BINARY deleteAccount -username $user -deleteHomeDirectory" #$JAMF_BINARY deleteAccount -username "$user" -deleteHomeDirectory done # Demote our user back to standard user if needed if [[ -z "$elevateThisUser" ]]; then echo "We didn't have to elevate a user in this case." else echo "Demoting $elevateThisUser to standard account" /usr/sbin/dseditgroup -o edit -d "$elevateThisUser" -t user admin fi # Move the delete file for auditing purposes /bin/mv "$DELETE_USER_TOUCH_FILE" "$CONFIRM_USER_TOUCH_FILE" # Run a recon to clear out the extension attribute / smart computer group for # running this process. $JAMF_BINARY recon

Stop working harder…work smarter! With Jamf Pro, you have a powerful ally that helps IT to deploy, manage and secure Mac device fleet with ease.

Contact Jamf today, or your preferred reseller to start making short work of your admin tasks.

Request Trial

Sean Rabbitt

Previous Blog Post:
Prev
Configurator for iPhone: Point at Mac, move to Jamf, there is no step 3! Blog Homepage
Next Blog Post:
Next
Jamf Connect how-to: Managing license files

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

Email Address (Work)

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.