The macOS system must disable unattended or automatic log on to the system.

STIG ID: APPL-14-002066  |  SRG: SRG-OS-000480-GPOS-00229 | Severity: medium |  CCI: CCI-000366

Vulnerability Discussion

Automatic logon must be disabled.

When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.

Check

Verify the macOS system is configured to disable unattended or automatic logon to the system with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS

If the result is not "true", this is a finding.

Fix

Configure the macOS system to disable unattended or automatic logon to the system by installing the "com.apple.loginwindow" configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.