About the loginwindow Application

When a computer with macOS completes its initial boot process and is ready for a user to log in, the loginwindow application launches.

Note: The loginwindow application is commonly referred to as the "login window", the UI for signing in to a computer. The "login window" UI is just one of many built-in mechanisms in the loginwindow application.

As the loginwindow runs, it queries the authorization database for the “system.login.console” right. In the authorization database, a right, in this case the ability to log in at the console, has a series of mechanisms or “rules”. The loginwindow runs each mechanism to determine if the user is allowed to log in. Any mechanism can deny a login, since all mechanisms must conclude the user has been validated before the login process is complete.

Mechanisms may run as the root user or as the Security Agent user. Generally, all mechanisms that display a graphical interface should run as the Security Agent user. This special user has a limited set of permissions, which minimizes potential interaction with the system.

loginwindow mechanisms do not directly communicate with each other. The Security Server process keeps a data structure of hints and context settings that can be set and retrieved by mechanisms as they run. This allows for a process running as the Security Agent to safely hand off information to another mechanism running as root.

The actual user authentication occurs in the middle of this process. By default, several mechanisms run before the user is authenticated, and the remaining mechanisms run after authentication to prepare the computer to launch the Finder.

Mechanisms run in the order listed in the authorization database. The loginwindow does not change the order or apply any logic to the workflow. Instead, the mechanisms independently determine if an action is required.

Default loginwindow Settings

To list the loginwindow mechanisms currently installed on a computer, execute the following command:

security authorizationdb read system.login.console

The command prints the right as XML in property list (plist) format. The Mechanisms key lists the loginwindow mechanisms as an array of strings, in the order they run.

Mechanisms whose name ends in ",privileged" prompt the loginwindow to run the mechanism as the root user; all other mechanisms run as the Security Agent user.

For more information about the loginwindow mechanisms installed with Jamf Connect Login, see the loginwindow Mechanisms section.

Editing loginwindow Settings

You can use the authchanger binary that is installed with Jamf Connect Login to edit loginwindow settings. For more information, see authchanger.

You can also edit loginwindow mechanisms manually on macOS:

  1. Open Terminal, and execute the following command to save the current right to a file:

    security authorizationdb read system.login.console > newset.xml

  2. Using your preferred text editor, edit the XML mechanism array in newset.xml.

  3. Reload the list using the security command executed as root:

    sudo security authorizationdb write system.login.console < newset.xml
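The two tasks above, reading the right to see which mechanisms run as root and editing the array before writing it back, can be done with a small script instead of a text editor. The following Python example is added here and is not Jamf's or Apple's code. The plist embedded in it is a constructed, shortened sample of what `security authorizationdb read system.login.console` prints (a real computer lists more mechanisms), and the mechanism name `ExampleVendor:mechanism` used in the usage is a placeholder, not a real mechanism.

```python
"""Inspect and edit the mechanisms array of the system.login.console right.

Added example for this page, not Jamf's or Apple's code. It works on the XML
that `security authorizationdb read system.login.console` prints: a plist
dictionary whose (lowercase) "mechanisms" key is an array of strings.
"""
import plistlib
import sys

# Constructed, shortened sample of the command's output. A real computer lists
# more mechanisms; this is illustration only, not a capture from any machine.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:login-success</string>
        <string>loginwindow:success</string>
        <string>loginwindow:done</string>
    </array>
    <key>shared</key>
    <true/>
</dict>
</plist>
"""

# Mechanisms carrying this suffix are run by loginwindow as root.
PRIVILEGED_SUFFIX = ",privileged"


def load_mechanisms(plist_bytes):
    """Return the ordered list of mechanism strings from the right's plist."""
    right = plistlib.loads(plist_bytes)
    mechanisms = right.get("mechanisms", [])
    if not isinstance(mechanisms, list):
        raise ValueError("mechanisms key is not an array")
    return list(mechanisms)


def classify(mechanism):
    """Return (name, user): 'root' for ',privileged' mechanisms, else 'securityagent'."""
    if mechanism.endswith(PRIVILEGED_SUFFIX):
        return mechanism[: -len(PRIVILEGED_SUFFIX)], "root"
    return mechanism, "securityagent"


def root_mechanisms(plist_bytes):
    """Names of the mechanisms that will run as root; useful as an audit check."""
    return [name for name, user in map(classify, load_mechanisms(plist_bytes))
            if user == "root"]


def insert_mechanism(plist_bytes, new_mechanism, before):
    """Return new plist bytes with new_mechanism inserted before the mechanism `before`.

    Order matters (mechanisms run in array order), so the caller names an
    anchor explicitly. Refuses to add a duplicate or to use a missing anchor.
    """
    right = plistlib.loads(plist_bytes)
    mechanisms = right["mechanisms"]
    if new_mechanism in mechanisms:
        raise ValueError(f"{new_mechanism} is already present")
    try:
        idx = mechanisms.index(before)
    except ValueError:
        raise ValueError(f"anchor mechanism {before} not found") from None
    mechanisms.insert(idx, new_mechanism)
    return plistlib.dumps(right)


if __name__ == "__main__":
    # Read piped output of `security authorizationdb read` if present,
    # otherwise fall back to the constructed sample.
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_PLIST
    for mech in load_mechanisms(data):
        name, user = classify(mech)
        print(f"{user:14s} {name}")
    # Placeholder mechanism name, inserted just before loginwindow:done.
    edited = insert_mechanism(data, "ExampleVendor:mechanism,privileged", "loginwindow:done")
    sys.stdout.write(edited.decode())
```

Piping the real output through the script (`security authorizationdb read system.login.console | python3 thisfile.py`) prints each mechanism with the user it runs as, followed by the edited plist, which can be saved and fed to `sudo security authorizationdb write system.login.console` as in step 3. Anchoring the insert on a named mechanism rather than a numeric index keeps the edit correct when the array differs between macOS versions.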

Note: If the loginwindow application is running, you must restart it to apply your changes. If no users are currently signed in to the computer, you can close the loginwindow application as root with the following command:

sudo killall loginwindow

If a user is currently logged in to the computer, the user must log out.

Additionally, it may be useful to leave an admin user signed in to a Finder session and then use Fast User Switching to return to the loginwindow. Note that the killall command above kills any Finder sessions currently running, including your admin user's.

Note: Fast User Switching must be enabled on the computer to use this feature. Navigate to System Preferences > Users & Groups > Login Options to access this feature.

Reverting to Default loginwindow Settings

To reset the loginwindow to the default macOS loginwindow, you can use the authchanger to execute the following:

sudo /usr/local/bin/authchanger -reset

You can also use the following methods:

  • Use the security commands, as listed above, to import a working configuration.

  • Remove the SQLite database /var/db/auth.db, which contains the mechanisms. Reboot the computer after this file is removed and macOS will restore the loginwindow to its default settings. You can perform this reset in single-user mode.

Related Information

For related information, see the following sections of this guide:

© copyright 2002-2019 Jamf. All rights reserved.