Enable Secure Keyboard Entry

What the secure keyboard entry enabler does

This Automox Worklet™ enables Secure Keyboard Entry for the console user on macOS endpoints. Secure Keyboard Entry is a built-in macOS Terminal security feature that isolates keyboard input from other processes, preventing local applications and network-based keyloggers from detecting what is typed into Terminal.

The Worklet reads the current Secure Keyboard Entry status for the active user's Terminal application by querying the Terminal defaults database. If Secure Keyboard Entry is disabled, the Worklet enables it using the defaults write command with the SecureKeyboardEntry preference set to true.

Why protect keyboard input from capture

Malicious applications with accessibility permissions can capture keyboard input in macOS Terminal sessions. Keyloggers and spyware use these accessibility APIs to record passwords, command-line credentials, SSH keys, and other sensitive data entered by administrators. This information allows attackers to escalate privileges and move laterally through your environment.

Secure keyboard entry prevents other applications from monitoring what users type in Terminal windows. When enabled, macOS blocks all keyboard event monitoring for Terminal sessions, protecting sensitive data like database passwords, API keys, and encryption passphrases that administrators frequently enter at the command line.

How secure keyboard entry enforcement works

1. Evaluation phase: The Worklet identifies the currently logged-in console user and queries the Terminal application defaults database to check the current value of SecureKeyboardEntry. If the value is 0 (disabled), the evaluation fails and the Worklet proceeds to remediation.

2. Remediation phase: The Worklet writes SecureKeyboardEntry as a boolean true value to the Terminal application defaults for the console user, enabling Secure Keyboard Entry immediately.

Secure keyboard entry requirements

• macOS 10.7 (Lion) or later

• Must run as the console user (automatically detected)

• RunNow compatible for immediate execution

• No additional macOS security permissions required beyond standard user defaults access

Expected Terminal security behavior

After remediation, Terminal.app blocks external applications from monitoring keyboard input. Administrators can continue using Terminal normally while their keystrokes remain protected from accessibility-based keyboard capture. The secure keyboard entry setting persists across reboots and user sessions.

You can verify the configuration by checking Terminal preferences or reviewing Worklet output in the Automox console. The setting activates immediately upon remediation, protecting all subsequent Terminal sessions from keyboard monitoring attempts.Secure Keyboard Entry checkbox is enabled.

How to validate enable secure keyboard entry changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for enable secure keyboard entry.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as sudo, else, exit, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for enable secure keyboard entry. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as sudo, else, exit. Use these indicators to verify that endpoint changes match intended policy outcomes.