Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.1 - macOS Administration Guide

Privileged Access Suite for Unix Installation Safeguard Authentication Services macOS components Safeguard Authentication Services client configuration Special macOS features Limitations on macOS Group Policy for macOS Certificate Autoenrollment Glossary

Options tab

The Options tab of the Login Properties controls miscellaneous login-related options and support the following Manage Modes: Never, Always.

The following options are supported:

  • Show password hint when needed and available

    All Safeguard Authentication Services users always have a password hint of "Active Directory Domain Password" by default. This hint is configurable in the Safeguard Authentication Services configuration policy. Users are never allowed to set a password hint on a Safeguard Authentication Services account. Local or non- Safeguard Authentication Services accounts may have a password hint which was intentionally set by the user to remind them of their password.

  • Enable automatic login

    Select to configure the operating system to boot directly to the desktop without presenting the user with a login screen. The operating system boots using the automatic login account configured locally under System Preferences, Accounts.

  • Enable console login

    By default users can type >console at the login window to drop to a terminal login. This setting allows you to disable the ability to drop to a terminal login.

  • Enable Fast User Switching

    Select to display the logged in user's name in the right-hand corner of the desktop. Selecting on the user name allows the user to switch to another account without logging out of their current desktop session.

  • Log out users after X minutes of inactivity

    Select to automatically log out a user if he has been inactive for the specified number of minutes.

  • Local administrators may refresh or disable management

    Select to allow administrators to disable or refresh login window management settings.

  • Set computer name to computer record name

    This setting affects the computer’s Bonjour name. The new Bonjour name is name-#.local where name is the computer record name you specify and # uniquely identifies the computer if there are several computers with the same Bonjour name.

  • Enable external accounts

    Select to store external accounts on removable storage devices such as a thumb-drive. You must insert the removable device before an external account can log in.

  • Enable guest account

    Select to enable a guest account to log in without a password. When the guest user logs out, the home directory, documents and settings are removed from the system.

  • Start screen saver after X minutes

    Select to modify your screen saver setting.

Access tab

The Access tab settings of the Login Properties control which users are allowed to log in and support the following management modes: Never, Always.

Safeguard Authentication Services provides unified access control across all supported Unix platforms including macOS. Because of this, you should use the Safeguard Authentication Services access control policies to manage access control. The access control policies are found in the Access Control node in the Quest Software folder under Unix Settings.

The following option is supported:

  • Local-only users may login

    Select to allow local users to log in; leave this option deselected to only allow Active Directory users to log in.

Scripts tab

The Scripts tab settings of the Login Properties control scripts that run at login and logout; and, support the following management modes: Never, Always.

You can specify shell scripts that you want to execute when a user logs in or out on macOS. Scripts are stored in the policy settings so you can browse to local files or remote hosts to select the script to use. Scripts configured through Group Policy run as root with the trust value of FullTrust.

Note: Test scripts thoroughly before deploying them with Group Policy.

The following options are supported:

  • Login script

    Specify the script to execute when the user logs in.

  • Also execute the client computer's LoginHook script

    Select to allow the LoginHook script to execute. The LoginHook script is a locally configured script that runs at login.

  • Log-Out script

    Specify the script to execute when the user logs out.

  • Also execute the client computer's LogoutHook script

    Select to allow the LogoutHook script to execute. The LogoutHook script is a locally configured script that runs at log-out.

Items tab

The Items tab settings of the Login Properties, control items that are started automatically when a user logs in and support the following management modes: Never, Once, Always.

Note: The Items tab is only available in Users Configuration.

Refer to Adding login items to run items automatically when a user logs in.

The following options are supported:

  • User may add and remove additional items

    Select to allow users to add and remove additional items by means of local configuration. You can only configure this option if the management mode is set to Always.

  • User may press Shift to keep items from opening

    Select to allow users to press shift to prevent items from opening automatically. You can only configure this option if the management mode is set to Always.

  • Merge with user's items

    Select to merge the configured items with the user's items. You can only configure this option if the management mode is set to Once.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating