Skip to main content

Linux Guest Login Policy

Updated this week

The Linux Guest Login Policy lets you centrally control whether users can sign in to a Linux device using a guest session. This Linux policy can be used for both BYOD and company-owned devices.

Guest logins are typically anonymous sessions without a persistent identity. Allowing guest sessions can weaken auditability and access control, so many security and compliance frameworks recommend disabling guest access on corporate devices.

Note: On most supported Linux distributions, guest login is disabled by default. This policy primarily exists so that you can explicitly prevent guest login for compliance — or allow guest login in specific, approved scenarios.

When to use this policy

Use the Linux Guest Login Policy when you need to:

  • Enforce your compliance baseline to disable guest login on Linux devices (e.g., LOGIN-1 / “guest account disable” control).

  • Ensure only identified users (with named user accounts) can access corporate or BYOD devices.

  • Avoid local, anonymous sessions that bypass normal identity and audit controls.

  • Explicitly allow guest login in tightly controlled exceptions (for example, shared kiosks or training machines), while still managing this access via MDM.

This policy applies to:

  • Device types:

    • BYOD (user-owned)

    • Company-owned devices

  • Operating systems:

    • Linux

Minimum system requirements

  • Operating system: Linux

This Linux policy can be used for both BYOD and company-owned devices.

Supported platforms

  • Linux (supported distributions as per Swif Linux agent and MDM platform support)

For the full list of Linux MDM policies and supported platforms, see:
Linux-specific MDM policies available in Swif | Help Center | Swif

Policy fields

Enable

  • Field name: enable

  • Type: Boolean (true / false)

  • Display name: Enable

  • Description: Controls whether guest login is allowed on the Linux device.

Values

  • trueEnable guest login

    • A guest session is allowed on the device.

    • Users can sign in as a guest (typically without a password, depending on distro and desktop environment).

    • This may reduce accountability and is generally not recommended for devices handling sensitive data or subject to strict compliance requirements.

  • falseDisable guest login

    • Guest sessions are not allowed.

    • Users must log in using a named user account (local, domain, or identity-provider-based, depending on your setup).

    • This aligns with typical security and compliance baselines for login controls (e.g., LOGIN-1 / “guest account disable”).

Recommended setting for compliance:
Set Enable = false to disable guest login on all corporate and regulated BYOD devices.

Behavior and notes

  • On many modern Linux distributions, guest login is already disabled by default.
    Applying this policy with Enable = false makes that state explicit and centrally enforced.

  • When Enable = true:

    • The system will allow a guest login option, using a dedicated guest user/session.

    • Guest data may be cleared after logout depending on the implementation and desktop environment.

    • Because guest sessions do not map to a persistent, named user account, they are generally not recommended for devices with strict audit or access control requirements.

Example use cases

Enforce no-guest-login on all corporate Linux devices

  1. Create or edit a policy of type Linux Guest Login Policy.

  2. Set Enable = false.

  3. Assign the policy to:

    • All corporate Linux devices, or

    • A specific device group (e.g., “Production Servers”, “Engineering Laptops (Linux)”).

  4. Confirm on a test device that the guest login option is no longer available on the login screen.

Allow guest login on a controlled kiosk

  1. Create a Linux Guest Login Policy for your kiosk group.

  2. Set Enable = true.

  3. Assign the policy only to:

    • The kiosk / lab / test machines that explicitly require guest access.

  4. Ensure that:

    • No sensitive corporate data is accessible from guest sessions.

    • You have operational controls for regularly re-imaging or clearing devices if needed.

Compliance considerations

Disabling guest login is part of common account and authentication best practices:

  • Guest accounts allow anonymous access and can bypass individual accountability.

  • Many security frameworks (e.g., SOC 2, ISO 27001, NIST, CIS) expect:

    • Named user accounts,

    • Traceable authentication, and

    • Controlled access to corporate systems.

By using the Linux Guest Login Policy with Enable = false, you can:

  • Demonstrate that guest login is disabled on Linux devices.

  • Align Linux behavior with your existing guest-account controls on other platforms (e.g., Windows Guest Account Policy, macOS login window controls).

  • Support LOGIN-1 / “guest account disable” style controls in your Compliance Center configuration.

Related documentation

Related Articles
Managing the Swif Admin User on Linux (BYOD and Non-BYOD)
Linux-specific MDM policies available in Swif
Linux Google Login Policy
Linux Azure Login Policy
Windows Guest Account Policy
Did this answer your question?