Mac computer lab headaches! A script to handle keychain errors, docks, and users logged in in the background

I’m primarily a university-level ESL instructor. However, one of my responsibilities is to manage our English Language Institute’s computer lab, which has 20 iMacs. Here are some of the issues I’ve struggled with:

  • Keychain errors. My university uses Active Directory for usernames and passwords, and Macs don’t play nicely with Active Directory. Every time that students and faculty are forced to change their passwords through the university’s web interface, it breaks their keychains on all campus Macs, since the login password is no longer the same as the keychain password. Dealing with keychain errors is annoying enough under one-device-per-person circumstances, but when people use multiple computers over the course of multiple semesters and change their password multiple times, the problems snowball out of control.
  • Messing up the dock. It’s pretty straightforward to set up a default dock for new users. However, most of our students lack familiarity or comfort with Macs, so if a student accidentally drags an important icon (like, say, Microsoft Word) out of the dock, they may have difficulty finding the application again. Under these circumstances, it’s desirable to “reset” the dock to a known good state every time a user logs out so that any mistakes they made will be wiped away.
  • Users not logging out. This is a big one. If a user fails to log out properly and ends up with their whole session still stored in memory in the background, system performance plummets for anyone else who logs into that computer. This is a huge problem in a lab setting because it’s difficult to train users to always properly log out, and each computer is logged into so many times every day that it only takes a couple days for most computers to have at least one user still accidentally logged in in the background.

One solution to these kinds of issues is to have a very tightly controlled computer lab where no user data is stored and where the computers constantly restart and reset themselves to known good states. But I’m not comfortable doing that; I want students to be able to log back into a computer to retrieve a file if they accidentally saved it to the lab computer instead of their personal flash drive, for example.

So instead, I wrote a logoff script to do some basic maintenance to help me solve these issues. Macs don’t provide an easy built-in way to run logoff scripts, so I use Offset to run the script for me.

My script does the following:

  1. Deletes the user’s keychain every time they log out. This prevents keychain errors and improves security, since it ensures we aren’t storing people’s passwords on our public computers.
  2. Replaces the user’s dock with a known good configuration. That way, if the user accidentally messed up the dock, it will be back to normal the next time they log in.
  3. Kicks off anyone who’s logged into the computer in the background. This dramatically improves system performance.
  4. Restarts the computer if it’s been on for more than a day. This is a necessary step to fully purge keychain files.

Here is the script I created. I am not a bash expert or a MacOS expert, and I make no warranty for the functionality or safety of this script; I’m presenting it only for example purposes to help others in similar positions. If you want to adapt this script, you will likely need to make changes.

#!/bin/bash

echo "$(date) - Script execution beginning" >> /Library/Logs/lab_logout_debug.log

# Step 0: Decide whether we need to run the script.
#         If we're at the login window, and if the script has not run
#         in the last 60 seconds, then we want to run it now.
#         Note: Checking when the script last ran prevents the script from
#         killing the login window over and over and over again in a loop!
#         I chose 60 seconds because it would be unusual for someone to be
#         logged in for less than 1 minute.

echo "$(date) - initializing shouldrun to false" >> /Library/Logs/lab_logout_debug.log
shouldrun=false

echo "$(date) - trying to find the last time run log file" >> /Library/Logs/lab_logout_debug.log

# Can we find the log file that stores the last time the script was run?
if [ -f /Library/Logs/lab_logout_last_time.log ]
then
    # We found the file!
    echo "$(date) - found last time run log file" >> /Library/Logs/lab_logout_debug.log
    
    # Store the current Unix time in seconds
    currenttime=$(date +%s)

    # Read the Unix time in seconds that the script last ran
    lasttime=$(cat /Library/Logs/lab_logout_last_time.log)

    # Calculate the difference between the times: How long ago did the script last run?
    delta=$(expr $currenttime - $lasttime)

    echo "$(date) - Current time: " $currenttime >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Last time: " $lasttime >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Delta: " $delta >> /Library/Logs/lab_logout_debug.log

    # Did the script last run MORE than 60 seconds ago?
    if [ "$delta" -gt 60 ]
    then
        # Yes? We should run the script.
        shouldrun=true
        echo "$(date) - set shouldrun to true (delta large enough)" >> /Library/Logs/lab_logout_debug.log
    else
        # No? We should not run the script.
        echo "$(date) - keep shouldrun at false (delta too small)" >> /Library/Logs/lab_logout_debug.log
    fi
else
    # We didn't find the log file that stores the last time the script was run, so let's assume we need to run the script.
    echo "$(date) - didn't find file" >> /Library/Logs/lab_logout_debug.log
    shouldrun=true
    echo "$(date) - set shouldrun to true (file not found)" >> /Library/Logs/lab_logout_debug.log
fi

# Should we run the script?
if [ "$shouldrun" = "true" ]
then
    # Yes, we should run the script!
    echo "$(date) - shouldrun evaluated as true - executing remainder of script" >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Executing lab logout script." >> /Library/Logs/lab_logout.log

    ### Step 1: Delete the last user's keychain
    # Credit to https://github.com/aysiu/Mac-Scripts-and-Profiles/blob/master/RemoveLastUserKeychains

    echo "$(date) - Entering step 1" >> /Library/Logs/lab_logout_debug.log

    # Get the last user's username
    lastUserName=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)

    # Only proceed if we actually got a username and that user's home directory exists.
    # With an empty variable, the rm below would expand to /Users//Library/Keychains/*.
    if [ -n "$lastUserName" ] && [ -d /Users/"$lastUserName" ]
    then
        # Remove the keychains for that user
        sudo rm -rf /Users/"$lastUserName"/Library/Keychains/*
        sudo rm -rf /Users/"$lastUserName"/Library/Keychains/.f*

        # Add to log file. (No sudo here: "sudo echo ... >> file" does not elevate the
        # redirection, which is performed by the calling shell, so it buys nothing.)
        echo "$(date) - Keychain deleted for $lastUserName" >> /Library/Logs/lab_logout.log

        ### Step 2: Copy the dock for the user

        echo "$(date) - Entering step 2" >> /Library/Logs/lab_logout_debug.log

        cp /Library/lab/com.apple.dock.plist /Users/"$lastUserName"/Library/Preferences/
        echo "$(date) - Dock copied for this user: $lastUserName" >> /Library/Logs/lab_logout.log
    else
        echo "$(date) - No last user found; skipping steps 1 and 2" >> /Library/Logs/lab_logout_debug.log
    fi

    ### Step 3: Record the current time as the last time the script ran

    echo "$(date) - Entering step 3" >> /Library/Logs/lab_logout_debug.log

    # Record the current time to the lab_logout_last_time file, overwriting any previous file content
    echo $(date +%s) > /Library/Logs/lab_logout_last_time.log

    echo "$(date) - Current time recorded" >> /Library/Logs/lab_logout_debug.log

    ### Step 4: Either restart (if uptime is at least 1 day) or kill loginwindow (to log out any background users)
    echo "$(date) - Entering step 4" >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Current uptime: $(uptime)" >> /Library/Logs/lab_logout_debug.log

    # Has the computer been on for at least one full day? 
    # (i.e. does the word "day" or "days" appear in the output of the "uptime" command?)
    if [[ $(uptime) =~ .*day.* ]] 
    then 
        # Uptime is at least one day, so let's restart. This will fully clear keychains and (obviously) log out all users.

        echo "$(date) - Uptime greater than a day; attempting a restart" >> /Library/Logs/lab_logout.log
        sudo shutdown -r now
    else 
        # Uptime is less than one day, so let's just kill the loginwindow process to make sure no one's
        # logged in in the background.

        echo "$(date) - Uptime less than a day; killing loginwindow." >> /Library/Logs/lab_logout.log

        # Kill loginwindow to log out any users who are logged in in the background
        sudo pkill loginwindow
    fi
    
else
    # No, we shouldn't run the script!
    echo "$(date) - shouldrun DID NOT evaluate as true" >> /Library/Logs/lab_logout_debug.log
fi
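
Step 0 is the part of the script where a mistake hurts most: too short a throttle and the script kills loginwindow in a loop, while an empty or corrupt timestamp file makes the original's `expr` and `-gt` tests fail, so the cleanup silently never runs again. Here is that throttle test, together with the step 4 uptime test, as stand-alone functions that take their inputs as arguments so they can be tried out without touching /Library/Logs or loginwindow. This is an added example, not part of the original script; the function names, sample timestamps and sample uptime lines are constructed here for illustration.

```shell
#!/bin/bash
# Added example: the step-0 throttle and step-4 uptime test as pure functions
# that take their inputs as arguments, so they can be exercised without
# touching /Library/Logs or loginwindow.

# should_run NOW LASTFILE -> prints "true" or "false".
# Missing file, empty/non-numeric content, or a clock that went backwards
# (negative delta) all count as "run": a stale or corrupt timestamp must not
# silently disable the cleanup, and a bare "-gt" test on non-numeric input
# would otherwise error out and leave shouldrun false forever.
should_run() {
    local now="$1" lastfile="$2" last delta
    [ -f "$lastfile" ] || { echo true; return; }
    last=$(head -n1 "$lastfile" | tr -d '[:space:]')
    case "$last" in
        ''|*[!0-9]*) echo true; return ;;
    esac
    delta=$(( now - last ))
    if [ "$delta" -lt 0 ] || [ "$delta" -gt 60 ]; then
        echo true
    else
        echo false
    fi
}

# uptime_at_least_a_day "UPTIME_OUTPUT" -> "true" once the word "day"
# appears ("1 day", "3 days"); hours-only output ("up 5:32") gives "false".
uptime_at_least_a_day() {
    case "$1" in
        *day*) echo true ;;
        *)     echo false ;;
    esac
}

# Constructed sample inputs (not real lab data).
tmp=$(mktemp)
echo 1700000000 > "$tmp"
should_run 1700000030 "$tmp"     # false: last ran 30 s ago
should_run 1700000100 "$tmp"     # true: last ran 100 s ago
should_run 1699999990 "$tmp"     # true: clock moved backwards
printf 'garbage\n' > "$tmp"
should_run 1700000100 "$tmp"     # true: corrupt timestamp
should_run 1700000100 /nonexistent/lab_logout_last_time.log   # true: no file
rm -f "$tmp"
uptime_at_least_a_day "14:02  up 3 days,  2:11, 2 users, load averages: 1.20 1.15 1.09"  # true
uptime_at_least_a_day "14:02  up  5:32, 2 users, load averages: 1.20 1.15 1.09"          # false
```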

Basic installation instructions:

  1. Install Offset.
  2. Paste my script into a new file with a .sh extension.
  3. Make any necessary changes to the script. Note that it won’t run as-is; at the very least, you need to put a dock.plist file in the /Library/lab/ directory for step 2 of the script, or else remove that part of the script.
  4. Move the script file to /usr/local/offset/logout-every so that Offset will run it for you.
  5. Make the script file executable. I run this command in Terminal, and it seems to work, but I’m not an expert, so ymmv: sudo chmod 755 /usr/local/offset/logout-every/lab_logout.sh ; sudo chown root:wheel /usr/local/offset/logout-every/lab_logout.sh

That should do it!
