2.12.3 Ensure Automatic Login Is Disabled

Information

The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen.

Rationale:

Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system.

Impact:

If automatic login is not disabled, an unauthorized user could gain access to the system without supplying any credentials.

Solution

Graphical Method:
Perform the following steps to set automatic login to off:

Open System Settings

Select Users & Groups

Set Automatically log in as... to Off

Terminal Method:
Run the following command to disable automatic login:

$ /usr/bin/sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
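
An idempotent wrapper around the Terminal Method, as an added example that is not part of the benchmark text: `defaults delete` exits with an error when `autoLoginUser` is already absent, so the script checks for the key before deleting it and re-audits afterwards. The function names and the overridable `DEFAULTS_BIN` and `PLIST` variables are assumptions of this example; run it as root.

```shell
#!/bin/sh
# Added example: audit and remediate the autoLoginUser key idempotently.
# DEFAULTS_BIN and PLIST are overridable (an assumption of this example) so the
# logic can be exercised against a stub instead of the real preference domain.
DEFAULTS_BIN="${DEFAULTS_BIN:-/usr/bin/defaults}"
PLIST="${PLIST:-/Library/Preferences/com.apple.loginwindow}"

# Print the account configured for automatic login.
# Returns non-zero when the key is not set.
autologin_user() {
    "$DEFAULTS_BIN" read "$PLIST" autoLoginUser 2>/dev/null
}

# Returns 0 (compliant) when no autoLoginUser is configured, 1 otherwise.
audit_autologin() {
    if user=$(autologin_user) && [ -n "$user" ]; then
        echo "FAIL: automatic login is enabled for '$user'"
        return 1
    fi
    echo "PASS: automatic login is disabled"
    return 0
}

# Delete the key only when it exists, then confirm the result with an audit.
# Returns 2 when the delete itself fails (for example, when not run as root).
remediate_autologin() {
    if autologin_user >/dev/null; then
        "$DEFAULTS_BIN" delete "$PLIST" autoLoginUser || return 2
    fi
    audit_autologin
}

# Entry point: "audit" only reports, "fix" remediates and then reports.
case "${1:-}" in
    audit) audit_autologin ;;
    fix)   remediate_autologin ;;
esac
```

The exit status of `audit` is suitable for a compliance check; a managed host where the profile is installed should still pass this audit so that removing the profile does not re-enable automatic login.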

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.loginwindow

The key to include is com.apple.login.mcx.DisableAutoLoginClient

The key must be set to <true/>

Note: If the profile is enabled and a user is also set to log in automatically, the profile takes precedence. In this case, the graphical or terminal remediation method should also be applied in case the profile is ever removed.

See Also

https://workbench.cisecurity.org/files/4159