Add DisableFDEAutoLogin to Login Window payload

This option prevents the user that decrypted FileVault from automatically logging in, a feature which ignores loginwindow's general "Disable automatic login" (com.apple.login.mcx.DisableAutoLoginClient) setting.
This setting is desirable for admins dealing with SmartCard logins, which FDEAutoLogin bypasses, and while it wouldn't be 100% out of place in the SmartCard payload, it is a com.apple.loginwindow preference and should probably end up there. It could even appear contextually depending on whether "Disable automatic login" is checked, although technically the two can be set independently.

Comment

Posted: by bpavlov

This is supported according to this Apple article: https://support.apple.com/en-us/HT207431

Specifically they say:

To turn off automatic login when FileVault is on, enter this command in Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

It does not look to be a part of the Configuration Profile Reference guide here: https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

However, given that the com.apple.loginwindow payload is in the reference guide, I'm going to say that this is just another oversight by Apple in not documenting it in their Configuration Profile Reference guide.

Would definitely be good to see Jamf implement this, and for people to also make the request to Apple to get this properly documented so MDM vendors can implement these features.

Like
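Added example, not part of the original post or comment and not Jamf or Apple code: a compliance check that reads a com.apple.loginwindow plist and flags the gap described above, where "Disable automatic login" is set but DisableFDEAutoLogin is not. It assumes both keys are found in the same plist; the function name, result labels and sample plists are constructed for illustration.

```python
import plistlib

FDE_KEY = "DisableFDEAutoLogin"
GENERAL_KEY = "com.apple.login.mcx.DisableAutoLoginClient"


def _enabled(value):
    """Lenient truthiness (an assumption): booleans, non-zero ints,
    and strings such as "YES" left by `defaults write` without -bool."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() in ("1", "yes", "true")
    return False  # key missing or of an unexpected type


def audit_loginwindow(plist_bytes):
    """Classify a com.apple.loginwindow plist (XML or binary format).

    "ok"    - DisableFDEAutoLogin is on
    "gap"   - general auto-login is disabled, but the FileVault
              unlock still logs the unlocking user straight in
    "unset" - neither setting is on
    """
    prefs = plistlib.loads(plist_bytes)  # format is auto-detected
    if _enabled(prefs.get(FDE_KEY)):
        return "ok"
    if _enabled(prefs.get(GENERAL_KEY)):
        return "gap"
    return "unset"


# Constructed sample plists (not taken from a real machine).
SAMPLE_OK = plistlib.dumps({FDE_KEY: True, GENERAL_KEY: True})
SAMPLE_GAP = plistlib.dumps({GENERAL_KEY: True}, fmt=plistlib.FMT_BINARY)
SAMPLE_STRING = plistlib.dumps({FDE_KEY: "YES"})
SAMPLE_UNSET = plistlib.dumps({"SHOWFULLNAME": True})

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("gap", SAMPLE_GAP),
                       ("string", SAMPLE_STRING), ("unset", SAMPLE_UNSET)]:
        print(name, "->", audit_loginwindow(blob))
```
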