How to disable automatic log-in via the command line in OS X
While the use of system preferences is an easy option, this setting can be scripted for quick reversion either manually or by scheduling.
While the use of the log-in window at startup in OS X is the more secure option to use, often people may prefer to have their systems automatically log in to a specified user account, especially if they are the only user on the system and the system is in a relatively safe location such as a locked study or office. However, there are times when users may enable automatic log-in for systems in more public areas, and you might wish to ensure this setting either remains off or can be quickly reverted with a script or command that can run locally or remotely.
MacFixIt reader "jjohnson" wrote in with such a scenario:
I'm trying to come up with a script that will disable automatic log-ins that I can apply to a bunch of Macs where all users have admin permissions. I'm looking in the com.apple.loginwindow plist but I can't figure out how to disable the ability of a user with admin permissions to (re)enable automatic log-ins. Any help/suggestions are much appreciated!
The automatic log-in feature in OS X consists of two components. The first is a property list setting in the preferences file for the log-in window, and the second is a password store for the user. When you enable automatic log-in, the system will set the log-in window to automatically provide the specified username, and then will retrieve the password from the stored file on disk.
Reverting this setup can be done in the Users & Groups system preferences, but if you wish to script this setting to either ensure it is disabled at all times or to periodically revert it either with local scripts or remotely using the secure shell (ssh), then you will need to use Terminal commands.
As with most system and application settings, the changes to the log-in window are stored in its preferences file, which is a property list (.plist) file in the global /Library/Preferences/ folder. In the case of the log-in window, the specific setting for the automatic user log-in is the "autoLoginUser" key, the value of which is the short username for the default user account on the system.
To target this file and remove the autoLoginUser setting, simply open the Terminal and run the following version of the "defaults" command (the command used to edit preference files):
sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
In this command, the first component "sudo" is required to run the remainder of the command with administrator privileges, which will allow for the changes to take place. The second component specifies the "defaults" command, after which we tell this command to perform a delete operation on the specified log-in window preferences file. Note that in this file specification the ".plist" suffix is not included, since the defaults command uses the program's "domain" specification instead of the file itself. Finally, we tell the command to target the "autoLoginUser" setting within this preferences file, which if present will be removed when the command is run.
Running this command is all that is needed to turn off automatic log-in, but you can also remove the password file that holds the user's log-in password. This file is called "kcpassword" and is located in the hidden /etc directory at the root of the hard drive. To remove it, you can run the following command:
sudo rm /etc/kcpassword
Once these two commands have been run, the system should be reverted back to its state before automatic log-in was enabled.
If you need to script these commands, you can do so either by saving them in a script to be run manually or by using the system launcher (launchd), which is used in part for automatic launching and scheduling of programs and scripts in OS X. To script this process, you will first need to create a script file, and then optionally create a launch agent file that will run the script at a desired time or on a desired schedule.
For the script file, open the Terminal and run the following command:
sudo pico /usr/bin/noautologin.sh
The Terminal window will show an editor, so then type the following three lines (note the "sudo" component used above to run the commands as "administrator" is no longer included, since this will be used later when running the script in its entirety):
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
Next press Control-O, followed by Control-X to save and quit the changes, and then run the following command in the Terminal to allow execution of the script:
sudo chmod +x /usr/bin/noautologin.sh
Now when you log into this system either locally or remotely you can open the Terminal and run the following command to both revert the setting and remove the password file, if present:
If you wish to schedule this script to run automatically, then you can create a launch agent process that will load it and run it when the system starts. To do this, first run the following command in the Terminal to again launch the editor and create the launch agent file:
sudo pico /Library/LaunchAgents/local.noautologin.plist
After running this command, the editor will open, in which you can copy and paste the following text:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
This launch agent setup will run the command once at startup, but you can have the command run periodically throughout the day by scheduling it. One way to do this with the launch agent is to replace the "RunAtLoad" key with the following key and value, which will instead have the launch agent run every 10,800 seconds (3 hours) or another specified time frame of your choosing:
Once the launch agent is set to your preferences, press Control-O and then Control-X to save and close the file, and then restart the computer to load the launch agent into memory.
Keep in mind that this use of a launch agent is only one way to schedule automatic execution of the script, and you can configure the launch agent to run on specific days and times, or under other conditions that are supported by the launchd process.