Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Enable automatic login with automatic screen lock System
Until now, my machine hasn't used auto-login because I prefer to have the security it adds. However, if the machine had rebooted for whatever reason, I lost the ability to use any non-console apps by remote (thru VLC or their own private networkable side-interface) without physically logging into it in-person.

The solution: make the system lock the screen using your login items!

I checked, and can't find an AppleScript command to lock the screen, so I instead dragged the ScreenSaverEngine.app in /System -> Library -> Frameworks -> ScreenSaver.framework -> Versions -> A -> Resources to my Account's Login Items. This will activate the screensaver a few moments after your account is logged in. A witness to this process could start apps on your dock or possibly force kill them, but the likelyhood of being able to otherwise interact with the yet-unstarted apps before the screen goes dark is low enough that I figured others might want to know how to do this (if it isn't an old one..).

Also, I mention AppleScript because I would have liked to do it that way. For those who think Active Screen Corners are too sensitive to lock your screen, open Keychain Access' preferences, and check Show Status in Menu Bar. That menu item (appears as a lock) has at the top a "Lock Screen" menu item (this has been noted in a previous hint). However, Keychain's AppleScripting doesn't make this available like I had hoped.

[robg adds: Somewhat obviously, make sure you've enabled the "require password" option for sleep and screensavers in the Security System Preferences panel.]
    •    
  • Currently 3.29 / 5
  You rated: 3 / 5 (7 votes cast)
 
[35,913 views]  

Enable automatic login with automatic screen lock | 16 comments | Create New Account
Click here to return to the 'Enable automatic login with automatic screen lock' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Enable automatic login with automatic screen lock
Authored by: brucio on Nov 07, '06 07:44:04AM

Question: will this work if I otherwise set my screensaver to "Never" turn on? I'd like to restrict login access to the machine (which is in a semi-public space), but once logged in keep the screensaver from coming on.



[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: tirerim on Nov 08, '06 10:24:50AM

Yes, it should -- the 'Never' setting is just how long the computer will wait before activating the screensaver application when you're idle, whereas this just opens it at login.



[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: jhb on Nov 07, '06 08:00:56AM

How are about this:

/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend > /dev/null



[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: momerath on Nov 07, '06 08:37:31AM

Um, couldn't this "security" be bypassed by holding the shift key at startup?



[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: frgough on Nov 07, '06 08:48:48AM

First rule in security: If someone has physical access to the machine, it isn't secure.

For example, even if the screen was already locked, someone can just come up and pull the power cord and hold command-S when restarting the machine. All security is bypassed.

If you have an open firmware password, the person can simply open the case, pull a RAM stick and restart the machine.

This method is pretty good for locking down a machine in a trusted environment; i.e. one where you don't expect people to deliberately work at compromising your machine, but might mess you up without intending to do so or see something they shouldn't (like a payroll spreadsheet) if your machine wasn't locked at all.



[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: cougar718 on Nov 07, '06 09:27:01AM

FYI in case anyone was wondering...

Changing RAM configuration on a machine protected by the Open-Firmware Password disables the password.

---
Rick alias cougar



[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: boxcarl on Nov 07, '06 12:37:50PM

If you use FileVault though, you do have some protection, since the attacker will have to find a way to decrypt the files, which is really hard. The downside is that FileVault is a little buggy? or at least seems that way in the reports I've read.



[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: zpjet on Nov 07, '06 09:21:49AM

safe boot disables automatic login, at least in tiger.8 (goes to login window).



[ Reply to This | # ]
Script for login with automatic screen lock
Authored by: ars on Nov 07, '06 10:42:46AM
See http://www.macosxhints.com/comment.php?mode=display&format=threaded&order=ASC&pid=63858
for a shell script which you can run at log-in. You can adjust the idle time to less if you want the screen saver to kick in quicker.

[ Reply to This | # ]
Enable automatic login with automatic screen lock
Authored by: myrkr on Nov 07, '06 11:01:12AM

I use OSX-vnc to do this. It has a startup item so it can run in the background of the login screen. I can remotely login using the vnc password, and then login using the computer account. I can also lock the machine using fast user switch/login window. It is not seemless though, I usually get kicked off vnc upon logging in/out, and i must re-login the vnc session.



[ Reply to This | # ]
AppleScripting the Keychain menu
Authored by: waboom on Nov 07, '06 05:53:50PM
There is a way to script the keychain menu, but it's not through the Keychain Access application. Instead, you have to go through the UI Server, which controls all of the "menu extras" menus. Normally, you can find a particular menu extra by it's description ("iChat menu extra", for example.) However, the keychain menu extra does not register a description for itself, so if you want to access it via AppleScript, you have to do a bit more of a "kludgy" search. In this example, the script clicks on each menu extra, and looks at the first menu item. If the name of the item is "Lock Screen", then it clicks it. Note that UI Scripting has to be enabled for this to run (System Preferences->Universal Access->Enable access for assistive devices.)
activate application "SystemUIServer"
tell application "System Events"
	tell process "SystemUIServer"
		repeat with i from 1 to number of menu bar items of menu bar 1
			tell menu bar item i of menu bar 1
				click
				try
					if name of menu item 1 of front menu is "Lock Screen" then
						click menu item "Lock Screen" of front menu
						exit repeat
					end if
				end try
			end tell
		end repeat
	end tell
end tell


[ Reply to This | # ]
AppleScripting the Keychain menu
Authored by: jctull on Dec 06, '06 02:40:03PM

I knew someone else would have worked this out for me. Excellent!



[ Reply to This | # ]
Very Bad Idea
Authored by: nerkles on Nov 12, '06 10:19:39PM

This is really bad security. If an attacker has physical access to your machine, holding down shift while it automatically logs you in will disable the Login Items and then you're wide open. 

Of course if they have physical access and half a clue, you're probably screwed at that point anyway.



[ Reply to This | # ]
Caveat: Moving the mouse
Authored by: Lycestra on Oct 18, '07 12:34:23PM
There is one easy way to stop the screen lock in boot: keep the mouse moving. The screensaver engine will notice the user is still busy and won't activate. So, really, this isn't too much better than without the screensaver if you know this trick.

On the VNC route, user-based server apps (Vine Server, etc) can give you access to your desktop while a login screen is displayed (user switching required) but you'll get odd results from a context that isn't in charge (think audio and video hardware access. Some apps can crash or misbehave). This can give you to the GUI, albeit not 100% compatible, but still a step up from just command line.

Alternatively, I think if you enable Remote Desktop with VNC access enabled, that being system wide, you can actually access the login screen by remote. The downside is of course, you can't hide behind the login screen like you can with a user-bound server app, but has the advantage that its always present, and autologin isn't needed. Also, the built-in server doesn't support all the traffic-reducing features of user apps, but I think this solution will become much more useful in Leopard. Apple is touting Screen Sharing as a real feature. Imagine it combined with back-to-my-mac (personal VPN, requires .Mac)

Killer combination of features.

http://www.apple.com/dotmac/backtomymac.html


[ Reply to This | # ]
Improved solution - a login hook
Authored by: Jason209 on May 26, '08 04:46:00PM
As stated prevously, the login items can be bypassed by holding the Shift key. Because of this I have written a login hook based on Joe Mullin's Two factor authentication script. http://techgoesboom.com/archives/2004/09/29/two_factor_authentication_in_os_x.php

! Note: But it doesnt work with filevault.


#!/bin/bash
#
# LoginScreen.sh Log-in hook. Lock the screen during user log-in.
# Requires fast user switching + automatic login - no filevault. Tested on 10.5 Leopard.
#
# Note: The only thing the user sees is a blue screen, interrupted
# by the F.U.S. cube transition effect (blue screen -> blue screen).
#
# To diable the transition (all users) it is necessary to have 2 or more
# user accounts, and set differently the display settings on/for
# one of the accounts. (Either resolution or color depth).
#
# Installation
#
# To install type at the command line:
# sudo defaults write com.apple.loginwindow LoginHook "/path/to/LoginScreen.sh"
#
# To remove: (hold down 's' for single user mode)
# sudo defaults delete com.apple.loginwindow LoginHook 
# sudo rm -rf "/path/to/LoginScreen.sh"
#

thisuser="$1"
lastuser=`defaults read /Library/Preferences/com.apple.loginwindow lastUser`
autologinuser=`defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser`

# Do this to see the state of the loginwindow settings during login
cp /Library/Preferences/com.apple.loginwindow.plist /var/tmp/loginwindow.plist_$thisuser_`date "+%Y-%m-%d--%H:%M:%S"`.plist

if [ "$lastuser" == "loggedIn" ]; 
then
	logger -isf /dev/null "$thisuser $lastuser. First log-in since reboot";
	exit 0;
fi

# if this is the first time
if [ "$lastuser" == "Restart" ]; 
then
	
	if [ "$thisuser" == "$autologinuser" ]; 
	then
	
		# Continue automatic login, but also immediately go to to the "Fast-User Switching" Screen / login screen
		/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend > /dev/null;
		exit 0;
	
	fi
	
else
	logger -isf /dev/null "Already logged-in since reboot";
	exit 0;
fi




Please bear in mind that useing login hooks can render your machine un-usable. To safeguard against such events its recommended to write down the restoration command on a piece of paper. Login hooks are run as root, they can be disabled from single-user mode (press 's' on startup).

This above script is nice under normal circumstances because you dont really notice it and no "second wait" while user account is still loaded.

[ Reply to This | # ]
Improved solution - a login hook
Authored by: janpittner on Dec 01, '09 07:04:48AM

jason209 - nice script, however under Snow Leopard this causes the system to just display a blue screen after you click the 'Already Logged In User' and enter your password (logging into another account, such as the Guest Account, works fine).

Any ideas how to get this working with Snow Leopard?



[ Reply to This | # ]