Hi all,
Wanted to quickly share this with you all. I've found that a few computers on our estate had been set by people unknown to autologin, which is a big security nightmare! A little digging, an extension attribute, a smart group and a script have solved this nicely. None of this is too complicated, but it is effective.
Let's start with the extension attribute. Paste in the following code:
#!/bin/bash
# Script to detect if autologin has been set on a target mac.
# Author : r.purves@arts.ac.uk
# Version 1.0 : 30-01-2013 - Initial Version
# Check if /etc/kcpassword exists and report findings
if [ -f /etc/kcpassword ]; then
    echo "<result>Enabled</result>"
else
    echo "<result>Disabled</result>"
fi
# All done!
exit 0
Next, set up a new smart group. All it has to do is look for this setting as "Enabled".
You'll need the following script to do the work:
#!/bin/bash
# Script to disable auto login on a target mac.
# Author : r.purves@arts.ac.uk
# Version 1.0 : 30-01-2013 - Initial Version
# Delete the section of the loginwindow plist that enables it
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
# Delete the file containing the cached password
# (-f so the script does not error if the file has already been removed)
rm -f /etc/kcpassword
# All done!
exit 0
Now you just need a policy to tie all this together. I've ours set to run on the "every15" trigger and set to "Ongoing". The policy is scoped to the smart group you set up earlier; it runs the script above and updates the inventory.
That'll stop them tinkering!
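
An added example, not part of the original post: a variant of the extension attribute that checks both artefacts the remediation script removes (the autoLoginUser key and /etc/kcpassword), so a half-configured or half-cleaned machine is also reported. The function name, the optional root argument and the result strings are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original post): report both auto-login
# artefacts instead of only /etc/kcpassword.
# The optional first argument is a hypothetical root prefix, so the check
# can be pointed at a mounted volume or a test directory.

autologin_state() {
    root="${1:-}"
    plist="${root}/Library/Preferences/com.apple.loginwindow"
    kcfile="${root}/etc/kcpassword"
    has_file="no"

    # autoLoginUser holds the short name of the account that logs in.
    # The read fails (non-zero exit) when the key is absent.
    user=$(defaults read "$plist" autoLoginUser 2>/dev/null) || user=""

    # kcpassword holds the cached password (obfuscated, not encrypted),
    # so a leftover file matters even when the key is gone.
    if [ -f "$kcfile" ]; then
        has_file="yes"
    fi

    if [ -n "$user" ] && [ "$has_file" = "yes" ]; then
        echo "Enabled ($user)"
    elif [ -n "$user" ]; then
        echo "Key only ($user)"
    elif [ "$has_file" = "yes" ]; then
        echo "Stale kcpassword"
    else
        echo "Disabled"
    fi
}

# Extension attribute output for the boot volume.
echo "<result>$(autologin_state)</result>"
```

With this variant the smart group should match any value other than "Disabled" rather than the exact string "Enabled".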