Automatic Auto Login

Back in 2011, I wrote an article, “Terminally Geeky: use automatic login more securely,” for TUAW (now part of Engadget). In it, I described how you can use the “automatic” login feature of OS X more securely by immediately locking the screen after you are logged in.

I routinely get asked about this, mostly because many of the links and code examples in the previous article are dead (this was before I got into the much better habit of posting code snippets on GitHub). People want to know if I still have the bits of code (nope) and if it still works (yup). So I decided to post an updated version of the article, with code examples on GitHub. Unfortunately I have no way of updating the old article to link to the new article, but at least I’ll be able to point people to this when they ask.

First: Disclaimers

As I said then I will repeat now: yes, it is more secure to not use automatic login at all. If you handle Important Secrets or if your Mac is in some sort of open office setting, you probably should not use this method.

This idea is fundamentally incompatible with FileVault, because you can’t use auto-login and FileVault together.

However, if you are an average user who has a Mac securely in your apartment/house where no one is going to get it unless they break in and steal your Mac (which could happen!) and decide that you want to take the risks, please read on.

Understand that you accept all responsibility for whatever happens, and I accept none. If you do not accept those terms, stop reading now.

Locking Your Mac: The New Way

For many years there have been countless people who looked for a quick way to lock their Mac. This was especially common among people who had switched from Windows and would ask: “Windows users can use ‘Windows Key + L’ to lock their computers, how do I do that with my Mac?”

For a long time, the answer was that you couldn’t, at least nowhere near as easily, but the good news is that Macs do have something like that now. Somewhere around the time of High Sierra, macOS added the ability to lock your Mac using the keyboard shortcut Control+Command+Q (⌃⌘Q).

In High Sierra, you can do that with AppleScript:

tell application "System Events" to keystroke "q" using {command down, control down}

I’m not running Mojave, so I am not sure if you can still do that in Mojave, because Mojave is hyper-touchy when it comes to anything related to automation. If you try that, you might get some kind of authentication prompt, or you might get an error telling you that you just aren’t allowed to do that, or it might just quietly fail.

(If someone would like to try this in Mojave and let me know if it works, I’ll gladly post an update.)

You could take that AppleScript into Script Editor.app and save it as an Application called Lock Screen.app (or whatever), move it to your /Applications/ folder and set Lock Screen.app to launch on login.

However, even if that works on Mojave, I wouldn’t recommend that.

One of the long-standing features of macOS is that you can temporarily skip your login items by holding down the Shift key. Soooo… if someone did get access to your Mac, they could disable your auto login auto lock just by holding down the Shift key. Let’s not make things that easy.

You could try using that AppleScript command in launchd with something like this:

/usr/bin/osascript -e "tell application \"System Events\" to keystroke \"q\" using {command down, control down}"

But, again, the only version of macOS that I know this would work on is High Sierra. It might work on Mojave, or it might not. (Again, I’m happy to update the article if someone wants to test it and let me know.) It won’t work on older versions of macOS because the feature did not exist then.

The better solution is actually the old way.

Locking Your Mac: The Old Way

For many years (I don’t know how far back, maybe ask Stephen Hackett to check it on his 12” PowerBook G4 if you really need to know), you have been able to tell a Mac to go back to the login screen using this command:

"/System/Library/CoreServices/Menu Extras/user.menu/Contents/Resources/CGSession" -suspend

To be honest, I don’t know exactly why this works. I think it has something to do with Fast User Switching, but I’m not sure. The point is that it works, and it probably works with every Mac you have running (offer not valid for Stephen Hackett and John Moltz). It is reported to work with Mojave, too. (Thanks @jaycarroll!)

Not only that, but I think it’s a better option than Command+Control+Q because ⌃⌘Q does not show you the general login screen, it shows a lock screen specific to your user. That may not matter if you are the only user, but if you have multiple accounts, it might.

Locking Your Mac: the launchd way

To lock your Mac automatically when you log in, you’ll need to tell launchd to run that command.

Here’s the .plist you’ll need:

Save that file to something like ~/Library/LaunchAgents/com.tjluoma.autolock-on-login.plist (the exact name isn’t important, just make sure it ends with .plist or else launchd will ignore it). If the ~/Library/LaunchAgents/ folder doesn’t exist, create it first. (You knew that already, didn’t you?)

Once the file is in place, you can load it with this command in Terminal:

launchctl load ~/Library/LaunchAgents/com.tjluoma.autolock-on-login.plist

Note that as soon as you do that, it will switch to the login screen. That’s good. That’s what we want to happen.
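
The steps above as an added example (this is not the author's original file or code): a shell function that writes a LaunchAgent plist running the CGSession command from this article when the agent loads, then lint-checks it on macOS. The function name, the `Label` value and the use of `RunAtLoad` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create a per-user LaunchAgent that returns to the login
# screen as soon as the agent is loaded (i.e. at login).

CGSESSION="/System/Library/CoreServices/Menu Extras/user.menu/Contents/Resources/CGSession"
AGENT_LABEL="com.tjluoma.autolock-on-login"   # assumed; matches the file name used above

write_autolock_agent() {
    # $1 = target directory (defaults to the per-user LaunchAgents folder)
    dir="${1:-$HOME/Library/LaunchAgents}"
    plist="$dir/$AGENT_LABEL.plist"

    mkdir -p "$dir" || return 1

    # ProgramArguments is an array, so the space in "Menu Extras" needs
    # no shell quoting and no shell is involved in running the command.
    cat > "$plist" <<EOF || return 1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$AGENT_LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$CGSESSION</string>
        <string>-suspend</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF

    # Keep the agent file writable only by its owner, so no other account
    # can swap in a different command to run at your login.
    chmod 644 "$plist" || return 1

    # plutil ships with macOS only; validate the XML there.
    if [ "$(uname -s)" = "Darwin" ]; then
        plutil -lint "$plist" >/dev/null || return 1
    fi

    printf '%s\n' "$plist"
}

# Usage on the Mac: write_autolock_agent, then load the printed path with launchctl.
```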

Turn On Automatic Login

To enable auto-login, go to System Preferences.app and then “Users & Groups”.

Once there, click the “lock” icon at the bottom left and enter your password when prompted.

Then choose “Login Options”.

Next to “Automatic login:” choose the appropriate username from the drop down list.

Enter the password for that account when prompted.

Reboot your Mac and watch what happens.

Copyright 2018 Timothy J. Luoma