The Apple Login Window Policy lets you configure how the macOS login window behaves on managed devices. You can control:

All field names below use the UI label (fieldDisplayName).

Displays extra system information in the menu bar at the login window (e.g., when clicking the time area).

Text displayed on the login window, often used for legal or security notices.

(macOS 10.8+)
Shows the macOS input/keyboard menu at the login screen.

Defines which users or groups can log in.

Users or groups that cannot log in. This list takes priority over Allowed Users or Groups.

Hides specific users from the login window. These users can still log in via Other….

Prevents direct root login, requiring a normal user login before privilege escalation.

Shows only network and system users in the login user list (local users are hidden).

Hides mobile account users in the user list. (In some configurations, mobile users may appear as network users.)

Displays network directory users (e.g., AD/LDAP) in the user list.

Controls whether local-only users are allowed to log in.

Allows external accounts to log in.

Applies workgroup configuration to local-only users.

Controls the macOS Guest account, which is often recommended to be disabled in secure environments.

(macOS 10.10+)
Prevents users from changing the lock screen message.

Configure the system to prompt for both username and password at the login window, rather than displaying a user list.

Shows the Other… option, allowing login as a user not listed on the screen (including hidden ones).

Blocks users from changing their own password via macOS UI.

Controls when password hints appear after failed login attempts.

Always displays the workgroup dialog during login.

Combines workgroup settings when a user belongs to more than one workgroup.

Ignores nested workgroup structure (flattens workgroup hierarchy).

Uses workgroup settings for local-only accounts.

Disables access to the special >console login (command-line only UI).

(macOS 10.9+)
Blocks automatic login when FileVault disk encryption is turned on.

(macOS 10.13+)
Disables immediate screen lock actions.

These settings control which actions are visible or usable on the login screen or while logged in.

Removes the Shut Down button from the login window.

Prevents users from shutting down the Mac from the menu when logged in.

Hides the Restart button on the login window.

Prevents users from restarting from the menu when logged in.

Hides the Sleep button on the login window.

Disables the Power Off item in the menu while a user is logged in.

(macOS 10.13+)
Prevents users from logging out via the menu when logged in.

Controls whether macOS reopens previously open windows when the user logs back in.

Allows Mac administrators to refresh management content or disable management.

Keeps the Mac’s hostname in sync with its directory/computer record.

For enterprise security hardening, Swif.ai recommends:

The Apple Login Window Policy provides deep control over how macOS handles login flow, user visibility, authentication behavior, and security posture. With extensive fields and configurable options, it enables fine-grained alignment with enterprise security standards.