Enable Secure Keyboard Entry in macOS Terminal to block keylogger capture of passwords, SSH passphrases, and tokens
This Automox Worklet™ enables Secure Keyboard Entry for the active console user on macOS endpoints. Secure Keyboard Entry is a built-in Terminal.app protection that switches the system into secure event input mode while a Terminal window has focus, so keystrokes are withheld from event taps and other event-monitoring APIs. With the setting on, keyloggers that rely on those APIs (including apps that have been granted Accessibility or Input Monitoring permission) cannot capture what a user types at a shell prompt, and remote-control utilities that observe keyboard events lose the same visibility. The protection covers keystrokes, not pixels: a screen recorder can still see commands that Terminal echoes, while passwords that sudo and ssh do not echo stay hidden from both.
The Worklet detects the logged-in console user using scutil against State:/Users/ConsoleUser. It then queries the Terminal preference domain with defaults read -app Terminal SecureKeyboardEntry. If the value is 0, the Worklet writes the preference back as a boolean true using defaults write -app Terminal SecureKeyboardEntry -bool true. The change is scoped to the console user, so the protection follows the human at the keyboard. Service accounts and the loginwindow state (no interactive session at the console) are skipped.
On an already-hardened user profile the defaults read evaluation returns 1 and the script exits 0 without writing anything, so a recurring policy keeps the baseline current without rewriting the preference plist on every run. The Worklet is RunNow compatible, so the same policy can also be invoked through Fix Now against a single Mac or a device group when an investigation calls for on-demand enforcement.
Terminal is where the highest-value secrets on a Mac get typed. SSH passphrases, sudo passwords, cloud CLI tokens, database connection strings, and TOTP codes pass through a shell prompt every day on a developer or administrator endpoint. Third-party apps with Accessibility or Input Monitoring permission can read those keystrokes through the same APIs that legitimate assistive software uses. Screen recorders, automation tools, productivity launchers, and keyboard utilities all qualify. A compromised app with that permission becomes a fleet-wide credential leak. The CIS Benchmark for macOS calls this out in section 2 on System Preferences hardening. Secure Keyboard Entry in Terminal sits alongside FileVault and the screen lock baseline in that control set.
Secure Keyboard Entry is stored as a per-user preference in the com.apple.Terminal domain rather than as a device-wide setting, so it has to be enforced for each account that actually sits at the keyboard. The Worklet writes the hardened SecureKeyboardEntry default into the signed-in console user's profile on every targeted Mac with no MDM profile dependency, and a recurring policy keeps the baseline in place as users sign in and out across developer laptops and shared admin endpoints.
Evaluation phase: The Worklet reads the active console user with scutil <<< "show State:/Users/ConsoleUser" and filters out the loginwindow entry so service accounts and the no-session state do not match. It then runs sudo -u $consoleUser defaults read -app Terminal SecureKeyboardEntry against that user's Terminal preference domain. If the returned value is 0, the endpoint is flagged non-compliant, the script exits 1, and Automox schedules remediation. If the value is already 1, the script exits 0 and no change is made. One caveat when adapting the check: a fresh profile has no SecureKeyboardEntry key at all, which defaults read reports as an error (non-zero exit, no value) rather than as 0; treat that case as non-compliant too, because Terminal ships with the protection off.
Remediation phase: The remediation script re-detects the console user, re-reads the SecureKeyboardEntry preference, and runs sudo -u $consoleUser defaults write -app Terminal SecureKeyboardEntry -bool true when the value is still 0. The defaults write call updates the resolved user's com.apple.Terminal domain, persisted in ~/Library/Preferences/com.apple.Terminal.plist, which Terminal.app reads at launch. The script exits 0 on success. Terminal sessions started after the write inherit the hardened setting; for a Terminal instance that was already running, confirm the check mark on Terminal > Secure Keyboard Entry before relying on it, and relaunch Terminal if it is not shown.
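The evaluation and remediation flow above, written out as one script. This is an added example, not the Worklet's own code: it assumes the Automox agent runs it as root, that scutil, defaults and sudo are the stock macOS binaries, and that the mode is chosen by the first argument (evaluate or remediate), a convention invented for the example. The console-user parsing and the compliance verdict are split into functions that run offline against constructed scutil output, so the decision logic (including the missing-key case) can be checked without a Mac.

```shell
#!/bin/bash
# Added example (not the Worklet's script): enforce Terminal SecureKeyboardEntry
# for the console user, with parsing and decision steps kept testable offline.
# Assumptions: run as root by the Automox agent; stock macOS scutil/defaults/sudo;
# first argument selects the mode (evaluate | remediate).

# Constructed samples of `scutil <<< "show State:/Users/ConsoleUser"` output:
# one with a user signed in, one for the loginwindow (nobody signed in) state.
SAMPLE_SCUTIL_LOGGED_IN='<dictionary> {
  GID : 20
  Name : alice
  UID : 501
}'
SAMPLE_SCUTIL_LOGINWINDOW='<dictionary> {
  GID : 0
  Name : loginwindow
  UID : 0
}'

# Pull the console user's short name out of scutil output. Prints nothing for the
# loginwindow state or when the key is missing, so callers treat "" as "skip".
parse_console_user() {
    printf '%s\n' "$1" | awk '$1 == "Name" && $3 != "loginwindow" { print $3 }'
}

# Map the exit status and stdout of `defaults read` to a verdict. A missing key
# (non-zero exit, empty output) is non-compliant: Terminal's default is off.
evaluate_value() {
    rc="$1"; value="$2"
    if [ "$rc" -eq 0 ] && [ "$value" = "1" ]; then
        echo compliant
    else
        echo noncompliant
    fi
}

# Offline demo over the constructed samples; returns 0 when all three behave.
demo_offline() {
    [ "$(parse_console_user "$SAMPLE_SCUTIL_LOGGED_IN")" = "alice" ] || return 1
    [ -z "$(parse_console_user "$SAMPLE_SCUTIL_LOGINWINDOW")" ] || return 1
    [ "$(evaluate_value 1 "")" = "noncompliant" ] || return 1
    return 0
}

# ---- Endpoint-side helpers (macOS only) ----

console_user() {
    parse_console_user "$(printf 'show State:/Users/ConsoleUser\n' | scutil)"
}

# Read the user's current value; stdout is the value, status is defaults' status.
read_ske() {
    sudo -u "$1" defaults read -app Terminal SecureKeyboardEntry 2>/dev/null
}

verdict_for_user() {
    if value=$(read_ske "$1"); then rc=0; else rc=$?; fi
    evaluate_value "$rc" "$value"
}

evaluate() {
    user=$(console_user)
    if [ -z "$user" ]; then
        echo "No interactive console user; nothing to evaluate"
        return 0
    fi
    if [ "$(verdict_for_user "$user")" = compliant ]; then
        echo "SecureKeyboardEntry already enabled for $user"
        return 0
    fi
    echo "SecureKeyboardEntry not enabled for $user"
    return 1    # non-zero exit tells Automox to schedule remediation
}

remediate() {
    user=$(console_user)
    [ -n "$user" ] || return 0
    if [ "$(verdict_for_user "$user")" = compliant ]; then return 0; fi
    sudo -u "$user" defaults write -app Terminal SecureKeyboardEntry -bool true
    # Re-read so the exit code reflects the persisted state, not just the write.
    [ "$(verdict_for_user "$user")" = compliant ]
}

case "${1:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```

Run it as `script.sh evaluate` in the evaluation slot and `script.sh remediate` in the remediation slot. The remediation re-reads the value after writing so that a failed write (for example, a sudo policy that blocks the user switch) surfaces as a non-zero exit instead of a false success.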
macOS 10.7 (Lion) or later; tested through current macOS releases
An interactive console user is signed in at the time of evaluation (the script skips loginwindow sessions and service accounts)
Automox agent running with root privileges, which is the default agent context on macOS
RunNow compatible, so the policy can be invoked through Fix Now for incident response
No additional entitlements and no MDM profile dependency; third-party terminal emulators are out of scope (iTerm2, for example, exposes its own Secure Keyboard Entry toggle that this Worklet does not touch)
Aligns with CIS macOS Benchmark control 2.x on Terminal Secure Keyboard Entry and complements the broader endpoint hardening baseline
After remediation, defaults read -app Terminal SecureKeyboardEntry returns 1 for the console user, and the Terminal menu shows a check mark next to Terminal > Secure Keyboard Entry. While a Terminal window has focus, any process that registered a keyboard event tap with CGEventTapCreate or uses a similar event-monitoring API stops receiving keystroke events. Secure event input is not selective about who is listening, so hotkey utilities, text expanders and remote-control tools also lose keyboard visibility while Terminal is frontmost; that is the intended trade-off, and it is worth telling users in advance. The setting persists across reboots and re-logins because it is stored in the per-user preference plist. The next Automox evaluation reports the endpoint as compliant and skips the write.
Validate from the endpoint with sudo -u $(stat -f %Su /dev/console) defaults read -app Terminal SecureKeyboardEntry, which should return 1. For audit evidence, capture the Automox activity log entry, the exit code from the evaluation script, and the post-remediation defaults read output against a sample of endpoints. Pair this Worklet with the screen lock and FileVault hardening Worklets to cover the CIS section 2 baseline end to end. If the console user opens iTerm2 or another third-party terminal, run the comparable hardening for that app; this Worklet only enforces the protection inside Terminal.app.
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.