← Back to Apple macOS 14 (Sonoma) Security Technical Implementation Guide

V-259513

CAT II (Medium)

The macOS system must disable unattended or automatic log on to the system.

Rule ID

SV-259513r991591_rule

STIG

Apple macOS 14 (Sonoma) Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000366

Discussion

Automatic logon must be disabled. When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.

Check Content

Verify the macOS system is configured to disable unattended or automatic logon to the system with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS

If the result is not "true", this is a finding.

Fix Text

Configure the macOS system to disable unattended or automatic logon to the system by installing the "com.apple.loginwindow" configuration profile.