
Disable Remote Login

Disable SSH Remote Login on macOS endpoints to block port 22 shell access and shrink the fleet attack surface

Worklet Details

What the macOS Remote Login disabler does

This Automox Worklet™ disables the macOS Remote Login service on the target endpoint. Remote Login is the System Settings toggle that controls the built-in SSH listener on port 22, so turning it off stops the endpoint from accepting any inbound SSH connection until an administrator explicitly re-enables the service.

The Worklet drives Apple's systemsetup utility. It calls systemsetup -getremotelogin to read the current state, parses the third field of the response with awk, and only triggers remediation when the value comes back as On. The remediation step runs systemsetup -f -setremotelogin off, which writes the change without the interactive confirmation prompt that macOS otherwise shows from the command line.

Local terminal use, MDM check-ins, and the Automox agent's own communication channels are untouched. The Worklet only closes the inbound network path that ssh and sftp clients would use to reach the endpoint from across the LAN or the public internet.

Why disable Remote Login on macOS endpoints

An enabled Remote Login service publishes an SSH daemon on TCP 22 that authenticates against local macOS user accounts. Attackers scanning the network for port 22 see a credential-accepting service and immediately have a target for password spraying, replay of stolen credentials, and exploitation of any OpenSSH vulnerability the endpoint has not yet been patched for. The risk compounds on laptops that move between trusted corporate networks and untrusted coffee-shop or hotel networks, where inbound port 22 is reachable from anything on the same broadcast domain. The CIS macOS Benchmark calls for Remote Login to be disabled on endpoints that do not have a documented administrative need for SSH access.

This Worklet runs systemsetup -f -setremotelogin off on every Mac in scope, which closes the port 22 listener without requiring a reboot. Repeat runs on already-hardened endpoints finish almost instantly, and a developer who flips Remote Login back on to debug a side project surfaces in the activity log at the next evaluation rather than at the next audit. Each policy run yields a deterministic per-endpoint result that can be used as evidence for the CIS macOS Benchmark Remote Login control.

How macOS Remote Login disabling works

  1. Evaluation phase: The Worklet runs systemsetup -getremotelogin and pipes the output to awk '{print $3}' to capture the third whitespace-delimited token, which is On or Off when the command succeeds. If the value equals On, the script prints "Remote Login is enabled. Exiting for remediation." and exits with code 1, signaling Automox that the endpoint is non-compliant. If the value is Off, the script exits 0 and the endpoint is reported compliant without further action. Note that any other token (for example the first word of a systemsetup error message) also falls through to exit 0, so a systemsetup failure during evaluation is reported as compliant; check the captured stdout if an endpoint you expect to be non-compliant never triggers remediation.

  2. Remediation phase: When the evaluation returned non-compliant, the remediation script re-reads the state, prints "Remote Login is enabled. Disabling." to stdout, and runs systemsetup -f -setremotelogin off. The -f flag forces the change without prompting for confirmation, which is required for the Worklet to complete in an unattended context. systemsetup tears down the active SSH listener and stops it from coming back on the next boot. The next evaluation reports the endpoint as compliant with no further changes.
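The two phases above, written out as one Bash script with the same parsing and the same exit codes. This is an added example, not the Worklet's own code: the function names, the SYSTEMSETUP override variable (there so the parsing can be exercised on a machine without systemsetup) and the "Unknown" state for unparseable output are assumptions of this example, as is the guarded dispatch at the bottom.

```shell
#!/bin/bash
# Added example modelled on the Worklet's evaluation/remediation pair.
# SYSTEMSETUP is an assumption of this example: it defaults to the real
# binary but can point at a stub for offline testing.
SYSTEMSETUP="${SYSTEMSETUP:-/usr/sbin/systemsetup}"

# Take the raw output of "systemsetup -getremotelogin" ("Remote Login: On")
# and return On, Off, or Unknown. Anything that is not On/Off (an error
# message, an empty string) maps to Unknown instead of being treated as Off.
remote_login_state_from_output() {
    local state
    state=$(printf '%s\n' "$1" | awk '/^Remote Login:/ {print $3}')
    case "$state" in
        On|Off) printf '%s\n' "$state" ;;
        *)      printf 'Unknown\n' ;;
    esac
}

# Query the live state through systemsetup (stderr folded in so an error
# message lands in the parser rather than on the console).
get_remote_login_state() {
    remote_login_state_from_output "$("$SYSTEMSETUP" -getremotelogin 2>&1)"
}

# Evaluation phase: 0 = compliant (Off), 1 = needs remediation (On),
# 2 = state could not be determined (surface this instead of exit 0).
evaluate() {
    case "$(get_remote_login_state)" in
        Off) echo "Remote Login is disabled. Compliant."; return 0 ;;
        On)  echo "Remote Login is enabled. Exiting for remediation."; return 1 ;;
        *)   echo "Could not determine Remote Login state."; return 2 ;;
    esac
}

# Remediation phase: re-read the state, disable with -f (no confirmation
# prompt), then re-read again so a refused change is reported as failure.
remediate() {
    if [ "$(get_remote_login_state)" != "On" ]; then
        echo "Remote Login is already off."
        return 0
    fi
    echo "Remote Login is enabled. Disabling."
    "$SYSTEMSETUP" -f -setremotelogin off || return 1
    [ "$(get_remote_login_state)" = "Off" ]
}

# Dispatch only when invoked with a phase name, so sourcing the file for
# testing runs nothing. Usage: sudo ./remote_login.sh evaluate|remediate
case "${1:-}" in
    evaluate)  evaluate ;;
    remediate) remediate ;;
esac
```

Run it as root on the endpoint with `evaluate` or `remediate` as the single argument. The post-change re-read in `remediate` is the part worth keeping even if you trim the rest: on macOS 13 and later systemsetup can refuse the change when the calling process lacks Full Disk Access, and without that second read the script would exit 0 with Remote Login still on.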

macOS Remote Login disabling requirements

  • Any actively supported macOS release on Intel or Apple silicon (the systemsetup utility ships with the OS and has been stable since macOS 10.6)

  • Root privileges, which the Automox agent already runs with by default; systemsetup refuses to change Remote Login under a standard user account. On macOS 13 and later the calling process also needs Full Disk Access, so if the agent has not been granted that TCC permission, systemsetup refuses the change and the remediation exits non-zero

  • Confirmation that no operational workflow depends on inbound SSH to the endpoint (build agents, remote support tooling, or per-host automation that still uses ssh should be migrated to the Automox agent first)

  • On macOS 13 and later, awareness that the equivalent System Settings toggle lives under General > Sharing > Remote Login, which is where end users will look if they need to verify the change manually

  • Exit codes: 0 means Remote Login is already off, 1 from evaluation signals remediation is needed, and a non-zero exit from systemsetup during remediation means the change failed and the endpoint should be investigated

Expected state after Remote Login is disabled

Once the Worklet completes, systemsetup -getremotelogin returns "Remote Login: Off" and the endpoint no longer listens on TCP 22. Inbound ssh, sftp, and scp connections fail at the TCP layer with a connection-refused error (the kernel answers the SYN with a RST) rather than reaching a credential prompt; if the macOS application firewall's stealth mode is enabled, the probe times out instead of being refused. The General > Sharing > Remote Login toggle in System Settings shows the service as disabled.

Validate from a second endpoint on the same network with ssh -v user@<endpoint> and confirm the connection is refused immediately. On the endpoint itself, run sudo lsof -i :22 to confirm no process is bound to the port. The Automox console activity log captures the Worklet's stdout, including the "Remote Login is enabled. Disabling." message, which serves as audit evidence that remediation ran. Re-running the policy after remediation produces an exit code 0 evaluation result, which is the compliance signal to feed into the CIS macOS Benchmark scorecard for this control.

Screenshots in the Automox console: evaluation script; remediation script.

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
