Disable SSH Remote Login on macOS endpoints to block port 22 shell access and shrink the fleet attack surface
This Automox Worklet™ disables the macOS Remote Login service on the target endpoint. Remote Login is the System Settings toggle that controls the built-in SSH listener on port 22, so turning it off stops the endpoint from accepting any inbound SSH connection until an administrator explicitly re-enables the service.
The Worklet drives Apple's systemsetup utility. It calls systemsetup -getremotelogin to read the current state, parses the third field of the response with awk, and only triggers remediation when the value comes back as On. The remediation step runs systemsetup -f -setremotelogin off, which writes the change without the interactive confirmation prompt that macOS otherwise shows from the command line.
Local terminal use, MDM check-ins, and the Automox agent's own communication channels are untouched. The Worklet only closes the inbound network path that ssh and sftp clients would use to reach the endpoint from across the LAN or the public internet.
An enabled Remote Login service publishes an SSH daemon on TCP 22 that authenticates against local macOS user accounts. Attackers scanning the network for port 22 see a credential-accepting service and immediately have a target for password spraying, stolen-credential replay, and exploitation of any unpatched OpenSSH CVE the endpoint has not yet picked up. The risk compounds on laptops that move between trusted corporate networks and untrusted coffee-shop or hotel networks where inbound port 22 is reachable from anything on the same broadcast domain. The CIS macOS Benchmark calls for Remote Login to be disabled on endpoints that do not have a documented administrative need for SSH access.
This Worklet runs systemsetup -setremotelogin off on every Mac in scope, which closes the port 22 listener without requiring a reboot. Repeat runs on already-hardened endpoints finish in milliseconds, and a developer who flips Remote Login back on to debug a side project surfaces in the activity log at the next evaluation rather than at the next audit. Each policy run also produces deterministic, fleet-wide evidence for the CIS macOS Benchmark Remote Login control.
Evaluation phase: The Worklet runs systemsetup -getremotelogin and pipes the output to awk '{print $3}' to capture the third whitespace-delimited token, which is either On or Off. If the value equals On, the script prints "Remote Login is enabled. Exiting for remediation." and exits with code 1, signaling Automox that the endpoint is non-compliant. If the value is Off, the script exits 0 and the endpoint is reported compliant without further action.
Remediation phase: When the evaluation returned non-compliant, the remediation script re-reads the state, prints "Remote Login is enabled. Disabling." to stdout, and runs systemsetup -f -setremotelogin off. The -f flag forces the change without prompting for confirmation, which is required for the Worklet to complete in an unattended context. systemsetup tears down the active SSH listener and stops it from coming back on the next boot. The next evaluation reports the endpoint as compliant with no further changes.
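The evaluation and remediation phases described above, written out as one Bash script. This is an added example, not the Worklet's own script or Automox code; the SYSTEMSETUP override variable, the exit code 2 for an unreadable state, and the post-remediation re-check are assumptions of this example.

```shell
#!/bin/bash
# Added example of the evaluation/remediation flow; not the Worklet's own script.
# Assumes systemsetup prints "Remote Login: On" or "Remote Login: Off".
# SYSTEMSETUP may be overridden for testing (this example's convention).
SYSTEMSETUP="${SYSTEMSETUP:-/usr/sbin/systemsetup}"

# Extract the state token from a "Remote Login: <state>" line, using the same
# third-field awk expression the Worklet relies on.
remote_login_state_from_output() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Query the live state; stderr is silenced so a missing binary yields "".
current_remote_login_state() {
    remote_login_state_from_output "$("$SYSTEMSETUP" -getremotelogin 2>/dev/null)"
}

# Evaluation: 0 = compliant (Off), 1 = non-compliant (On), 2 = state unreadable.
# Automox treats 1 as "needs remediation"; 2 stops an unparseable result from being reported as compliant.
evaluate_remote_login() {
    case "$(current_remote_login_state)" in
        Off) echo "Remote Login is already off."; return 0 ;;
        On)  echo "Remote Login is enabled. Exiting for remediation."; return 1 ;;
        *)   echo "Could not determine Remote Login state." >&2; return 2 ;;
    esac
}

# Remediation: disable the service unattended (-f skips the confirmation
# prompt) and re-read the state so a silent failure still exits non-zero.
remediate_remote_login() {
    if [ "$(current_remote_login_state)" != "On" ]; then
        echo "Remote Login is already off. Nothing to do."; return 0
    fi
    echo "Remote Login is enabled. Disabling."
    if ! "$SYSTEMSETUP" -f -setremotelogin off; then
        echo "systemsetup failed to disable Remote Login." >&2
        return 1
    fi
    if [ "$(current_remote_login_state)" != "Off" ]; then
        echo "Remote Login still reports On after remediation." >&2
        return 1
    fi
    echo "Remote Login disabled; the TCP 22 listener is down."
}

# Dispatcher: run as "evaluate" or "remediate" (remediation needs root).
case "${1:-}" in
    evaluate)  evaluate_remote_login ;;
    remediate) [ "$(id -u)" -eq 0 ] || { echo "Run as root." >&2; exit 1; }
               remediate_remote_login ;;
esac
```

Wire the script into the Worklet as the evaluation script with the argument evaluate and as the remediation script with remediate; exit code 1 from evaluation is what tells Automox to run remediation.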
- Any actively supported macOS release on Intel or Apple silicon (the systemsetup utility ships with the OS and has been stable since macOS 10.6)
- Root privileges, which the Automox agent already runs with by default; systemsetup refuses to change Remote Login under a standard user account
- Confirmation that no operational workflow depends on inbound SSH to the endpoint (build agents, remote support tooling, or per-host automation that still uses ssh should be migrated to the Automox agent first)
- On macOS 13 and later, awareness that the equivalent System Settings toggle lives under General > Sharing > Remote Login, which is where end users will look if they need to verify the change manually
- Exit codes: 0 means Remote Login is already off, 1 from evaluation signals that remediation is needed, and a non-zero exit from systemsetup during remediation means the change failed and the endpoint should be investigated
Once the Worklet completes, systemsetup -getremotelogin returns "Remote Login: Off" and the endpoint no longer listens on TCP 22. Inbound ssh, sftp, and scp connections are refused at the TCP level with a connection-refused error rather than reaching a credential prompt. The General > Sharing > Remote Login toggle in System Settings shows the service as disabled.
Validate from a second endpoint on the same network with ssh -v user@<endpoint> and confirm the connection is refused immediately. On the endpoint itself, run sudo lsof -i :22 to confirm no process is bound to the port. The Automox console activity log captures the Worklet's stdout, including the "Remote Login is enabled. Disabling." message, which serves as audit evidence that remediation ran. Re-running the policy after remediation produces an exit code 0 evaluation result, which is the compliance signal to feed into the CIS macOS Benchmark scorecard for this control.
Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.