"Automatic login disabled (macOS)" checks possibly wrong default #24415

Open
WilliamDEdwards opened this issue Dec 5, 2024 · 2 comments · May be fixed by #26346
Assignees
Labels
bug Something isn't working as documented #g-digital-experience https://fleetdm.com/handbook/digital-experience ~released bug This bug was found in a stable release. ~website Issues related to fleetdm.com

Comments

@WilliamDEdwards

WilliamDEdwards commented Dec 5, 2024

  • @noahtalerman: looks like this is a built-in policy in the UI.
    • We're getting rid of these in the UI but is it on the website too? If yes, I think we should fix it there.

The built-in "Automatic login disabled (macOS)" policy does the following query:

SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1;

According to https://developer.apple.com/documentation/devicemanagement/, the checked default com.apple.login.mcx.DisableAutoLoginClient is applicable only when "FileVault is disabled."

iMazing - the profile editor that FleetDM recommends - says the same:

Screenshot 2024-12-05 at 14 36 22

The default DisableFDEAutoLogin is applicable only when "FileVault is enabled":

Screenshot 2024-12-05 at 14 32 44

As FileVault can be enforced in Fleet itself, Fleet could dynamically adjust the query. Or, users should at least be warned about this.

Fleet version: 4.59.1

@WilliamDEdwards WilliamDEdwards added :incoming New issue in triage process. :reproduce Involves documenting reproduction steps in the issue bug Something isn't working as documented labels Dec 5, 2024
@georgekarrv georgekarrv added the #g-endpoint-ops Endpoint ops product group label Dec 5, 2024
@jmwatts
Member

jmwatts commented Dec 13, 2024

Fleet version: v4.59.1

Web browser and operating system: N/A


💥  Actual behavior

Policy fails

🧑‍💻  Steps to reproduce

  1. Create a macOS configuration profile to disable automatic login, deploy it to an MDM-enabled host, and verify it is installed
  2. Create a policy to detect Automatic login disabled
  3. Run the policy on the host

🕯️ Expected behavior

Policy passes and accurately reports whether or not the host has the profile installed, and thus whether or not the host has automatic login disabled.

🕯️ More info (optional)

Per our documentation, the managed_policies table contains the managed configuration policies from AD, MDM, MCX, etc.

This built-in policy will check to see if Automatic Login is Disabled via configuration policy (profile)
SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'com.apple.login.mcx.DisableAutoLoginClient' AND value = 1 LIMIT 1;

One of the first issues is that the profile created to disable automatic login claims to be able to do so regardless of FV status, but when I examined the contents of the profile, only the DisableFDEAutoLogin key is present.

Screenshot 2024-12-13 at 8 46 25 AM

Screenshot 2024-12-13 at 8 48 24 AM

Secondly, on a host that does not have FileVault enabled, that has already configured automatic login, the profile doesn't appear to actually enforce the disable automatic login feature, even after restarting the host.

Screenshot 2024-12-13 at 6 49 34 AM

Screenshot 2024-12-13 at 6 49 19 AM

Screenshot 2024-12-13 at 6 51 06 AM

Also worth noting that hosts with FileVault enabled cannot configure automatic login regardless of whether or not the configuration profile is installed:

Screenshot 2024-12-13 at 6 50 14 AM

The existing built-in policy will fail regardless of Automatic Login disabled profile install status. If the policy is updated to:
SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'DisableFDEAutoLogin' AND value = 1 LIMIT 1;

It will pass for all hosts that have the profile installed. HOWEVER - for hosts that do not have FileVault enabled, the configuration profile doesn't actually disable automatic login, so it will be a false positive for "Automatic Login disabled".

Additionally the policy using DisableFDEAutoLogin ALWAYS passes for a host that does not have FileVault enabled, regardless of whether or not the configuration profile is installed.

The Policy with the updated query SELECT 1 FROM managed_policies WHERE domain = 'com.apple.loginwindow' AND name = 'DisableFDEAutoLogin' AND value = 1 LIMIT 1; accurately reports automatic login disabled profile installed status for FileVault enabled hosts, but not hosts that do not have FileVault enabled.

The only thing that seems to accurately report the setting on the host is running sysadminctl -autologin status in terminal.
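The dynamic, FileVault-aware query suggested in the opening comment, written out as an added example (not a Fleet built-in policy and not code from either commenter). It assumes osquery's `disk_encryption` table exposes `filevault_status` and `user_uuid` as Fleet's FileVault policy uses them, and keeps the two loginwindow keys named above: `DisableFDEAutoLogin` when FileVault is on, `com.apple.login.mcx.DisableAutoLoginClient` when it is off.

```sql
-- Added example: FileVault-aware "Automatic login disabled (macOS)" policy.
-- Assumes osquery's disk_encryption (filevault_status, user_uuid) and
-- managed_policies tables; both key names come from the issue above.
-- Passes (returns a row) only when the key that applies to the host's
-- current FileVault state is enforced by a configuration profile.
SELECT 1
WHERE
  (
    -- FileVault on: the FDE-specific key is the one that applies.
    EXISTS (
      SELECT 1 FROM disk_encryption
      WHERE filevault_status = 'on' AND user_uuid IS NOT ''
    )
    AND EXISTS (
      SELECT 1 FROM managed_policies
      WHERE domain = 'com.apple.loginwindow'
        AND name = 'DisableFDEAutoLogin'
        AND value = 1
    )
  )
  OR
  (
    -- FileVault off: only the non-FDE key is documented to apply.
    NOT EXISTS (
      SELECT 1 FROM disk_encryption WHERE filevault_status = 'on'
    )
    AND EXISTS (
      SELECT 1 FROM managed_policies
      WHERE domain = 'com.apple.loginwindow'
        AND name = 'com.apple.login.mcx.DisableAutoLoginClient'
        AND value = 1
    )
  )
LIMIT 1;
```

This only reports whether the applicable key is enforced by a profile; per the findings above, on FileVault-off hosts the profile tested did not actually disable automatic login, so `sysadminctl -autologin status` remains the check of the effective setting.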

@jmwatts jmwatts added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release. and removed :reproduce Involves documenting reproduction steps in the issue labels Dec 13, 2024
@lukeheath lukeheath added #g-mdm MDM product group #g-software Software product group #g-endpoint-ops Endpoint ops product group and removed #g-endpoint-ops Endpoint ops product group #g-software Software product group labels Dec 19, 2024
@georgekarrv georgekarrv added this to the 4.63.0-tentative milestone Jan 3, 2025
@georgekarrv georgekarrv modified the milestones: 4.63.0, 4.64.0-tentative Jan 14, 2025
@georgekarrv georgekarrv added #g-orchestration Orchestration product group and removed #g-mdm MDM product group labels Feb 5, 2025
@lukeheath lukeheath added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Feb 7, 2025
@noahtalerman noahtalerman removed this from the 4.64.0 milestone Feb 10, 2025
@rachaelshaw
Member

Per @jmwatts's comment above, there doesn't seem to be a straightforward fix for this policy.

@mike-j-thomas @eashaw passing this to you to decide whether to remove it or update it, since policy templates will all live on the website in the future.

@rachaelshaw rachaelshaw added #g-digital-experience https://fleetdm.com/handbook/digital-experience ~website Issues related to fleetdm.com and removed :product Product Design department (shows up on 🦢 Drafting board) :incoming New issue in triage process. #g-orchestration Orchestration product group labels Feb 13, 2025