Editing the macOS loginwindow Application

You can manually edit the loginwindow application in macOS using the security command.
  1. In Terminal, execute the following command: 
    security authorizationdb read system.login.console
  2. Using your preferred text editor, edit the XML mechanism array.
  3. Reload the list using the following security command executed as root: 
    sudo security authorizationdb write system.login.console < newest.xml
Note:

If the loginwindow application is running, you must restart it to apply your changes. If no users are currently signed in to the computer, you can close the loginwindow application as root with the following command: sudo killall loginwindow

If a user is currently logged in to the computer, the user must log out.

Additionally, it may be useful to leave a local administrator account logged in to a Finder session, and then Fast User Switch to the login window. Using the killall command above will kill any Finder sessions currently running, including your local administrator account.

Note:

Fast User Switching must be enabled on the computer to use this feature. Navigate to System Preferences > Users & Groups > Login Options.

Enabling and Disabling the Jamf Connect Login Window

You can enable and disable the Jamf Connect login window to help you troubleshoot issues and quickly restore the default macOS login window.

Execute one of the following commands to enable or disable the login window.
Enable the Login Window
sudo authchanger -reset -jamfconnect
Disable the Login Window
sudo authchanger -reset

Restoring the Authorization Database

If the Jamf Connect login window is not loading and other remediation steps have not worked, you can replace the authorization database by renaming the auth.db file and letting the system replace it with a default copy.

  1. Start the computer in recovery mode.
  2. From the menu bar, navigate to Utilities > Terminal.
    A Terminal window opens.
  3. Confirm the mount location and name of your computer's system drive.

    You can find the system drive location by navigating to /Volumes in Terminal, and then identifying the name of the local system drive. By default, a Mac computer's system drive name is /Volumes/Macintosh\ HD/.

  4. Rename the authorization database file by executing the following mv command:
    mv /Volumes/SYSTEM_DRIVE_NAME/var/db/auth.db /Volumes/SYSTEM_DRIVE_NAME/var/db/auth.db.bak
  5. Log out and let the computer finish startup.

The standard macOS login window displays.

Reading the loginwindow Mechanisms

To list the currently installed loginwindow mechanism on a computer, execute the following command:
security authorizationdb read system.login.console
XML in PLIST format similar to the following should display:
<key>mechanisms</key>
<array>
<string>builtin:policy-banner</string>
<string>JamfConnectLogin:LoginUI</string>
<string>JamfConnectLogin:PowerControl,privileged</string>
<string>JamfConnectLogin:CreateUser,privileged</string>
<string>JamfConnectLogin:DeMobilize,privileged</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>loginwindow:FDESupport,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>loginwindow:done</string>
<string>JamfConnectLogin:EnableFDE,privileged</string>
<string>JamfConnectLogin:KeyChainAdd,privileged</string>
</array>

The Mechanisms key lists the loginwindow settings as an array of strings. Mechanisms defined as privileged prompt the loginwindow to run the mechanism as the root user. The only built-in macOS mechanism removed by Jamf Connect is loginwindow:login, which displays the standard macOS login window.