Login Window MDM payload settings for Apple devices
You can configure Login Window settings for Mac computers enrolled in a mobile device management (MDM) solution. Use the Login Window payloads to configure settings for user login, control the user’s ability to restart and shut down the Mac from the login window, and set the appearance of the login window.
The Login Window payloads support the following. For more information, see Payload information.
Supported payload identifiers: com.apple.loginwindow, com.apple.mcxloginscripts
Supported operating systems and channels: macOS device.
Supported enrollment types: Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one Login Window payload can be delivered to a device. False—Login Scripts can deliver only one payload to a device.
You can use the settings in the tables below with the Login Window payloads.
Login Window window options
Setting | Description | Required |
---|---|---|
Show additional information in the menu bar | Cycles through the hostname, macOS version, and IP address when the menu bar is clicked. | No |
Host information | Enters a message that’s displayed above the login prompt. You might use this to provide a warning about unauthorized use. | No |
Login Prompt | Select Name and password text fields if you want users to enter both their user name and password. Select List of users able to use these computers then choose what appears on the Login window: | No |
Show buttons | Shows the buttons you’d like users to see: | No |
Automatic login user name | Can be used by MDM to configure the auto-login behavior on supervised Mac computers with macOS 14. | No |
Automatic login password | An optional user password to set up auto login. If this key doesn’t exist but a user name does exist, the system sets up auto login the next time the user logs in to the Mac. Requires macOS 14. | No |
Login Window options
Setting | Description | Required |
---|---|---|
Password hint when needed and available | Shows the password hint. | No |
Apple Account setup during login | When a new user logs in, prevents the Apple Account setup screen from appearing. | No |
Siri setup during login | When a new user logs in, prevents the Apple Account setup screen from appearing. | No |
>console login | Allows users to use >console at the login window. | No |
Fast User Switching | Allows Fast User Switching to be turned on. | No |
Log out users after a period of inactivity | Select the amount of inactivity time before a user is automatically logged out. The minimum is 3 minutes. | No |
Mac computer administrators may refresh content or disable management | Allows Mac administrators on the computer to refresh or disable the management features. | No |
Set Mac computer name to computer record name | Forces the name of the Mac to be set as the computer record name. | No |
External accounts | Allows external accounts to log in. Available in macOS 10.14.4 or earlier. | No |
Guest user | Allows the Guest user account to appear. | No |
Start screen saver after a specified time | Select the amount of time before a screen saver appears. The options are: | No |
User screen saver module | Select a path to force the screen saver to use a specific module. | No |
Login Window access
Setting | Description | Required |
---|---|---|
Specify authorized users and groups | Select the users or groups that can either be allowed or specifically not allowed to log in to the Mac computers. | No |
Local-only users | Permit only local users to log in. Network users won’t be allowed to log in. | No |
Local-only users use available workgroup settings | Local users are forced to use any available workgroup settings. | No |
Ignore workgroup nesting | If users are part of a nested workgroup, only the settings of the user’s workgroup are enforced. | No |
Combine available workgroup settings | If users are part of a nested workgroup, all nested workgroup settings are enforced. | No |
Always show workgroup dialog during log in | If the workgroup has a specific dialog, that dialog is shown when users log in. | No |
Login Window (com.apple.mcxloginscripts) scripts
Setting | Description | Required |
---|---|---|
Login script | Select the script that runs when users log in. | No |
Execute the Mac computer’s LoginHook script | Run any LoginHook script in addition to the Login script. | No |
Logout script | Select the script that runs when users log out. | No |
Execute the Mac computer’s LogoutHook script | Run any LogoutHook script in addition to the Logout script. | No |
Note: Each MDM vendor implements these settings differently. To learn how various Login Window settings are applied to your devices and users, consult your MDM vendor’s documentation.
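Because vendors expose these settings differently, it helps to review the profile that is actually delivered. The following is an added example, not part of Apple's documentation: a Python audit of an unsigned configuration profile for the security-relevant Login Window settings listed above. The setting key names (`AutologinUsername`, `AutologinPassword`, `DisableConsoleAccess`, `RetriesUntilHint`, `LoginwindowText`) do not appear on this page; they are assumed from Apple's configuration profile schema and should be checked against what your MDM vendor emits. The sample profile is constructed.

```python
import plistlib

# Constructed sample profile. Setting key names are assumptions taken from
# Apple's configuration profile schema, not from this page.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.loginwindow.sample",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.loginwindow",
            "LoginwindowText": "Authorized use only.",
            "AutologinUsername": "kiosk",
            "AutologinPassword": "constructed-password",
            "DisableConsoleAccess": False,
            "RetriesUntilHint": 3,
        },
        {"PayloadType": "com.apple.mcxloginscripts"},
    ],
})

def audit_login_window(profile_bytes):
    """Return sorted findings for Login Window payloads in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.mcxloginscripts":
            # Login/logout scripts run code at every session start or end.
            findings.append("login/logout scripts payload present: review the scripts it runs")
        if ptype != "com.apple.loginwindow":
            continue
        if payload.get("AutologinUsername"):
            findings.append("automatic login configured")
        if "AutologinPassword" in payload:
            findings.append("automatic login password stored in profile")
        if not payload.get("DisableConsoleAccess", False):
            findings.append(">console login allowed")
        if payload.get("RetriesUntilHint", 0) > 0:
            findings.append("password hint shown")
        if not payload.get("LoginwindowText"):
            findings.append("no login banner")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_login_window(SAMPLE_PROFILE):
        print(finding)
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before `plistlib` can parse it.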