PruneUsers

Prunes inactive local user accounts on shared Macs.

Modes

1. --secure: immediately secure-deletes inactive users.
2. --soft (default): drops a marker file (/Users/<user>/.pruneusers) and defers deletion until grace period expires.

Soft Delete Workflow

When a user reaches the inactivity threshold in soft mode:

• Script writes /Users/<user>/.pruneusers
• Marker stores delete_on and metadata
• Account/home are left in place during grace period

On later runs:

• If user activity resumes (logged in now or inactivity falls below threshold), marker is removed.
• If delete_on is reached and user remains inactive, account/home are deleted.

Logging

• Daily logs: /var/log/PruneUsers/PruneUsers-YYYY-MM-DD.log
• launchd stdout/stderr: /var/log/PruneUsers-launchd.log
• Old daily logs are pruned automatically by retention policy.

Usage

PruneUsers.zsh [options] [days_inactive]

Options:

• -h --help show help
• -v --verbose verbose logging
• -n --dry-run simulation mode
• --secure secure delete mode
• --soft soft delete mode
• --debug debug logging

Examples:

• ./PruneUsers.zsh --secure 14
• ./PruneUsers.zsh --soft --dry-run 45

MDM-Managed Configuration

Settings path:

• /Library/Managed Preferences/com.maxhewett.pruneusers.plist

Supported keys:

• DeletionMethod (soft or secure)
• InactivityDays (integer)
• SoftDeleteGraceDays (integer)
• LogRetentionDays (integer, 0 disables pruning)

Priority order:

1. Command-line arguments
2. Managed preferences
3. Script defaults (soft, inactivity 30, grace 14, log retention 30)

Jamf

• Example managed preferences payload: com.maxhewett.pruneusers.managed-preferences.example.plist
• Jamf Custom Settings schema: jamf/com.maxhewett.pruneusers.schema.json
• Preference domain: com.maxhewett.pruneusers

Quick setup:

1. Upload the schema file to a Jamf Application & Custom Settings payload.
2. Use preference domain com.maxhewett.pruneusers.
3. Configure DeletionMethod, InactivityDays, SoftDeleteGraceDays, and LogRetentionDays.
4. Deploy this profile to target Macs and run the LaunchDaemon on schedule.

launchd Deployment

Use a root LaunchDaemon (not a user LaunchAgent).

• Script: /Library/Application Support/PruneUsers/PruneUsers.zsh
• Daemon: /Library/LaunchDaemons/com.maxhewett.UserPruner.plist
• Load: launchctl bootstrap system /Library/LaunchDaemons/com.maxhewett.UserPruner.plist

Keep timing in the daemon and behavior in managed preferences.