The macOS system must disable FileVault automatic login.
An XCCDF Rule
Description
If FileVault is enabled, automatic login must be disabled so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing FileVault credentials.
NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon-based macOS systems that are smart card enforced, as smart cards are available at preboot.
Documentable: false
- ID: SV-268434r1034242_rule
- Severity: Medium
Remediation - Manual Procedure
Configure the macOS system to disable FileVault automatic login by installing the "com.apple.loginwindow" configuration profile.
NOTE: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.
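A pre-deployment check for the profile described above, as an added example that is not part of the STIG or its supplemental content: it parses a configuration profile and confirms that a "com.apple.loginwindow" payload sets DisableFDEAutoLogin to a boolean true. It assumes an unsigned XML .mobileconfig file; the sample profile, its identifiers and UUIDs are constructed placeholders, and `check_profile` is a hypothetical helper name.

```python
import plistlib
from xml.parsers.expat import ExpatError

PAYLOAD_TYPE = "com.apple.loginwindow"
KEY = "DisableFDEAutoLogin"

# Constructed sample profile; identifiers and UUIDs are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.stig.loginwindow</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array><dict>
      <key>PayloadType</key><string>com.apple.loginwindow</string>
      <key>PayloadIdentifier</key><string>example.stig.loginwindow.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>DisableFDEAutoLogin</key><true/>
  </dict></array>
</dict></plist>"""

def check_profile(data: bytes) -> tuple[bool, str]:
    """Return (compliant, reason) for one unsigned configuration profile."""
    try:
        profile = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:  # signed (CMS) or malformed input
        return False, f"not a readable plist: {exc}"
    if not isinstance(profile, dict):
        return False, "top-level plist object is not a dictionary"
    payloads = [
        p for p in (profile.get("PayloadContent") or [])
        if isinstance(p, dict) and p.get("PayloadType") == PAYLOAD_TYPE
    ]
    if not payloads:
        return False, f"no {PAYLOAD_TYPE} payload in profile"
    values = [p[KEY] for p in payloads if KEY in p]
    if not values:
        return False, f"{KEY} is not set in any {PAYLOAD_TYPE} payload"
    # Require a real boolean: <string>true</string> or <integer>1</integer> fail.
    if all(v is True for v in values):
        return True, f"{KEY} is true"
    return False, f"{KEY} has non-compliant value(s): {values!r}"

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE))
```

This validates the profile file before distribution; it does not show whether the profile is installed or in effect on a given Mac.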