5.12 Disable ability to login to another user's active and locked session

Information

macOS has an authorization right that can be granted to any user and that allows that user to unlock another user's active (locked) session.

Rationale:

Disabling the ability of admins and/or other users to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.

Impact:

While fast user switching is a workaround for some lab environments, especially where there is even less of an expectation of privacy, this setting change may impact some maintenance workflows.

Solution

Run the following command to disable a user logging into another user's active and/or locked session:

$ sudo security authorizationdb write system.login.screensaver use-login-window-ui

The command prints the following when the authorization database was updated successfully:

YES (0)
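To verify the setting after remediation, an administrator can read the right back with `security authorizationdb read system.login.screensaver`, which prints the right as an XML plist. The following POSIX shell audit helper is an added example (not part of the benchmark page or of Apple's tooling): it parses that plist, lists the entries of the right's rule array, and reports PASS only when use-login-window-ui is the sole rule bound to the right. The two sample plists embedded in it are constructed for the example; the non-compliant sample uses a hypothetical rule name and is not taken from the page.

```shell
#!/bin/sh
# Added audit helper for CIS 5.12 (not from the page). Parses the plist that
# `security authorizationdb read system.login.screensaver` prints and checks
# that the right is bound to the use-login-window-ui rule.

# Print one entry per line from the <array> that follows <key>rule</key>.
# Reads the plist from stdin; prints nothing if the right has no rule array
# (for example a right of class "user" configured through other keys).
rule_entries() {
    awk '
        /<key>rule<\/key>/            { in_rule = 1; next }
        in_rule && /<array>/          { in_array = 1; next }
        in_rule && in_array && /<\/array>/ { exit }
        in_rule && in_array && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print
        }
    '
}

# Return 0 when use-login-window-ui is the only rule entry, 1 otherwise.
# Reads the plist from stdin.
screensaver_right_compliant() {
    entries=$(rule_entries)
    [ "$entries" = "use-login-window-ui" ]
}

# Print PASS or FAIL for the plist given on stdin and echo the verdict.
audit_screensaver_right() {
    if screensaver_right_compliant; then
        echo PASS
    else
        echo FAIL
    fi
}

# Constructed sample: the right after the remediation command has been applied.
COMPLIANT_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>rule</key>
	<array>
		<string>use-login-window-ui</string>
	</array>
</dict>
</plist>'

# Constructed sample: a right still delegating to another rule. The rule name
# below is a hypothetical example, not a value from the benchmark page.
NONCOMPLIANT_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>rule</key>
	<array>
		<string>example-session-owner-or-admin</string>
	</array>
</dict>
</plist>'

# On a live Mac, pipe the real right into the audit function instead:
#   security authorizationdb read system.login.screensaver | audit_screensaver_right
```

Offline, `printf '%s\n' "$COMPLIANT_PLIST" | audit_screensaver_right` prints PASS and the non-compliant sample prints FAIL. The helper deliberately requires use-login-window-ui to be the only entry, so a right that still lists an additional rule alongside it is reported as non-compliant.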

References
https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/
https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver

See Also

https://workbench.cisecurity.org/files/3013

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-14a.

Plugin: Unix

Control ID: 1a7727bc9da3fb89b33b30bc7d86d79c3b64c1bd0ce878a673d391ba857e5947