Self Service Mobile Account Migration Script

spraguga
Contributor

Hi All,

Does anyone already have a script for a user to initiate their own local to mobile account migration via Self Service? The machine will already be bound to AD.

The scenario will be:
1. User runs Local to Mobile Account Migration script via Self Service.
2. Rename computer to serial number
3. Log out the current user
4. Delete the current user's account keeping their local home directory.
5. User then logs in with their AD credentials picking up the local home directory. (all local usernames match AD usernames.)

Thanks! ;)

1 ACCEPTED SOLUTION

spraguga
Contributor

This is what I ended up doing if anyone is interested! Hopefully it can help someone else out. You'd have to write in any exceptions you want to account for with your environment.

  1. Self Service Policy Script w/restart immediately
#!/bin/bash

# Get the user currently logged in at the console
CURUSERNAME=$(/usr/bin/stat -f %Su /dev/console)

# Record the home directory to migrate in a marker file that the startup script looks for
echo "/Users/$CURUSERNAME" > /.what_ever_you_want_to_name_this_file

# Warn at the login window so the user waits for the second restart
echo "PLEASE DO NOT HIT THE ACCEPT BUTTON BELOW OR LOGIN!!! Your account is migrating. Your machine will restart again in a few minutes." > /Library/Security/PolicyBanner.txt

exit 0
  2. Startup Trigger Script:
#!/bin/bash

MARKER="/.what_ever_you_want_to_name_this_file"

# Check to see if the migration marker file exists;
# if so, run the policy that migrates the user's local account to mobile
if [ -f "$MARKER" ]
then
    /usr/sbin/jamf policy -event MigrateLocalAccountToMobile

    # Get the home directory path recorded by the Self Service script
    CURUSERPATH=$(/bin/cat "$MARKER")

    # Get the short username from the path
    CURUSERNAME=${CURUSERPATH##*/}

    # Determine the UID of the account
    UIDNUMBER=$(/usr/bin/id -u "$CURUSERNAME")

    # Only continue if this is a local account (UID below 1000)
    if [ -n "$UIDNUMBER" ] && [ "$UIDNUMBER" -lt 1000 ]
    then
        # move the home directory aside before the account is deleted
        /bin/mv "$CURUSERPATH" "/Users/OLD_$CURUSERNAME"

        # delete local account
        /usr/bin/dscl . -delete "/Users/$CURUSERNAME"

        # move the home directory back
        /bin/mv "/Users/OLD_$CURUSERNAME" "$CURUSERPATH"

        # show only username & password text fields at login
        /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true

        # sleep till move completes to adjust perms
        /bin/sleep 2

        # fix ownership (the short name now resolves to the AD account)
        /usr/sbin/chown -Rf "$CURUSERNAME" "$CURUSERPATH"

        # fix perms
        /bin/chmod -Rf 600 "$CURUSERPATH"
        /bin/chmod -Rf u+rwX "$CURUSERPATH"
        /bin/chmod og+rX "$CURUSERPATH"
        /bin/chmod -Rf og+rX "$CURUSERPATH/Public"
        /bin/chmod og=wX "$CURUSERPATH/Public/Drop Box"
        /bin/chmod +a "user:$CURUSERNAME allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "$CURUSERPATH/Public/Drop Box"

        # Delete keychain files so the AD login creates a fresh login keychain
        # Get Mac UUID
        macUUID=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep 'Hardware UUID' | /usr/bin/awk '{print $3}')

        # delete UUID keychain folder
        if [ -n "$macUUID" ]; then
            /bin/rm -rf "$CURUSERPATH/Library/Keychains/$macUUID"
        fi

        # delete login.keychain
        /usr/bin/security delete-keychain "$CURUSERPATH/Library/Keychains/login.keychain"

        # remove marker and banner files
        /bin/rm "$MARKER"
        /bin/rm /Library/Security/PolicyBanner.txt

        # sleep to make sure files fully delete
        /bin/sleep 2

        # restart
        /sbin/shutdown -r now

    else
        exit 0
    fi
else
    exit 0
fi

Note: These migration scripts do not account for local vs AD username differences; ours already match.
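An added pre-flight check, not part of the thread's scripts: before the startup script deletes the local record, confirm the same short name also resolves in the AD node, so that an unbound machine or a name mismatch cannot orphan the home directory. The functions work on dscl-style "UniqueID:" output passed in as strings (so they can be tested without a directory service); DOMAIN is a placeholder for your AD domain.

```shell
#!/bin/bash
# Added example: pre-flight checks before deleting a local account record.

# Parse the number out of `dscl ... -read /Users/<name> UniqueID` output
# (a line such as "UniqueID: 501"). Prints the UID; returns 1 if absent.
parse_unique_id() {
    local value
    value=$(printf '%s\n' "$1" | awk -F': ' '/^UniqueID:/ {print $2; exit}')
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Accounts created locally on macOS get UIDs from 501 upward; the thread's
# script treats anything below 1000 as local. Returns 0 when uid is in 501..999.
is_local_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 501 ] && [ "$1" -lt 1000 ]
}

# Returns 0 only when the local node holds a local-range UID for the user AND
# the AD node resolves the same short name. Arguments are the two dscl outputs.
migration_allowed() {
    local local_out="$1" ad_out="$2" local_uid ad_uid
    local_uid=$(parse_unique_id "$local_out") || return 1
    is_local_uid "$local_uid" || return 1
    ad_uid=$(parse_unique_id "$ad_out") || return 1
    [ -n "$ad_uid" ]
}

# How it would be wired into the startup script on a bound Mac (not run here):
#   local_out=$(dscl . -read "/Users/$CURUSERNAME" UniqueID 2>/dev/null)
#   ad_out=$(dscl "/Active Directory/DOMAIN/All Domains" -read "/Users/$CURUSERNAME" UniqueID 2>/dev/null)
#   migration_allowed "$local_out" "$ad_out" || { echo "refusing to delete $CURUSERNAME"; exit 1; }
```

If the check fails, leave the marker file in place and stop, so the next startup retries once the binding or the username is fixed rather than deleting the record.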


2 REPLIES

rtrouton
Release Candidate Programs Tester

I've got a script that handles step 3 in the list. If you're interested, it's available here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_local_user_to_AD_d...
