Disable the macOS guest account at the login window to block anonymous, credential-free access to endpoints
This Automox Worklet™ disables the built-in guest account on macOS endpoints by writing the GuestEnabled preference to /Library/Preferences/com.apple.loginwindow.plist. The macOS guest account is an Apple-provided login that grants a temporary, credential-free session and wipes its home directory on logout. On a managed fleet, that account is an authentication bypass waiting to be used.
The Worklet uses the standard defaults command, so the change persists across reboots and survives most macOS minor updates. The Guest User tile is removed from the login window the next time loginwindow restarts, typically on the next reboot or logout. The script is idempotent, so the Worklet can run on a recurring policy without re-flipping a value that is already correct.
The Worklet ships with no parameters to configure. Target it at any endpoint group where guest login should not be available, typically all corporate-managed Macs, kiosks, shared-use workstations, and lab endpoints.
An enabled guest account is the cheapest physical-access attack path on a Mac. Anyone with physical access to a powered-on endpoint can click Guest User, land in a full macOS session, mount external media, exfiltrate unencrypted data, attempt USB-based persistence, and chain known local-privilege-escalation flaws against a logged-in shell.
CIS Benchmark for macOS control 6.1.2 (Disable Guest Account Login) and the corresponding NIST 800-53 AC-2 user-account rules both require this preference to be off. HIPAA, PCI-DSS, and SOC 2 controls that require every endpoint session to map to a named, authenticated user are violated the moment GuestEnabled is true on a single in-scope Mac.
This Worklet writes GuestEnabled=false to /Library/Preferences/com.apple.loginwindow.plist on every Mac in scope so the Guest User entry no longer appears on the login screen after loginwindow restarts. The change is idempotent: endpoints already in the desired state return immediately, and any Mac where guest login is re-enabled through System Settings or a recovery workflow reverts at the next evaluation. The activity log captures the exit status and the script output, giving the CIS macOS 6.1.2 and NIST 800-53 AC-2 controls fleet-wide audit evidence.
Evaluation phase: The Worklet runs defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled and compares the value to 0. If the value is anything other than 0 (1, true, or the key missing) the endpoint prints "Guest user is not disabled." and exits 1, and Automox flags the endpoint for remediation. If the value is already 0 the endpoint exits 0 and reports compliant.
Remediation phase: The Worklet re-reads GuestEnabled, and on a non-compliant endpoint runs defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false. The login window picks up the change the next time loginwindow restarts, so the Guest User tile is removed on the next logout or reboot. The next scheduled evaluation reports the endpoint as compliant and the Worklet exits without taking action again.
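The evaluation and remediation phases described above, together with the single-endpoint verification, written out as one Bash file. This is an added example, not the Worklet's own code (an Automox Worklet keeps evaluation and remediation as separate scripts). Two hooks are assumptions for the illustration rather than Automox settings: a WORKLET_PHASE environment variable selects which phase runs, and DEFAULTS_CMD lets a stand-in for /usr/bin/defaults be substituted so the decision logic can be exercised off a Mac. The domain is given as /Library/Preferences/com.apple.loginwindow, which defaults accepts with or without the .plist suffix.

```bash
#!/bin/bash
# Added example, not the Worklet's own code: the evaluation and remediation
# phases for the GuestEnabled preference in one file. WORKLET_PHASE and
# DEFAULTS_CMD are assumed hooks for this illustration, not Automox settings:
# WORKLET_PHASE selects the phase to run; DEFAULTS_CMD lets a stand-in for
# /usr/bin/defaults be substituted when exercising the logic off a Mac.

PLIST="/Library/Preferences/com.apple.loginwindow"
KEY="GuestEnabled"
DEFAULTS_CMD="${DEFAULTS_CMD:-/usr/bin/defaults}"

# Print the raw GuestEnabled value as defaults renders it (a boolean shows
# as 0 or 1), or the word "missing" when the key or plist is absent, which
# makes defaults read exit non-zero.
read_guest_enabled() {
    local value
    if value="$("$DEFAULTS_CMD" read "$PLIST" "$KEY" 2>/dev/null)"; then
        printf '%s\n' "$value"
    else
        printf 'missing\n'
    fi
}

# Map a raw value to compliant/noncompliant using the rule on the page: only
# 0 is compliant; 1, true, or a missing key all mean guest login is available.
classify_guest_value() {
    case "$1" in
        0) printf 'compliant\n' ;;
        *) printf 'noncompliant\n' ;;
    esac
}

# Evaluation phase: exit 0 when compliant, otherwise print the message the
# page shows in the activity log and exit 1 so Automox flags the endpoint.
evaluate() {
    local raw
    raw="$(read_guest_enabled)"
    if [ "$(classify_guest_value "$raw")" = "compliant" ]; then
        echo "GuestEnabled is 0; endpoint is compliant."
        return 0
    fi
    echo "Guest user is not disabled."
    return 1
}

# Remediation phase: re-read first so a recurring policy never rewrites a
# value that is already correct, then set the key to boolean false.
remediate() {
    local raw
    raw="$(read_guest_enabled)"
    if [ "$(classify_guest_value "$raw")" = "compliant" ]; then
        echo "Already compliant (GuestEnabled=$raw); nothing to do."
        return 0
    fi
    if ! "$DEFAULTS_CMD" write "$PLIST" "$KEY" -bool false; then
        echo "Failed to write GuestEnabled; is this running as root?" >&2
        return 1
    fi
    echo "GuestEnabled set to false (was: $raw); the Guest User tile disappears once loginwindow restarts."
    return 0
}

# Phase dispatch; with WORKLET_PHASE unset nothing runs, so the functions can
# be sourced and exercised on their own.
case "${WORKLET_PHASE:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```

On a Mac, `sudo WORKLET_PHASE=evaluate ./guest.sh` reproduces the evaluation phase (exit 1 means non-compliant) and `sudo WORKLET_PHASE=remediate ./guest.sh` the remediation phase; root is needed because the plist lives under /Library/Preferences. Note that the classification deliberately treats a missing key as non-compliant rather than assuming a safe default, which is what makes a freshly imaged Mac show up for remediation on its first evaluation.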
macOS workstation or server endpoint enrolled in Automox; the catalog targets the Mac OS family
Automox agent running as root, the default agent context on macOS, which is required to write /Library/Preferences/com.apple.loginwindow.plist
No active guest session at the time of remediation; defaults write succeeds during a guest session, but the Guest User tile is only removed after loginwindow restarts on the next logout or reboot
No conflicting MDM configuration profile pinning DisableGuestAccount or GuestEnabled; an MDM-managed preference takes precedence and will overwrite this Worklet on each profile refresh, so retire the conflicting profile first
FixNow compatible, so you can run on demand from the Automox console against a single endpoint to confirm behavior before scheduling fleet-wide
After the Worklet runs and loginwindow restarts on the next logout or reboot, the Guest User tile no longer appears on the macOS login window or the fast-user-switching menu. Every interactive login must use a named local or directory-bound account, which means every session is traceable to a specific user in unified logs and in any SIEM that consumes macOS audit records. Anonymous, credential-free access to the endpoint is closed.
To verify on a single endpoint, run defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled and confirm the value is 0. For audit evidence, capture the Automox activity log entry showing the Worklet evaluation exit 0 and store it with the policy run identifier; that record contributes evidence toward CIS macOS 6.1.2, NIST 800-53 AC-2 (1), HIPAA 164.312(a)(2)(i), and PCI-DSS 8.2.1 control assessments. The setting persists across reboots and across most macOS minor updates; a major macOS upgrade should be followed by an on-demand FixNow run of this Worklet to confirm the preference survived the migration.

