Login Window payload settings for Apple devices
You can configure Login Window settings for Mac computers enrolled in a mobile device management (MDM) solution. Use the Login Window payload to set preferences for user login, control the user’s ability to restart and shut down the Mac from the login window, and set the appearance of the login window.
OS and channel | Supported enrolment types | Interaction | Duplicates |
|---|---|---|---|
macOS device macOS user | Device Automated Device | Combined | Multiple |
Login Window window options
Setting | Description | Required |
|---|---|---|
Show additional information in the menu bar | Cycle through the hostname, macOS version and IP address when the menu bar is clicked. | No |
Banner | Enter a message that’s displayed above the login prompt. You might use this to provide a warning about unauthorised use. | No |
Login Prompt | Select Name and password text fields if you want users to enter both their username and password. Select List of users able to use these computers then choose what appears in the Login window:
| No |
Show buttons | Select the buttons you’d like users to see:
| No |
Login Window options
Setting | Description | Required |
|---|---|---|
Password hint when needed and available | Shows the password hint. | No |
Automatic login | Allows the automatic login feature to be used. | No |
Apple ID setup during login | When a new user logs in, prevents the Apple ID setup screen from appearing. | No |
Siri setup during login | When a new user logs in, prevents the Apple ID setup screen from appearing. | No |
>console login | Allows users to use >console at the login window. | No |
Fast User Switching | Allows Fast User Switching to be enabled. | No |
Log out users after a period of inactivity | Select the amount of inactivity time before a user is automatically logged out. The minimum is 3 minutes. | No |
Mac computer administrators may refresh content or disable management | Allows Mac administrators on the computer to refresh or disable the management features. | No |
Set Mac computer name to computer record name | Forces the name of the Mac to be set as the computer record name. | No |
External accounts | Allows external accounts to log in. Available in macOS 10.14.4 or earlier. | No |
Guest user | Allows the Guest user account to appear. | No |
Start screen saver after a specified time | Select the amount of time before a screen saver appears. The options are:
| No |
User screen saver module | Select a path to force the screen saver to use a specific module. | No |
Set-up Assistant options
You can restrict which Setup Assistant panes are shown to users who create new accounts on a Mac that’s enrolled in an MDM solution. This doesn’t effect the initial account.
Important: All options in Setup Assistant panes can be configured later by the user unless you also permanently restrict these features using your MDM solution with a restrictions payload in a configuration profile on the device.
Setting | Description | Required |
|---|---|---|
Apple ID | The user can’t enter their Apple ID. | No |
Choose your look | The user can’t select Dark Mode or Automatic. | No |
iCloud Desktop and Documents | The user can’t set up iCloud Desktop and Documents. | No |
Privacy | The user doesn’t see the Privacy consent window. | No |
Screen Time | The user can’t enable Screen Time. | No |
Siri | The user can’t configure Siri. | No |
Touch ID | The user can’t enable Touch ID to unlock the device or authenticate to apps that use Touch ID. | No |
True Tone Display | The user can’t enable four-channel sensors to dynamically adjust the white balance of the display. | No |
Login Window access
Setting | Description | Required |
|---|---|---|
Specify authorised users and groups | Select the users or groups than can either be allowed or specifically not allowed to log in to the Mac computers. | No |
Local-only users | Permit only local users to log in. Network users won’t be allowed to log in. | No |
Local-only users use available workgroup settings | Local users are forced to use any available workgroup settings. | No |
Ignore workgroup nesting | If users are part of a nested workgroup, only the settings of the user’s workgroup are enforced. | No |
Combine available workgroup settings | If users are part of a nested workgroup, all nested workgroup settings are enforced. | No |
Always show workgroup dialogue during login | If the workgroup has a specific dialogue, that dialogue is shown when users log in. | No |
Login Window scripts
Setting | Description | Required |
|---|---|---|
Login script | Select the script that runs when users log in. | No |
Execute the Mac computer’s LoginHook script | Run any LoginHook script in addition to the Login script. | No |
Logout script | Select the script that runs when users log out. | No |
Execute the Mac computer’s LogoutHook script | Run any LogoutHook script in addition to the Logout script. | No |