How to create a policy banner in OS X

You can display a banner at the login window that requires a user to acknowledge it before proceeding.

Create a banner

You can set a login message that appears at the login screen of your Mac. You can also set a "policy" banner to display a longer message that you must accept before you can log in. This can be useful in situations where you need users to agree to or acknowledge terms or conditions before using the computer, such as an Acceptable Use Policy.

Use these steps to create a policy banner:

  1. Create a plain text (.txt) or rich text (.rtf .rtfd) document named PolicyBanner that contains your banner.
  2. Copy the PolicyBanner file to the /Library/Security/ folder. 

The next time you restart the computer, the banner you created appears when you would normally see the login screen. 

If you don't see your banner

If you don't see your banner appear, check the following.

Check FileVault

If you have FileVault full disk encryption enabled on your computer, the policy banner appears after the first user logs in, before the desktop appears. The first login is performed to unlock the startup disk. 

Check permissions

In some instances, you might need to adjust the permissions on the PolicyBanner file.

For .txt or .rtfd files set the permissions on the Policy Banner file so that Everyone (Other) has read privileges:

sudo chmod o+r /Library/Security/PolicyBanner.txt
sudo chmod o+r /Library/Security/PolicyBanner.rtf 

For .rtfd files, adjust the permissions so Everyone (Other) has both read and execute privileges:

sudo chmod -R o+rx /Library/Security/PolicyBanner.rtfd

Check authorization

If you're using OS X v10.8.3 through v10.8.5 and the Policy Banner window doesn't appear, check the /etc/authorization file for the two lines in bold below:

<string>loginwindow:login</string>

<string>builtin:login-begin</string>

<string>builtin:reset-password,privileged</string>
 

<string>PKINITMechanism:auth,privileged</string>

<string>builtin:login-success</string>

<string>loginwindow:success</string>
 

If these two lines aren't present, add them to the /etc/authorization file in the locations they appear above. The /etc/authorization file is no longer used in OS X v10.9 and later, so these changes don't need to be made in versions of OS X other than v10.8.3 through v10.8.5.

Learn More

If you want to use the same policy banner across multiple computers, you can use  Apple Remote Desktop admin, Profile Manager in OS X Server, or other mobile device management software to distribute the file you created to all of your Macs.

Last Modified:
Helpful?

Additional Product Support Information

Start a Discussion

in Apple Support Communities
See all questions on this article See all questions I have asked
United States (English)