macOS Disable Guest Account Login

What the Guest Account Disabler does

This Automox Worklet™ disables the built-in guest account on macOS endpoints. The guest account allows anyone with physical access to log into the computer without providing credentials, creating a temporary session that is erased upon logout.

The Worklet modifies the com.apple.loginwindow preferences to set GuestEnabled to false, which removes the Guest User option from the login screen and prevents guest sessions.

apple.loginwindow.plist", "/Library/Preferences/com.apple.loginwindow".

Why disable guest account access on macOS

Guest accounts allow anyone with physical access to your macOS endpoints to bypass authentication and access the system. Attackers who gain physical access to an unlocked endpoint or steal a endpoint can use the guest account to access sensitive data, install malware, or exfiltrate confidential information without needing valid credentials.

Organizations with compliance requirements for user accountability cannot tolerate anonymous access through guest accounts. HIPAA, PCI-DSS, and SOC 2 compliance frameworks require that all endpoint access be traceable to specific authenticated users. Guest accounts violate these requirements by allowing untraceable anonymous sessions.

Disabling guest accounts strengthens your security posture by eliminating an authentication bypass mechanism. Combined with screen lock policies and full disk encryption, this configuration protects your macOS endpoints from unauthorized physical access attempts.

How guest account management works

1. Evaluation phase: The Worklet reads the GuestEnabled value from /Library/Preferences/com.apple.loginwindow.plist. If the value is not 0 (false), the guest account is enabled and the endpoint is flagged for remediation.

2. Remediation phase: The Worklet uses defaults write to set GuestEnabled to false in the login window preferences. The change takes effect immediately, removing the Guest User option from the login screen without requiring a reboot.

Guest account management requirements

• macOS endpoint (workstation or server)

• Administrative privileges for modifying system preferences

• No active guest sessions at the time of remediation

Expected login behavior after guest account removal

After remediation, the guest account option no longer appears at the macOS login screen. Users must authenticate with valid credentials tied to a specific user account. Anonymous or guest access is completely disabled across all affected endpoints.

The Worklet confirms successful guest account removal through the remediation phase output. IT operations teams can verify the change by checking the Users and Groups settings or reviewing the Automox console for Worklet execution results showing the guest account is disabled.

How to validate disable guest account login changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable guest account login.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as defaults, else, exit, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for disable guest account login. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as defaults, else, exit. Use these indicators to verify that endpoint changes match intended policy outcomes.