Mac computer lab headaches! A script to handle keychain errors, docks, and users logged in in the background

I’m primarily a university-level ESL instructor. However, one of my responsibilities is to manage our English Language Institute’s computer lab, which has 20 iMacs. Here are some of the issues I’ve struggled with:

  • Keychain errors. My university uses Active Directory for usernames and passwords, and Macs don’t play nicely with Active Directory. Every time that students and faculty are forced to change their passwords through the university’s web interface, it breaks their keychains on all campus Macs, since the login password is no longer the same as the keychain password. Dealing with keychain errors is annoying enough under one-device-per-person circumstances, but when people use multiple computers over the course of multiple semesters and change their password multiple times, the problems snowball out of control.
  • Messing up the dock. It’s pretty straightforward to set up a default dock for new users. However, most of our students lack familiarity or comfort with Macs, so if a student accidentally drags an important icon (like, say, Microsoft Word) out of the dock, they may have difficulty finding the application again. Under these circumstances, it’s desirable to “reset” the dock to a known good state every time a user logs out so that any mistakes they made will be wiped away.
  • Users not logging out. This is a big one. If a user fails to log out properly and ends up with their whole session still stored in memory in the background, system performance plummets for anyone else who logs into that computer. This is a huge problem in a lab setting because it’s difficult to train users to always properly log out, and each computer is logged into so many times every day that it only takes a couple days for most computers to have at least one user still accidentally logged in in the background.

One solution to these kinds of issues is to have a very tightly controlled computer lab where no user data is stored and where the computers constantly restart and reset themselves to known good states. But I’m not comfortable doing that; I want students to be able to log back into a computer to retrieve a file if they accidentally saved it to the lab computer instead of their personal flash drive, for example.

So instead, I wrote a logoff script to do some basic maintenance to help me solve these issues. Macs don’t provide an easy built-in way to run logoff scripts, so I use Offset to run the script for me.

My script does the following:

  1. Delete the user’s keychain every time they log out (step 1 of script). This prevents keychain errors and improves security, since it ensures we aren’t storing people’s passwords on our public computers.
  2. Replaces the user’s dock with a known good configuration (step 3 of script). That way, if the user accidentally messed up the dock, it will be back to normal the next time they log in. Yes, this does mean that users cannot customize their docks– but in a lab setting, what a student customizes on one computer won’t carry over to another computer anyway, so why give them the illusion of choice? Better to keep things standardized.
  3. Kicks off anyone who’s logged into the computer in the background (step 5 of script). This dramatically improves system performance.
  4. Restarts the computer if it’s been on for more than a day (step 5 of script). This is a necessary step to fully purge keychain files.

Here is the script I created. I am not a bash expert or a MacOS expert, and I make no warranty for the functionality or safety of this script; I’m presenting it only for example purposes to help others in similar positions. If you want to adapt this script, you will likely need to make changes.

echo "$(date) - Script execution beginning" >> /Library/Logs/lab_logout_debug.log

### Step 1: Delete the last user's keychain; we always want to do this upon logout no matter what
# Credit to
echo "$(date) - Entering step 1" >> /Library/Logs/lab_logout_debug.log
# Get the last user's username
lastUserName=$(defaults read /Library/Preferences/ lastUserName)
# Remove the keychains for that user
sudo rm -rf /Users/"$lastUserName"/Library/Keychains/*
sudo rm -rf /Users/"$lastUserName"/Library/Keychains/.f*
# Add to log file
sudo echo "$(date) - Keychain deleted for $lastUserName" >> /Library/Logs/lab_logout.log

### Step 2: Decide whether we need to run the rest of the script.
#           If we're at the login window, and if the script has not run
#           in the last 120 seconds, then we want to run it now.
#           Note: Checking when the script last ran prevents the script from 
#           killing the login window over and over and over again in a loop!
#           I chose 120 seconds because it would be unusual for someone to be
#           logged in for less than 2 minutes.

echo "$(date) - Entering step 2" >> /Library/Logs/lab_logout_debug.log
echo "$(date) - initializing shouldrun to false" >> /Library/Logs/lab_logout_debug.log
echo "$(date) - trying to find the last time run log file" >> /Library/Logs/lab_logout_debug.log
# Can we find the log file that stores the last time the script was run?
if [ -f /Library/Logs/lab_logout_last_time.log ]
    # We found the file!
    echo "$(date) - found last time run log file" >> /Library/Logs/lab_logout_debug.log
    # Store the current Unix time in seconds
    currenttime=$(date +%s)
    # Read the Unix time in seconds that the script last ran
    lasttime=$(cat /Library/Logs/lab_logout_last_time.log)
    # Calculate the difference between the times: How long ago did the script last run?
    delta=$(expr $currenttime - $lasttime)
    echo "$(date) - Current time: " $currenttime >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Last time: " $lasttime >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Delta: " $delta >> /Library/Logs/lab_logout_debug.log
    # Did the script last run MORE than 120 seconds ago?
    if [ "$delta" -gt 120 ]
        # Yes? We should run the rest of this script.
        echo "$(date) - set shouldrun to true (delta large enough)" >> /Library/Logs/lab_logout_debug.log
        # No? We should not run the rest of this script.
        echo "$(date) - keep shouldrun at false (delta too small)" >> /Library/Logs/lab_logout_debug.log
    # We didn't find the log file that stores the last time the script was run, so let's assume we need to run the script.
    echo "$(date) - didn't find the last time run file" >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - set shouldrun to true (file not found)" >> /Library/Logs/lab_logout_debug.log
# Should we run the script?
if [ "$shouldrun" = "true" ]
    # Yes, we should run the script!
    echo "$(date) - shouldrun evaluated as true - executing remainder of script" >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Executing lab logout script." >> /Library/Logs/lab_logout.log
    ### Step 3: Copy the dock for the user
    echo "$(date) - Entering step 3" >> /Library/Logs/lab_logout_debug.log
    cp /Library/lab/ /Users/$lastUserName/Library/Preferences/
    echo "$(date) - Dock copied for this user:" $lastUserName >> /Library/Logs/lab_logout.log
    ### Step 4: Record the current time as the last time the script ran
    echo "$(date) - Entering step 4" >> /Library/Logs/lab_logout_debug.log
    # Record the current time to the lab_logout_last_time file, overwriting any previous file content
    echo $(date +%s) > /Library/Logs/lab_logout_last_time.log
    echo "$(date) - Current time recorded" >> /Library/Logs/lab_logout_debug.log

    ### Step 5: If the computer has been up for at least 24 hours, then restart;
    #           otherwise, just kill loginwindow

    echo "$(date) - Entering step 5" >> /Library/Logs/lab_logout_debug.log
    echo "$(date) - Current uptime: $(uptime)" >> /Library/Logs/lab_logout_debug.log
    # Has the computer been on for at least one full day? 
    # (i.e. does the word "day" or "days" appear in the output of the "uptime" terminal command?)
    if [[ $(uptime) =~ .*day.* ]] 
        # Uptime is at least one day, so let's force a restart. This will fully clear keychains and (obviously) log out all users.
        echo "$(date) - Uptime greater than a day; attempting a restart" >> /Library/Logs/lab_logout.log
        sudo shutdown -r now
        # Uptime is less than one day, so let's just kill the loginwindow process to make sure no one's
        # logged in in the background.
        echo "$(date) - Uptime less than a day; killing loginwindow." >> /Library/Logs/lab_logout.log
        # Kill loginwindow to log out any users who are logged in in the background
        sudo pkill loginwindow

    # No, we shouldn't run the script!
    echo "$(date) - shouldrun DID NOT evaluate as true, so script did not run" >> /Library/Logs/lab_logout_debug.log

Basic installation instructions:

  1. Install Offset.
  2. Paste my script into a new file with a .sh extension. (the specific filename I personally use is “”)
  3. Make any necessary changes to the script. Note that it won’t run as-is; at the very least, you need to put a dock.plist file in the /Library/lab/ directory for step 3 of the script, or else remove that part of the script.
  4. Move the script file to /usr/local/offset/logout-every so that Offset will run it for you.
  5. Make the script file executable. I run this command in Terminal, and it seems to work, but I’m not an expert, so ymmv: sudo chmod 755 /usr/local/offset/logout-every/ ; sudo chown root:wheel /usr/local/offset/logout-every/

That should do it!

Leave a Reply