The Apple Login Window Policy lets administrators control the behavior, security, and appearance of the macOS login window. This helps improve endpoint security, ensure compliance, and customize user experience.
Requirements
Minimum macOS version: macOS 13.0+
Settings Reference Table
Setting | Description | Possible Values | Minimum macOS Requirement |
Show a list of users for the device to log in | Displays a list of users at the login screen; disable to require manual login. | True / False | 13.0+ |
MDM config to disable local Hidden account in outside management | Prevents local hidden accounts from being used outside MDM control. | True / False | 13.0+ |
Allowed Users or Groups | Restrict login access to specific users or groups. | List input | 13.0+ |
Always show Passwords during setup log-in | Shows password fields during setup login. | True / False | 13.0+ |
Enable user to choose external account | Allows login using an external account. | True / False | 13.0+ |
Combine available workgroup settings | Shows combined workgroup options. | True / False | 13.0+ |
Can be joined on Directory | Allows joining directory services from login. | True / False | 13.0+ |
Enable > Console Access | Grants access to the console (command-line login). | True / False | 13.0+ |
Enable automatic log-in if FileVault is enabled | Auto-logs in when FileVault is active. | True / False | 13.0+ |
Enable the immediate Screen Lock function | Enables instant screen lock from login. | True / False | 13.0+ |
Prohibit external accounts | Blocks external account logins. | True / False | 13.0+ |
Ignore verification greeting | Skips greeting verification step. | True / False | 13.0+ |
Hidden Users List | Hides specified accounts from login window. | List input | 13.0+ |
Hide Mac empty with authorized user accounts | Hides Mac if no authorized accounts are found. | True / False | 13.0+ |
Hide mobile accounts | Prevents mobile accounts from appearing. | True / False | 13.0+ |
Show network users | Displays network-based accounts. | True / False | 13.0+ |
Local only setting for log-in | Restricts login to local accounts only. | True / False | 13.0+ |
Local only new user available settings | Controls creation of new local users. | True / False | 13.0+ |
Disable Mac Log In Items (menu) after logged in | Removes "Login Items" menu after login. | True / False | 13.0+ |
Banner | Displays a custom message/banner at login. | Text input | 13.0+ |
Disable Pre-set Chrome state after logged in | Prevents Chrome from applying pre-set states post-login. | True / False | 13.0+ |
Hide the restart button | Removes restart option from login. | True / False | 13.0+ |
Enable the Restart menu item after logged in | Allows restart option after login. | True / False | 13.0+ |
Show user as password instead of full name | Displays short username instead of full name. | True / False | 13.0+ |
Footer Text Label | Displays custom footer text at login. | Text input | 13.0+ |
Show “Other” | Enables “Other…” login option. | True / False | 13.0+ |
Hide the Shut Down button | Removes shutdown option from login. | True / False | 13.0+ |
Disable the Shut Down menu after logged in | Blocks shutdown from Apple menu post-login. | True / False | 13.0+ |
Hide the Sleep button | Removes sleep option from login. | True / False | 13.0+ |
Require admin when login fails | Requires admin credentials after failed login. | True / False | 13.0+ |
Set user computer name to contained record name | Auto-sets Mac computer name to user record. | True / False | 13.0+ |
Disable automatic log-in if FileVault is disabled | Disables auto-login unless FileVault is active. | True / False | 13.0+ |
Show reset menu in login window | Displays password reset options. | True / False | 13.0+ |
Best Practices
Security First: Keep auto-login disabled unless absolutely necessary.
Limit Access: Define specific users or groups for login.
Hide Unused Options: Remove restart, shutdown, or sleep buttons to prevent unauthorized device actions.