
Remove Guest Home Folder

Remove the residual /Users/Guest home directory on macOS endpoints after disabling the Guest account

Worklet Details

What the Guest home folder cleanup does

This Automox Worklet™ removes the residual /Users/Guest home directory from macOS endpoints after the Guest account has been disabled. macOS does not always reap the Guest home folder when an administrator turns the account off through System Settings or a configuration profile. The folder lingers with cached preferences, browser data, downloads, and any files an unauthenticated user dropped during the last Guest session, and it stays on disk until something deletes it.

The Worklet runs a directory check against /Users/Guest, then issues rm -rf /Users/Guest when the folder is present. It is safe to schedule on a recurring policy because the evaluation phase is idempotent: once the directory is gone, every subsequent run exits 0 with no remediation. The script is bash-based and runs under the Automox agent's root context, so no additional credentials or interactive logins are required.

This Worklet is FixNow compatible. You can target a single endpoint or a group from the Automox console and trigger the cleanup on demand when an audit, an offboarding event, or a forensic review surfaces a Guest profile that should not be there.

Why purge the residual Guest profile

Disabling the Guest account is the first half of the control. The second half is removing what the account left behind. A disabled Guest user can no longer log in, but the contents of /Users/Guest remain readable by any local administrator and can be exfiltrated by malware running with elevated rights. The folder also drifts: software installers, browser auto-launches, and Apple's own diagnostic flows can write into the Guest profile before the disable takes effect, and that data sits on the endpoint until it is explicitly cleared. CIS Benchmarks for macOS recommend disabling the Guest account; the residual-folder cleanup is the operational follow-through that closes the audit finding.

On most Mac fleets, the Guest account is disabled in the MDM baseline but the home folder lingers on any endpoint where Guest was ever signed in before the policy went live. Applying this Worklet across the Mac estate sweeps /Users/Guest from every laptop and desktop in a single evaluation cycle, so a disabled Guest account no longer coexists with a populated Guest home directory full of cached browser data, sample documents, and lingering session tokens. Recurring evaluation catches any endpoint where a Time Machine restore, a system migration, or a manual login briefly recreates the folder.

How the Guest home folder cleanup works

  1. Evaluation phase: The Worklet runs a bash test against /Users/Guest. If the directory exists, evaluation prints "Guest home folder present. Remediation needed..." and exits 1, which schedules the endpoint for remediation. If the directory is absent, evaluation prints "Guest home folder not present. Exiting..." and exits 0, and Automox records the endpoint as compliant on this policy run.

  2. Remediation phase: The remediation script re-tests for /Users/Guest, then executes rm -rf /Users/Guest to recursively delete the directory and every file, subdirectory, and cached preference inside it. The script exits cleanly whether the folder was present or already removed by a parallel process, so a second policy run against the same endpoint never produces a false failure.
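The two phases described above, written out in bash as an added example; this is not the Worklet's published source. The function names, the `GUEST_HOME` override, the return code 2, the path sanity check, and the console-user guard (taken from the requirement that no Guest session be active) are assumptions of this example.

```shell
#!/bin/bash
# Added illustration; not the Worklet's published source.
# GUEST_HOME defaults to the path named on the page; the override exists only for testing.
GUEST_HOME="${GUEST_HOME:-/Users/Guest}"

# Evaluation: return 1 (remediation needed) when the folder exists, 0 when compliant.
evaluate_guest_home() {
    local target="$1"
    if [ -d "$target" ]; then
        echo "Guest home folder present. Remediation needed..."
        return 1
    fi
    echo "Guest home folder not present. Exiting..."
    return 0
}

# Remediation: re-test, defer while Guest owns the console, then delete.
# Return codes 0 (removed or already gone) and 2 (refused/deferred) are this example's choice.
remediate_guest_home() {
    local target="$1" console_user="$2"
    # Refuse an empty, relative, or bare "/" path before it can reach rm -rf.
    case "$target" in
        /?*) ;;
        *) echo "Refusing unsafe path: '$target'" >&2; return 2 ;;
    esac
    if [ ! -e "$target" ] && [ ! -L "$target" ]; then
        echo "Guest home folder already absent."
        return 0
    fi
    if [ "$console_user" = "Guest" ]; then
        echo "Guest session active; deferring removal." >&2
        return 2
    fi
    rm -rf -- "$target"
    [ ! -e "$target" ]   # succeed only if the folder is really gone
}

# Dispatcher: evaluation and remediation run as separate scripts in Automox,
# modeled here as two sub-commands. stat -f%Su is the macOS form of stat.
case "${1:-}" in
    evaluate)  evaluate_guest_home "$GUEST_HOME"; exit $? ;;
    remediate) remediate_guest_home "$GUEST_HOME" "$(stat -f%Su /dev/console)"; exit $? ;;
esac
```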

Guest profile cleanup requirements

  • macOS endpoint with the Automox agent installed; the bundled bash interpreter at /bin/bash handles both evaluation and remediation

  • Root-equivalent execution context, which the Automox agent provides by default; no separate credentials are required

  • The Guest user account should already be disabled in System Settings or via a configuration profile before this Worklet runs; pair this policy with a separate Worklet that enforces the disable

  • No active Guest session on the endpoint at policy execution time; if a session is open, log it out first to avoid removing a directory in use

  • Workstation or server endpoint type; the Worklet supports both because the underlying file path is identical across macOS variants

  • Optional: if your environment uses /Users/Shared/ for cross-account staging, audit that directory separately because the Guest account writes there as well and this Worklet does not touch /Users/Shared/

Expected state after Guest folder removal

After a successful remediation run, /Users/Guest no longer exists on the endpoint, and a listing of /Users/ shows only the active local accounts plus the system Shared directory. Open Terminal and run ls -la /Users/ to confirm the Guest entry is gone, then run stat /Users/Guest to verify it returns "No such file or directory." The Automox activity log records the remediation exit status, the bytes reclaimed, and the timestamp of the deletion, which together form the audit trail for compliance review.

On every subsequent policy evaluation, the Worklet reports exit code 0 and applies no further changes. If a Guest folder reappears on a managed endpoint, the next evaluation flags it within the policy interval and the Worklet removes it on the same run. Pair this policy with a Worklet that disables the Guest account through dscl or a configuration profile to keep the underlying account state in sync with the folder state. The combined policy gives you a clean, drift-resistant Guest configuration across every macOS endpoint Automox manages, without sending an admin to log in to each laptop.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
