
Display Login Window as Name and Password

Enforce macOS login to require username and password input instead of showing user list

Worklet Details

What the macOS login window name and password prompt does

This Automox Worklet™ configures macOS endpoints to display a login prompt requesting username and password input, rather than showing a list of available user accounts. The Worklet modifies the `com.apple.loginwindow` preference using the `defaults write` command-line utility.

By default, macOS login windows display all local user accounts on the system. This information disclosure allows attackers to enumerate valid usernames without attempting to log in. The Worklet eliminates this attack vector by forcing users to enter their credentials manually.


The Worklet sets the `SHOWFULLNAME` preference to `true` (boolean value 1), which activates the username and password prompt style login.

Why require name and password entry at login

Login windows that display a list of usernames make it easier for attackers to target specific accounts. When macOS shows all available usernames, attackers know exactly which accounts exist and can focus their password guessing attempts on valid users. This username enumeration reduces the attacker's work by eliminating the need to discover valid account names.

Organizations with strict security requirements configure login screens to require both username and password entry. This approach prevents username enumeration and raises the bar for an attacker, who must now know both the username and the password. Failed login attempts also give potential attackers less information when the system does not confirm whether the username exists.

Configuring the name and password login window aligns with CIS benchmarks and security best practices for macOS endpoint hardening. Combined with account lockout policies and failed login monitoring, this setting strengthens your defense against unauthorized access attempts.

How login window configuration enforcement works

  1. Evaluation phase: The Worklet reads the current `SHOWFULLNAME` preference from `/Library/Preferences/com.apple.loginwindow` and checks if it equals 1 (enabled). If the value is not 1, the Worklet returns exit status 1, indicating remediation is needed.

  2. Remediation phase: The Worklet executes `defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true` to enable the username and password prompt. This command writes the boolean value 1 to the preference file, activating the login window configuration across all user sessions on the endpoint.
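
The two phases above as a single Bash script, added here as an illustration rather than Automox's own Worklet code. The function names and the `evaluate`/`remediate` argument are assumptions; the preference domain, key and `defaults` invocations are the ones described on this page.

```bash
#!/bin/bash
# Added example (not the vendor's script). Function names are hypothetical.
PLIST_DOMAIN="/Library/Preferences/com.apple.loginwindow"
PREF_KEY="SHOWFULLNAME"

# Return 0 only when the preference reads back as 1.
# `defaults read` prints booleans as 1/0 and fails when the key is absent;
# an absent key is treated as non-compliant.
is_compliant() {
    current="$(defaults read "$PLIST_DOMAIN" "$PREF_KEY" 2>/dev/null)" || return 1
    [ "$current" = "1" ]
}

# Evaluation phase: status 0 = compliant, status 1 = remediation needed.
evaluate() {
    if is_compliant; then
        echo "Compliant: $PREF_KEY is enabled"
        return 0
    fi
    echo "Non-compliant: $PREF_KEY is not set to 1"
    return 1
}

# Remediation phase: write the boolean, then re-read it so a write that
# silently did not take effect is reported instead of assumed successful.
remediate() {
    if ! defaults write "$PLIST_DOMAIN" "$PREF_KEY" -bool true; then
        echo "Write failed: root privileges are required for $PLIST_DOMAIN" >&2
        return 2
    fi
    if ! is_compliant; then
        echo "Write completed but $PREF_KEY does not read back as 1" >&2
        return 1
    fi
    echo "Remediated: login window prompts for name and password"
}

# Run one phase when asked; with no argument the file only defines functions.
case "${1:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```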

macOS login window configuration requirements

  • macOS 10.13 (High Sierra) or later

  • Local or directory user accounts (does not affect network accounts)

  • Write access to `/Library/Preferences/com.apple.loginwindow` (requires root or sudo privileges)

  • Compatible with both WORKSTATION and SERVER endpoint types

  • No conflicts with other Automox Worklets or macOS security policies

Expected login screen behavior

After remediation, the macOS login screen displays Name and Password fields instead of showing a list of available usernames. Users must type both their username and password to authenticate. The system no longer reveals which user accounts exist on the endpoint.

The Worklet confirms successful configuration through its remediation phase. You can visually verify the change by restarting an affected endpoint and observing the login screen, or review Worklet execution results in the Automox console to confirm deployment across your macOS fleet.

How to validate display login window as name and password changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for the login window name and password setting.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using the same check as the evaluation script: `SHOWFULLNAME` in `/Library/Preferences/com.apple.loginwindow` should read as 1.

  4. Validate the effect of the remediation script's `defaults write` operation, then rerun evaluation to confirm compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
