Disable Remote Login

What the SSH remote login disabler does

This Automox Worklet™ disables remote login functionality on macOS endpoints by modifying the system's SSH configuration. The Worklet uses native macOS system commands to evaluate the current remote login status and, if enabled, applies the remediation to turn off SSH access.

Remote login on macOS is controlled through the systemsetup utility, which allows administrators to toggle SSH access at the system level. By disabling this feature, you prevent malicious actors from establishing remote shell sessions to your endpoints.

Why disable SSH remote login access

SSH remote login services expose macOS endpoints to network-based authentication attacks. Attackers who can reach port 22 on your endpoints attempt brute force password guessing, exploit SSH vulnerabilities, and leverage stolen credentials to gain remote command-line access. Remote login services that remain enabled without business justification create unnecessary entry points for attackers.

Organizations managing endpoints through modern platforms like Automox do not need SSH enabled on user endpoints. Keeping SSH active on workstations and laptops increases your attack surface without providing operational benefits. Administrative access through your endpoint management platform provides the necessary control without exposing SSH to the network.

Network-accessible SSH services require constant security monitoring for failed authentication attempts, version vulnerabilities, and configuration weaknesses. Disabling SSH on endpoints that do not require it reduces the complexity of security monitoring and eliminates a common target for automated attack tools.

How SSH remote login disabling works

1. Evaluation phase: The Worklet runs systemsetup -getremotelogin and parses the output using awk to determine whether remote login is currently enabled (On) or disabled (Off). If the status is On, the Worklet signals that remediation is required.

2. Remediation phase: If remote login is enabled, the Worklet executes systemsetup -f -setremotelogin off to disable SSH access. The -f flag forces the change without requiring user confirmation, allowing the Worklet to complete silently.

SSH remote login remediation requirements

• macOS 10.6 or later (all modern versions supported)

• Root or administrator privileges to modify system settings

• The systemsetup utility available on the endpoint (standard on all macOS installations)

• awk command-line tool for parsing (included in macOS by default)

• Compatible with workstations and servers

Expected remote access state

After remediation, SSH remote login is completely disabled on macOS endpoints. The endpoint no longer listens on port 22 and does not accept SSH connection attempts. Local command-line access through the Terminal application continues functioning normally. Your endpoint management platform maintains full control through its own communication channels.

The Worklet verifies SSH is disabled through its evaluation check. IT operations teams can confirm the setting by attempting SSH connections to affected endpoints, checking System Preferences under Sharing, or reviewing Worklet execution results in the Automox console.

How to validate disable remote login changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable remote login.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as systemsetup, else, exit, then rerun evaluation for compliance.