Tutorial

New updates and improvements to Macfleet.
Follow us on X.com

Manage FileVault Encryption on macOS

FileVault provides full-disk encryption for macOS devices, protecting sensitive data even if the device is lost or stolen. This tutorial shows how to automate FileVault management across your MacFleet using command-line scripts.

Understanding FileVault

FileVault encrypts the entire startup disk using XTS-AES-128 encryption with a 256-bit key. Key benefits include:

  • Data Protection - Encrypts all data on the startup disk
  • Compliance - Meets enterprise security requirements
  • Performance - Hardware-accelerated encryption on modern Macs
  • Recovery - Multiple recovery options available

Basic FileVault Commands

Check FileVault Status

#!/bin/bash

# Check current FileVault status
fdesetup status

# Get detailed encryption information
diskutil apfs listCryptoUsers /

Enable FileVault

#!/bin/bash

# Basic FileVault enable command
sudo fdesetup enable --user "username" --password "password"

# Enable with specific keychain
sudo fdesetup enable --user "username" --password "password" --keychain /Library/Keychains/System.keychain

Disable FileVault

#!/bin/bash

# Basic FileVault disable command
sudo fdesetup disable --user "username" --password "password"

Enterprise FileVault Management Script

Complete script for managing FileVault across your MacFleet:

#!/bin/bash

# FileVault Management Script for MacFleet
# Compatible with macOS 10.14+

# Configuration
LOG_FILE="/var/log/filevault_management.log"
KEYCHAIN_PATH="/Library/Keychains/System.keychain"

# Function to log messages
log_message() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}

# Function to get current user
get_current_user() {
    stat -f "%Su" /dev/console
}

# Function to check if user has secure token
check_secure_token() {
    local username="$1"
    
    if sysadminctl -secureTokenStatus "$username" 2>/dev/null | grep -q "ENABLED"; then
        return 0
    else
        return 1
    fi
}

# Function to check FileVault status
check_filevault_status() {
    local status
    status=$(fdesetup status)
    
    if echo "$status" | grep -q "FileVault is On"; then
        echo "enabled"
    elif echo "$status" | grep -q "FileVault is Off"; then
        echo "disabled"
    elif echo "$status" | grep -q "Encryption in progress"; then
        echo "encrypting"
    elif echo "$status" | grep -q "Decryption in progress"; then
        echo "decrypting"
    else
        echo "unknown"
    fi
}

# Function to get encryption progress
get_encryption_progress() {
    fdesetup status | grep -o '[0-9]\+%' | head -1
}

# Function to validate user credentials
validate_user_credentials() {
    local username="$1"
    local password="$2"
    
    # Check if user exists
    if ! id "$username" &>/dev/null; then
        log_message "✗ User does not exist: $username"
        return 1
    fi
    
    # Check if user has admin privileges
    if ! dsmemberutil checkmembership -U "$username" -G admin &>/dev/null; then
        log_message "✗ User is not an administrator: $username"
        return 1
    fi
    
    # Check if user has secure token
    if ! check_secure_token "$username"; then
        log_message "✗ User does not have secure token: $username"
        return 1
    fi
    
    # Verify password (basic check)
    if [[ -z "$password" ]]; then
        log_message "✗ Password cannot be empty for user: $username"
        return 1
    fi
    
    log_message "✓ User credentials validated: $username"
    return 0
}

# Function to enable FileVault
enable_filevault() {
    local username="$1"
    local password="$2"
    local force_enable="$3"
    
    log_message "Starting FileVault enablement for user: $username"
    
    # Check current status
    local current_status
    current_status=$(check_filevault_status)
    
    case "$current_status" in
        "enabled")
            log_message "! FileVault is already enabled"
            if [[ "$force_enable" != "true" ]]; then
                return 0
            fi
            ;;
        "encrypting")
            log_message "! FileVault encryption is already in progress"
            local progress
            progress=$(get_encryption_progress)
            log_message "  Encryption progress: ${progress:-Unknown}"
            return 0
            ;;
        "decrypting")
            log_message "✗ Cannot enable FileVault while decryption is in progress"
            return 1
            ;;
    esac
    
    # Validate user credentials
    if ! validate_user_credentials "$username" "$password"; then
        return 1
    fi
    
    # Enable FileVault
    log_message "Enabling FileVault..."
    
    if fdesetup enable -user "$username" -password "$password" -keychain "$KEYCHAIN_PATH" 2>/dev/null; then
        log_message "✓ FileVault enable command executed successfully"
        
        # Wait a moment and check status
        sleep 5
        local new_status
        new_status=$(check_filevault_status)
        
        case "$new_status" in
            "enabled")
                log_message "✓ FileVault is now enabled"
                ;;
            "encrypting")
                local progress
                progress=$(get_encryption_progress)
                log_message "✓ FileVault encryption started (${progress:-0%})"
                ;;
            *)
                log_message "! FileVault status unclear: $new_status"
                ;;
        esac
        
        return 0
    else
        log_message "✗ Failed to enable FileVault"
        return 1
    fi
}

# Function to disable FileVault
disable_filevault() {
    local username="$1"
    local password="$2"
    local force_disable="$3"
    
    log_message "Starting FileVault disablement for user: $username"
    
    # Check current status
    local current_status
    current_status=$(check_filevault_status)
    
    case "$current_status" in
        "disabled")
            log_message "! FileVault is already disabled"
            if [[ "$force_disable" != "true" ]]; then
                return 0
            fi
            ;;
        "decrypting")
            log_message "! FileVault decryption is already in progress"
            local progress
            progress=$(get_encryption_progress)
            log_message "  Decryption progress: ${progress:-Unknown}"
            return 0
            ;;
        "encrypting")
            log_message "✗ Cannot disable FileVault while encryption is in progress"
            return 1
            ;;
    esac
    
    # Validate user credentials
    if ! validate_user_credentials "$username" "$password"; then
        return 1
    fi
    
    # Disable FileVault
    log_message "Disabling FileVault..."
    
    if fdesetup disable -user "$username" -password "$password" 2>/dev/null; then
        log_message "✓ FileVault disable command executed successfully"
        
        # Wait a moment and check status
        sleep 5
        local new_status
        new_status=$(check_filevault_status)
        
        case "$new_status" in
            "disabled")
                log_message "✓ FileVault is now disabled"
                ;;
            "decrypting")
                local progress
                progress=$(get_encryption_progress)
                log_message "✓ FileVault decryption started (${progress:-0%})"
                ;;
            *)
                log_message "! FileVault status unclear: $new_status"
                ;;
        esac
        
        return 0
    else
        log_message "✗ Failed to disable FileVault"
        return 1
    fi
}

# Function to get system information
get_system_info() {
    log_message "=== System Information ==="
    log_message "Hostname: $(hostname)"
    log_message "macOS Version: $(sw_vers -productVersion)"
    log_message "Current User: $(get_current_user)"
    log_message "FileVault Status: $(check_filevault_status)"
    
    # Get FileVault users
    local fv_users
    fv_users=$(fdesetup list 2>/dev/null)
    if [[ -n "$fv_users" ]]; then
        log_message "FileVault Enabled Users:"
        echo "$fv_users" | while read -r line; do
            log_message "  $line"
        done
    fi
}

# Function to display usage
usage() {
    echo "Usage: $0 {enable|disable|status} [options]"
    echo ""
    echo "Commands:"
    echo "  enable    Enable FileVault"
    echo "  disable   Disable FileVault"
    echo "  status    Check FileVault status"
    echo ""
    echo "Options:"
    echo "  -u, --user USERNAME      Specify username"
    echo "  -p, --password PASSWORD  Specify password"
    echo "  -f, --force             Force operation even if already in desired state"
    echo "  -h, --help              Show this help message"
    echo ""
    echo "Examples:"
    echo "  $0 enable -u admin -p password123"
    echo "  $0 disable -u admin -p password123 -f"
    echo "  $0 status"
}

# Main function
main() {
    local command="$1"
    local username=""
    local password=""
    local force="false"
    
    # Parse arguments
    shift
    while [[ $# -gt 0 ]]; do
        case $1 in
            -u|--user)
                username="$2"
                shift 2
                ;;
            -p|--password)
                password="$2"
                shift 2
                ;;
            -f|--force)
                force="true"
                shift
                ;;
            -h|--help)
                usage
                exit 0
                ;;
            *)
                echo "Unknown option: $1"
                usage
                exit 1
                ;;
        esac
    done
    
    # Execute command
    case "$command" in
        "enable")
            if [[ -z "$username" ]] || [[ -z "$password" ]]; then
                echo "Error: Username and password required for enable command"
                usage
                exit 1
            fi
            
            log_message "=== Starting FileVault Enable Operation ==="
            get_system_info
            
            if enable_filevault "$username" "$password" "$force"; then
                log_message "=== FileVault Enable Operation Completed Successfully ==="
                exit 0
            else
                log_message "=== FileVault Enable Operation Failed ==="
                exit 1
            fi
            ;;
        "disable")
            if [[ -z "$username" ]] || [[ -z "$password" ]]; then
                echo "Error: Username and password required for disable command"
                usage
                exit 1
            fi
            
            log_message "=== Starting FileVault Disable Operation ==="
            get_system_info
            
            if disable_filevault "$username" "$password" "$force"; then
                log_message "=== FileVault Disable Operation Completed Successfully ==="
                exit 0
            else
                log_message "=== FileVault Disable Operation Failed ==="
                exit 1
            fi
            ;;
        "status")
            get_system_info
            exit 0
            ;;
        *)
            echo "Error: Invalid command: $command"
            usage
            exit 1
            ;;
    esac
}

# Execute main function
main "$@"

Quick FileVault Scripts

Simple Enable Script

#!/bin/bash

USERNAME="admin"
PASSWORD="your_password_here"

if fdesetup enable -user "$USERNAME" -password "$PASSWORD"; then
    echo "FileVault enabled successfully"
else
    echo "Failed to enable FileVault"
    exit 1
fi

Simple Status Check

#!/bin/bash

STATUS=$(fdesetup status)
echo "FileVault Status: $STATUS"

if echo "$STATUS" | grep -q "FileVault is On"; then
    echo "✓ FileVault is enabled"
    exit 0
elif echo "$STATUS" | grep -q "FileVault is Off"; then
    echo "✗ FileVault is disabled"
    exit 1
else
    echo "! FileVault status unclear"
    exit 2
fi

Recovery Key Management

Generate Personal Recovery Key

#!/bin/bash

# Enable FileVault with personal recovery key
sudo fdesetup enable -user "$USERNAME" -password "$PASSWORD" -outputplist > /tmp/filevault_key.plist

# Extract recovery key
RECOVERY_KEY=$(grep -A1 "RecoveryKey" /tmp/filevault_key.plist | tail -1 | sed 's/.*<string>\(.*\)<\/string>.*/\1/')

echo "Recovery Key: $RECOVERY_KEY"

# Securely store recovery key
echo "$RECOVERY_KEY" | sudo tee /var/root/filevault_recovery_key.txt
sudo chmod 600 /var/root/filevault_recovery_key.txt

# Clean up
rm -f /tmp/filevault_key.plist

Enable Institutional Recovery Key

#!/bin/bash

# Create institutional recovery key
CERT_PATH="/path/to/institutional_certificate.cer"

if [[ -f "$CERT_PATH" ]]; then
    sudo fdesetup enable -user "$USERNAME" -password "$PASSWORD" -certificate "$CERT_PATH"
    echo "FileVault enabled with institutional recovery key"
else
    echo "Institutional certificate not found: $CERT_PATH"
    exit 1
fi

Troubleshooting Common Issues

Fix Secure Token Issues

#!/bin/bash

USERNAME="admin"

# Grant secure token to user
sudo sysadminctl -secureTokenOn "$USERNAME" -password -

# Verify secure token
if sysadminctl -secureTokenStatus "$USERNAME" | grep -q "ENABLED"; then
    echo "✓ Secure token enabled for $USERNAME"
else
    echo "✗ Failed to enable secure token for $USERNAME"
fi

Handle Blank Password Error

#!/bin/bash

USERNAME="admin"

# Check if user has a password set
if dscl . -read "/Users/$USERNAME" AuthenticationAuthority | grep -q "No such key"; then
    echo "User $USERNAME has no password set"
    echo "Setting password..."
    sudo dscl . -passwd "/Users/$USERNAME" "" "new_password_here"
fi

Monitoring and Reporting

FileVault Status Report

#!/bin/bash

# Generate FileVault status report
REPORT_FILE="/tmp/filevault_report.txt"

{
    echo "=== FileVault Status Report ==="
    echo "Generated: $(date)"
    echo "Hostname: $(hostname)"
    echo ""
    
    echo "=== FileVault Status ==="
    fdesetup status
    echo ""
    
    echo "=== Enabled Users ==="
    fdesetup list
    echo ""
    
    echo "=== Secure Token Status ==="
    for user in $(dscl . -list /Users | grep -v '^_'); do
        if [[ "$user" != "daemon" ]] && [[ "$user" != "nobody" ]]; then
            token_status=$(sysadminctl -secureTokenStatus "$user" 2>/dev/null | grep -o "ENABLED\|DISABLED")
            echo "User: $user - Token: ${token_status:-UNKNOWN}"
        fi
    done
    
} > "$REPORT_FILE"

echo "Report generated: $REPORT_FILE"

Common Error Solutions

ErrorCauseSolution
"Blank password"User has no passwordSet password with dscl . -passwd
"Master keychain found"Keychain ambiguityAdd -keychain parameter
"Secure token required"User lacks secure tokenGrant token with sysadminctl
"Already encrypted"FileVault already onUse -force or check status first
"Encryption in progress"Concurrent operationWait for completion

Security Best Practices

  • Use strong passwords for FileVault-enabled accounts
  • Store recovery keys securely in enterprise key management
  • Test scripts on isolated devices before fleet deployment
  • Monitor encryption progress to ensure completion
  • Backup recovery keys before making changes
  • Validate user permissions before attempting operations

Performance Considerations

  • Initial encryption can take several hours
  • System performance may be impacted during encryption
  • Schedule operations during maintenance windows
  • Monitor disk space (encryption requires free space)
  • Consider SSD vs HDD performance differences

Important Notes

  • FileVault requires admin privileges and secure tokens
  • Recovery keys are essential for data recovery
  • Encryption/decryption cannot be interrupted safely
  • Test all scripts thoroughly before production use
  • Always have a backup recovery plan

macOS Update Management

Implement enterprise-grade macOS update management across your MacFleet deployment with automated patch deployment, compliance monitoring, staged rollouts, and comprehensive update policies. This tutorial provides solutions for maintaining security patches and OS currency while minimizing disruption to business operations.

Understanding macOS Update Management

macOS provides several methods for managing operating system updates programmatically:

  • Software Update utility - Command-line tool for checking and installing updates
  • startosinstall - Direct OS installation from installer applications
  • MDM Update Commands - Mobile Device Management integration
  • Configuration Profiles - Policy-based update control
  • Apple Software Lookup Service - Update availability checking

Basic Update Operations

List Available Updates

#!/bin/bash

# List all available OS versions for installation
softwareupdate --list-full-installers | grep 'macOS' | awk '{print ++count " " $0}'

Download OS Installer

#!/bin/bash

# Fetch specific OS version installer
softwareupdate --fetch-full-installer --full-installer-version 12.1

echo "OS installer downloaded successfully"

Install OS Update

#!/bin/bash

# Basic OS update installation
osVersion="$1"
majorVersion=$(echo $osVersion | cut -d "." -f 1)
minorVersion=$(echo $osVersion | cut -d "." -f 2)

if [ $majorVersion == "12" ]; then
    installerPath="Install macOS Monterey.app"
elif [ $majorVersion == "11" ]; then
    installerPath="Install macOS Big Sur.app"
elif [ $minorVersion == "15"* ]; then
    installerPath="Install macOS Catalina.app"
fi

fullPath="/Applications/$installerPath/Contents/Resources/startosinstall"
softwareupdate --fetch-full-installer --full-installer-version $osVersion
echo <Password> | "$fullPath" --agreetolicense --forcequitapps --nointeraction --user <Username> --stdinpass

Enterprise Update Management System

Comprehensive Update Management Tool

#!/bin/bash

# MacFleet Enterprise macOS Update Management Tool
# Automated patch deployment and compliance monitoring

# Configuration
CONFIG_FILE="/etc/macfleet/update_policy.conf"
LOG_FILE="/var/log/macfleet_updates.log"
CACHE_DIR="/Library/MacFleet/Updates"
REPORT_DIR="/var/log/macfleet_reports"

# Create directories
mkdir -p "$(dirname "$CONFIG_FILE")" "$(dirname "$LOG_FILE")" "$CACHE_DIR" "$REPORT_DIR"

# Default update policy
cat > "$CONFIG_FILE" 2>/dev/null << 'EOF' || true
# MacFleet macOS Update Management Policy
# Version: 2.0

# Update Enforcement
ENFORCE_SECURITY_UPDATES=true
ALLOW_MAJOR_OS_UPDATES=false
AUTO_INSTALL_SECURITY_PATCHES=true
DEFER_MAJOR_UPDATES_DAYS=30

# Scheduling Configuration
UPDATE_CHECK_INTERVAL=86400  # 24 hours
MAINTENANCE_WINDOW_START="02:00"
MAINTENANCE_WINDOW_END="06:00"
WEEKEND_UPDATES_ALLOWED=true
BUSINESS_HOURS_UPDATES=false

# Deployment Strategy
STAGED_ROLLOUT=true
PILOT_GROUP_PERCENTAGE=10
PRODUCTION_DELAY_DAYS=7
EMERGENCY_PATCH_IMMEDIATE=true

# System Requirements
MIN_BATTERY_PERCENTAGE=50
MIN_FREE_SPACE_GB=20
REQUIRE_AC_POWER=true
MAX_REBOOT_ATTEMPTS=3

# Notification Settings
NOTIFY_USERS_BEFORE_UPDATE=true
NOTIFICATION_LEAD_TIME_HOURS=24
FORCE_UPDATE_AFTER_DEFERRALS=5
SEND_COMPLETION_REPORTS=true

# Compatibility Settings
EXCLUDE_BETA_UPDATES=true
VALIDATE_APP_COMPATIBILITY=true
BACKUP_BEFORE_MAJOR_UPDATE=true
EOF

# Source configuration
source "$CONFIG_FILE" 2>/dev/null || true

# Logging function
log_action() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}

# Get current macOS version
get_current_version() {
    sw_vers -productVersion
}

# Get available updates
get_available_updates() {
    echo "=== Available Updates ==="
    
    # Check for software updates
    local updates
    updates=$(softwareupdate --list 2>/dev/null)
    
    if echo "$updates" | grep -q "No new software available"; then
        echo "✅ System is up to date"
        return 0
    else
        echo "Available updates:"
        echo "$updates"
        return 1
    fi
}

# Get available OS installers
get_available_installers() {
    echo "=== Available OS Installers ==="
    
    # List full installers
    local installers
    installers=$(softwareupdate --list-full-installers 2>/dev/null)
    
    if [[ -n "$installers" ]]; then
        echo "$installers" | grep 'macOS' | awk '{print ++count " " $0}'
    else
        echo "No OS installers available"
    fi
}

# Check system readiness for updates
check_update_readiness() {
    echo "=== Update Readiness Check ==="
    local issues=0
    local warnings=0
    
    # Check battery level
    local battery_level
    if command -v pmset >/dev/null; then
        battery_level=$(pmset -g batt | grep -Eo "\d+%" | tr -d '%' | head -1)
        
        if [[ -n "$battery_level" && $battery_level -lt $MIN_BATTERY_PERCENTAGE ]]; then
            echo "❌ Battery level too low: ${battery_level}% (min: ${MIN_BATTERY_PERCENTAGE}%)"
            ((issues++))
        else
            echo "✅ Battery level adequate: ${battery_level:-AC Power}%"
        fi
    fi
    
    # Check AC power if required
    if [[ "$REQUIRE_AC_POWER" == "true" ]]; then
        local ac_power
        ac_power=$(pmset -g ps | grep "AC Power" || echo "")
        
        if [[ -z "$ac_power" ]]; then
            echo "❌ AC power required but not connected"
            ((issues++))
        else
            echo "✅ AC power connected"
        fi
    fi
    
    # Check free disk space
    local free_space_gb
    free_space_gb=$(df / | awk 'NR==2 {print int($4/1024/1024)}')
    
    if [[ $free_space_gb -lt $MIN_FREE_SPACE_GB ]]; then
        echo "❌ Insufficient disk space: ${free_space_gb}GB (min: ${MIN_FREE_SPACE_GB}GB)"
        ((issues++))
    else
        echo "✅ Sufficient disk space: ${free_space_gb}GB"
    fi
    
    # Check if system is in maintenance window
    local current_time
    current_time=$(date '+%H:%M')
    
    if [[ "$current_time" > "$MAINTENANCE_WINDOW_START" && "$current_time" < "$MAINTENANCE_WINDOW_END" ]]; then
        echo "✅ Within maintenance window"
    else
        echo "⚠️  Outside maintenance window (current: $current_time)"
        ((warnings++))
    fi
    
    # Check if weekend updates are allowed
    local day_of_week
    day_of_week=$(date '+%u')  # 1=Monday, 7=Sunday
    
    if [[ $day_of_week -gt 5 ]] && [[ "$WEEKEND_UPDATES_ALLOWED" != "true" ]]; then
        echo "❌ Weekend updates not allowed"
        ((issues++))
    fi
    
    echo "Readiness summary: $issues issues, $warnings warnings"
    return $issues
}

# Install security updates
install_security_updates() {
    echo "=== Installing Security Updates ==="
    
    if [[ "$AUTO_INSTALL_SECURITY_PATCHES" != "true" ]]; then
        echo "Security update auto-installation disabled"
        return 0
    fi
    
    # Check readiness
    if ! check_update_readiness >/dev/null; then
        echo "❌ System not ready for updates"
        return 1
    fi
    
    # Install recommended updates
    echo "Installing security and recommended updates..."
    log_action "Starting security update installation"
    
    # Use softwareupdate to install recommended updates
    if softwareupdate --install --recommended --verbose; then
        echo "✅ Security updates installed successfully"
        log_action "Security updates installed successfully"
        
        # Check if restart is required
        if softwareupdate --list | grep -q "restart"; then
            echo "⚠️  System restart required"
            log_action "System restart required after security updates"
        fi
        
        return 0
    else
        echo "❌ Failed to install security updates"
        log_action "FAILED: Security update installation"
        return 1
    fi
}

# Download OS installer
download_os_installer() {
    local target_version="$1"
    
    echo "=== Downloading OS Installer ==="
    echo "Target version: $target_version"
    
    # Validate version format
    if [[ ! "$target_version" =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?$ ]]; then
        echo "❌ Invalid version format: $target_version"
        return 1
    fi
    
    # Download installer
    echo "Downloading macOS $target_version installer..."
    log_action "Downloading macOS installer: $target_version"
    
    if softwareupdate --fetch-full-installer --full-installer-version "$target_version"; then
        echo "✅ macOS installer downloaded successfully"
        log_action "macOS installer downloaded: $target_version"
        
        # Verify installer exists
        local installer_path
        installer_path=$(find /Applications -name "Install macOS*.app" -path "*$target_version*" 2>/dev/null | head -1)
        
        if [[ -n "$installer_path" && -d "$installer_path" ]]; then
            echo "Installer location: $installer_path"
            return 0
        else
            # Check for installer by major version
            local major_version
            major_version=$(echo "$target_version" | cut -d'.' -f1)
            
            case "$major_version" in
                "15")
                    installer_path="/Applications/Install macOS Sequoia.app"
                    ;;
                "14")
                    installer_path="/Applications/Install macOS Sonoma.app"
                    ;;
                "13")
                    installer_path="/Applications/Install macOS Ventura.app"
                    ;;
                "12")
                    installer_path="/Applications/Install macOS Monterey.app"
                    ;;
                "11")
                    installer_path="/Applications/Install macOS Big Sur.app"
                    ;;
                *)
                    echo "❌ Unknown macOS version: $target_version"
                    return 1
                    ;;
            esac
            
            if [[ -d "$installer_path" ]]; then
                echo "Installer found: $installer_path"
                return 0
            else
                echo "❌ Installer not found after download"
                return 1
            fi
        fi
    else
        echo "❌ Failed to download macOS installer"
        log_action "FAILED: macOS installer download for $target_version"
        return 1
    fi
}

# Install major OS update
install_major_update() {
    local target_version="$1"
    local admin_user="$2"
    local admin_password="$3"
    
    echo "=== Installing Major OS Update ==="
    echo "Target version: $target_version"
    echo "Admin user: $admin_user"
    
    if [[ "$ALLOW_MAJOR_OS_UPDATES" != "true" ]]; then
        echo "❌ Major OS updates not allowed by policy"
        return 1
    fi
    
    # Check readiness
    if ! check_update_readiness; then
        echo "❌ System not ready for major update"
        return 1
    fi
    
    # Find installer
    local installer_path
    local major_version
    major_version=$(echo "$target_version" | cut -d'.' -f1)
    
    case "$major_version" in
        "15")
            installer_path="/Applications/Install macOS Sequoia.app"
            ;;
        "14")
            installer_path="/Applications/Install macOS Sonoma.app"
            ;;
        "13")
            installer_path="/Applications/Install macOS Ventura.app"
            ;;
        "12")
            installer_path="/Applications/Install macOS Monterey.app"
            ;;
        "11")
            installer_path="/Applications/Install macOS Big Sur.app"
            ;;
        *)
            echo "❌ Unsupported macOS version: $target_version"
            return 1
            ;;
    esac
    
    if [[ ! -d "$installer_path" ]]; then
        echo "Installer not found, downloading..."
        if ! download_os_installer "$target_version"; then
            return 1
        fi
    fi
    
    # Prepare installation command
    local install_cmd="$installer_path/Contents/Resources/startosinstall"
    local install_args="--agreetolicense --forcequitapps --nointeraction"
    
    # Check if Apple Silicon Mac (requires credentials)
    if system_profiler SPHardwareDataType | grep -q "Apple M"; then
        if [[ -z "$admin_user" || -z "$admin_password" ]]; then
            echo "❌ Apple Silicon Mac requires admin credentials"
            return 1
        fi
        install_args="$install_args --user $admin_user --stdinpass"
    fi
    
    echo "Starting macOS installation..."
    log_action "Starting major OS update to $target_version"
    
    # Execute installation
    if [[ -n "$admin_password" ]]; then
        echo "$admin_password" | "$install_cmd" $install_args
    else
        "$install_cmd" $install_args
    fi
    
    local result=$?
    
    if [[ $result -eq 0 ]]; then
        echo "✅ macOS update initiated successfully"
        log_action "macOS update initiated successfully to $target_version"
        echo "⚠️  System will restart to complete installation"
    else
        echo "❌ Failed to initiate macOS update (exit code: $result)"
        log_action "FAILED: macOS update initiation to $target_version (exit code: $result)"
    fi
    
    return $result
}

# Generate update compliance report
generate_update_report() {
    local report_file="$REPORT_DIR/update_compliance_$(date +%Y%m%d_%H%M%S).json"
    
    echo "=== Generating Update Compliance Report ==="
    
    # Get current system information
    local current_version
    current_version=$(sw_vers -productVersion)
    local build_version
    build_version=$(sw_vers -buildVersion)
    local hardware_model
    hardware_model=$(system_profiler SPHardwareDataType | grep "Model Identifier" | awk -F: '{print $2}' | xargs)
    
    # Check for available updates
    local updates_available="false"
    local security_updates_available="false"
    
    if ! softwareupdate --list 2>/dev/null | grep -q "No new software available"; then
        updates_available="true"
        
        if softwareupdate --list 2>/dev/null | grep -i "security\|recommended"; then
            security_updates_available="true"
        fi
    fi
    
    # Calculate days since last update
    local last_update_date
    last_update_date=$(system_profiler SPInstallHistoryDataType | grep "Install Date" | head -1 | awk -F: '{print $2}' | xargs)
    local days_since_update="unknown"
    
    if [[ -n "$last_update_date" ]]; then
        local last_update_epoch
        last_update_epoch=$(date -j -f "%m/%d/%y" "$last_update_date" "+%s" 2>/dev/null || echo "0")
        local current_epoch
        current_epoch=$(date "+%s")
        days_since_update=$(( (current_epoch - last_update_epoch) / 86400 ))
    fi
    
    # Create JSON report
    cat > "$report_file" << EOF
{
  "report_type": "update_compliance",
  "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
  "device_info": {
    "hostname": "$(hostname)",
    "serial_number": "$(system_profiler SPHardwareDataType | grep "Serial Number" | awk -F: '{print $2}' | xargs)",
    "hardware_model": "$hardware_model",
    "current_os_version": "$current_version",
    "build_version": "$build_version"
  },
  "update_status": {
    "updates_available": $updates_available,
    "security_updates_available": $security_updates_available,
    "days_since_last_update": $days_since_update,
    "last_update_date": "$last_update_date",
    "auto_update_enabled": $(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null || echo false)
  },
  "policy_compliance": {
    "security_updates_enforced": $ENFORCE_SECURITY_UPDATES,
    "major_updates_allowed": $ALLOW_MAJOR_OS_UPDATES,
    "auto_install_enabled": $AUTO_INSTALL_SECURITY_PATCHES,
    "staged_rollout_enabled": $STAGED_ROLLOUT
  },
  "system_readiness": {
    "sufficient_battery": true,
    "ac_power_connected": $(pmset -g ps | grep -q "AC Power" && echo true || echo false),
    "sufficient_disk_space": true,
    "in_maintenance_window": false
  }
}
EOF
    
    echo "Update compliance report saved to: $report_file"
    log_action "Update compliance report generated: $report_file"
}

# Main function with argument handling
main() {
    log_action "=== MacFleet Update Management Tool Started ==="
    
    case "${1:-status}" in
        "check")
            get_available_updates
            ;;
        "security")
            install_security_updates
            ;;
        "download")
            download_os_installer "$2"
            ;;
        "install")
            install_major_update "$2" "$3" "$4"
            ;;
        "readiness")
            check_update_readiness
            ;;
        "installers")
            get_available_installers
            ;;
        "report")
            generate_update_report
            ;;
        "status"|*)
            echo "Current macOS version: $(get_current_version)"
            get_available_updates
            ;;
    esac
    
    log_action "=== Update management operation completed ==="
}

# Execute main function
main "$@"

Advanced Update Management

Staged Rollout Management

#!/bin/bash

# Staged rollout management for enterprise deployments
manage_staged_rollout() {
    local update_version="$1"
    local deployment_stage="${2:-pilot}"
    
    echo "=== Staged Rollout Management ==="
    echo "Update version: $update_version"
    echo "Deployment stage: $deployment_stage"
    
    # Define device groups
    local device_serial
    device_serial=$(system_profiler SPHardwareDataType | grep "Serial Number" | awk -F: '{print $2}' | xargs)
    
    # Calculate hash for consistent group assignment
    local hash_value
    hash_value=$(echo "$device_serial" | md5 | cut -c1-2)
    local numeric_hash
    numeric_hash=$(printf "%d" "0x$hash_value")
    local group_percentage
    group_percentage=$((numeric_hash % 100))
    
    case "$deployment_stage" in
        "pilot")
            if [[ $group_percentage -lt $PILOT_GROUP_PERCENTAGE ]]; then
                echo "✅ Device selected for pilot deployment"
                log_action "Device included in pilot group for $update_version"
                return 0
            else
                echo "⏳ Device not in pilot group, waiting for production rollout"
                return 1
            fi
            ;;
        "production")
            echo "✅ Device eligible for production deployment"
            log_action "Device included in production rollout for $update_version"
            return 0
            ;;
        "emergency")
            echo "🚨 Emergency deployment - bypassing staging"
            log_action "Emergency deployment initiated for $update_version"
            return 0
            ;;
        *)
            echo "❌ Unknown deployment stage: $deployment_stage"
            return 1
            ;;
    esac
}

# Usage example:
# manage_staged_rollout "14.2.1" "pilot"

Update Compatibility Checking

#!/bin/bash

# Check application compatibility before major updates
check_app_compatibility() {
    local target_version="$1"
    
    echo "=== Application Compatibility Check ==="
    
    if [[ "$VALIDATE_APP_COMPATIBILITY" != "true" ]]; then
        echo "App compatibility checking disabled"
        return 0
    fi
    
    local incompatible_apps=()
    
    # Check for 32-bit applications (not supported in macOS 10.15+)
    local target_major
    target_major=$(echo "$target_version" | cut -d'.' -f1)
    
    if [[ $target_major -ge 10 ]]; then
        echo "Checking for 32-bit applications..."
        
        # Use system_profiler to find 32-bit apps
        local bit32_apps
        bit32_apps=$(system_profiler SPApplicationsDataType | grep -B1 -A1 "64-Bit (Intel): No" | grep "Location:" | awk -F: '{print $2}' | xargs)
        
        if [[ -n "$bit32_apps" ]]; then
            echo "⚠️  Found 32-bit applications:"
            echo "$bit32_apps"
            incompatible_apps+=("32-bit applications")
        fi
    fi
    
    # Check for known incompatible applications
    local known_incompatible=(
        "/Applications/Adobe CS6"
        "/Applications/Microsoft Office 2011"
        "/Applications/Final Cut Pro 7"
    )
    
    for app_path in "${known_incompatible[@]}"; do
        if [[ -d "$app_path" ]]; then
            echo "⚠️  Found known incompatible app: $app_path"
            incompatible_apps+=("$(basename "$app_path")")
        fi
    done
    
    # Generate compatibility report
    if [[ ${#incompatible_apps[@]} -eq 0 ]]; then
        echo "✅ No compatibility issues detected"
        return 0
    else
        echo "❌ Compatibility issues found:"
        printf '  - %s\n' "${incompatible_apps[@]}"
        
        # Log compatibility issues
        log_action "App compatibility issues found for $target_version: ${incompatible_apps[*]}"
        return 1
    fi
}

check_app_compatibility "14.0"

Automated Backup Before Updates

#!/bin/bash

# Create system backup before major updates
create_pre_update_backup() {
    local backup_destination="${1:-/Volumes/Backup}"
    
    echo "=== Pre-Update Backup ==="
    
    if [[ "$BACKUP_BEFORE_MAJOR_UPDATE" != "true" ]]; then
        echo "Pre-update backup disabled"
        return 0
    fi
    
    # Check backup destination
    if [[ ! -d "$backup_destination" ]]; then
        echo "❌ Backup destination not available: $backup_destination"
        return 1
    fi
    
    # Create Time Machine backup
    echo "Creating Time Machine backup..."
    if tmutil startbackup --auto --block; then
        echo "✅ Time Machine backup completed"
        log_action "Pre-update Time Machine backup completed"
    else
        echo "⚠️  Time Machine backup failed, continuing with update"
        log_action "WARNING: Pre-update Time Machine backup failed"
    fi
    
    # Create system configuration backup
    local config_backup="$backup_destination/macfleet_config_$(date +%Y%m%d_%H%M%S).tar.gz"
    
    echo "Creating configuration backup..."
    if tar -czf "$config_backup" \
        /etc/macfleet \
        /Library/Preferences \
        /System/Library/LaunchDaemons/com.macfleet.* \
        2>/dev/null; then
        echo "✅ Configuration backup created: $config_backup"
        log_action "Configuration backup created: $config_backup"
    else
        echo "⚠️  Configuration backup failed"
        log_action "WARNING: Configuration backup failed"
    fi
    
    return 0
}

create_pre_update_backup

Monitoring and Compliance

Update Compliance Monitoring

#!/bin/bash

# Monitor update compliance across fleet
monitor_update_compliance() {
    echo "=== Update Compliance Monitoring ==="
    
    local current_version
    current_version=$(sw_vers -productVersion)
    
    # Check against security baselines
    local security_baseline="14.2.1"  # Example baseline
    
    if [[ "$(printf '%s\n' "$security_baseline" "$current_version" | sort -V | head -1)" != "$security_baseline" ]]; then
        echo "❌ Below security baseline (current: $current_version, required: $security_baseline)"
        log_action "COMPLIANCE VIOLATION: Below security baseline $security_baseline"
        
        # Trigger remediation if enabled
        if [[ "$ENFORCE_SECURITY_UPDATES" == "true" ]]; then
            echo "Initiating automatic remediation..."
            install_security_updates
        fi
    else
        echo "✅ Meets security baseline requirements"
    fi
    
    # Check for overdue updates
    local last_check
    last_check=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate LastSuccessfulDate 2>/dev/null || echo "")
    
    if [[ -n "$last_check" ]]; then
        local days_since_check
        days_since_check=$(( ($(date +%s) - $(date -j -f "%Y-%m-%d %H:%M:%S %z" "$last_check" +%s 2>/dev/null || echo 0)) / 86400 ))
        
        if [[ $days_since_check -gt 7 ]]; then
            echo "⚠️  Updates not checked for $days_since_check days"
            log_action "WARNING: Updates not checked for $days_since_check days"
        fi
    fi
}

monitor_update_compliance

Emergency Patch Deployment

#!/bin/bash

# Emergency patch deployment for critical security updates
deploy_emergency_patch() {
    local patch_version="$1"
    local override_policies="${2:-false}"
    
    echo "=== Emergency Patch Deployment ==="
    echo "Patch version: $patch_version"
    echo "Override policies: $override_policies"
    
    log_action "EMERGENCY: Deploying critical patch $patch_version"
    
    # Override normal restrictions for emergency patches
    if [[ "$override_policies" == "true" ]]; then
        # Temporarily modify configuration
        local original_config
        original_config=$(cat "$CONFIG_FILE")
        
        # Emergency configuration
        cat > "$CONFIG_FILE" << 'EOF'
ENFORCE_SECURITY_UPDATES=true
AUTO_INSTALL_SECURITY_PATCHES=true
EMERGENCY_PATCH_IMMEDIATE=true
REQUIRE_AC_POWER=false
MIN_BATTERY_PERCENTAGE=20
BUSINESS_HOURS_UPDATES=true
EOF
        
        # Install emergency patch
        if install_security_updates; then
            echo "✅ Emergency patch deployed successfully"
            log_action "Emergency patch $patch_version deployed successfully"
        else
            echo "❌ Emergency patch deployment failed"
            log_action "CRITICAL: Emergency patch $patch_version deployment FAILED"
        fi
        
        # Restore original configuration
        echo "$original_config" > "$CONFIG_FILE"
    else
        # Standard emergency deployment
        install_security_updates
    fi
}

# Example usage:
# deploy_emergency_patch "14.2.1" "true"

Important Configuration Notes

macOS Update Tools

  • softwareupdate - Command-line Software Update utility
  • startosinstall - Direct OS installation tool
  • system_profiler - System information and update history
  • tmutil - Time Machine backup utility
  • pmset - Power management settings

Apple Silicon Considerations

  • Admin credentials required - Updates need user authentication
  • Secure Boot policies - May affect update installation
  • Recovery mode options - Different from Intel Macs
  • Reduced kernel extensions - System extension model

Best Practices for Enterprise

  1. Staged Deployment Strategy

    • Test updates on pilot group first
    • Monitor for issues before full rollout
    • Maintain rollback capabilities

  2. Compliance Management

    • Define security baselines
    • Monitor update status regularly
    • Automate compliance reporting

  3. Risk Mitigation

    • Backup before major updates
    • Test application compatibility
    • Plan for emergency patches

  4. User Communication

    • Notify users of scheduled updates
    • Provide clear maintenance windows
    • Offer deferral options within policy limits

Troubleshooting Common Issues

  • Insufficient disk space - Clean up before updates or increase storage
  • Power requirements - Ensure AC power for major updates
  • Network connectivity - Verify access to Apple's update servers
  • Authentication failures - Check admin credentials on Apple Silicon
  • Installation failures - Review system logs and compatibility

Remember to test update procedures thoroughly in a non-production environment before deploying across your entire MacFleet.

Login Window Customization on macOS

Customize and secure the login window on your MacFleet devices to enhance security, branding, and user experience. This tutorial covers user list management, power option control, custom messages, and enterprise login window configuration.

Understanding macOS Login Window

The macOS login window is the first interface users encounter when starting their device. It provides several customization options:

  • User display modes - Show user list or username/password fields
  • Power options - Control shutdown, restart, and sleep buttons
  • Custom messages - Display organizational notices or branding
  • Security settings - Hide sensitive information and control access

Enterprise Considerations

Login window customization is crucial for enterprise security:

  • Hide user lists to prevent user enumeration
  • Disable power options to prevent unauthorized shutdowns
  • Display security notices for compliance requirements
  • Brand the interface for organizational identity

Basic Login Window Configuration

Display User List in Login Window

#!/bin/bash

# Show the list of users in the login window
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME false

echo "User list display enabled in login window"

Display Username/Password Dialog

#!/bin/bash

# Show username and password dialog instead of user list
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true

echo "Username/password dialog enabled in login window"

Hide Power Options

#!/bin/bash

# Hide shutdown button
defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true

# Hide restart button
defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled true

# Hide sleep button
defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true

echo "All power options hidden from login window"

Enable Power Options

#!/bin/bash

# Enable shutdown button
defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled false

# Enable restart button
defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false

# Enable sleep button
defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled false

echo "All power options enabled in login window"

Display Custom Message

#!/bin/bash

# Display a custom message on the login window
MESSAGE="Your device is managed by MacFleet. Contact IT for assistance."
defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$MESSAGE"

echo "Custom message set for login window"

Advanced Login Window Management

Comprehensive Login Window Configuration

#!/bin/bash

# Advanced login window configuration with validation
configure_login_window() {
    local config_type="$1"
    local custom_message="$2"
    
    # Validate admin privileges
    if [[ $EUID -ne 0 ]]; then
        echo "Error: This script requires administrator privileges"
        echo "Please run with sudo: sudo $0"
        exit 1
    fi
    
    case "$config_type" in
        "secure")
            echo "Applying secure login window configuration..."
            
            # Hide user list for security
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            
            # Disable all power options
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            
            # Set security message
            local security_msg="Authorized Personnel Only - All Activity Monitored"
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$security_msg"
            
            echo "✓ Secure configuration applied"
            ;;
        "corporate")
            echo "Applying corporate login window configuration..."
            
            # Show user list for convenience
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME false
            
            # Allow restart but disable shutdown and sleep
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            
            # Set corporate message
            local corp_msg="${custom_message:-Property of MacFleet Corporation}"
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$corp_msg"
            
            echo "✓ Corporate configuration applied"
            ;;
        "kiosk")
            echo "Applying kiosk login window configuration..."
            
            # Hide user list
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            
            # Disable all power options
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            
            # Hide additional elements for kiosk mode
            defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers true
            defaults write /Library/Preferences/com.apple.loginwindow HideMobileAccounts true
            
            # Set kiosk message
            local kiosk_msg="Kiosk Mode - Authorized Access Only"
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$kiosk_msg"
            
            echo "✓ Kiosk configuration applied"
            ;;
        "standard")
            echo "Applying standard login window configuration..."
            
            # Show user list
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME false
            
            # Enable all power options
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled false
            
            # Clear custom message
            defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null || true
            
            echo "✓ Standard configuration applied"
            ;;
        *)
            echo "Error: Unknown configuration type '$config_type'"
            echo "Available types: secure, corporate, kiosk, standard"
            return 1
            ;;
    esac
    
    # Verify configuration
    verify_login_window_config
}

# Verify current login window configuration
verify_login_window_config() {
    echo ""
    echo "=== Current Login Window Configuration ==="
    
    # Check user display mode
    local show_fullname
    show_fullname=$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || echo "false")
    
    if [[ "$show_fullname" == "true" ]]; then
        echo "User Display: Username/Password Dialog"
    else
        echo "User Display: User List"
    fi
    
    # Check power options
    local shutdown_disabled
    shutdown_disabled=$(defaults read /Library/Preferences/com.apple.loginwindow ShutDownDisabled 2>/dev/null || echo "false")
    echo "Shutdown Button: $([ "$shutdown_disabled" == "true" ] && echo "Hidden" || echo "Visible")"
    
    local restart_disabled
    restart_disabled=$(defaults read /Library/Preferences/com.apple.loginwindow RestartDisabled 2>/dev/null || echo "false")
    echo "Restart Button: $([ "$restart_disabled" == "true" ] && echo "Hidden" || echo "Visible")"
    
    local sleep_disabled
    sleep_disabled=$(defaults read /Library/Preferences/com.apple.loginwindow SleepDisabled 2>/dev/null || echo "false")
    echo "Sleep Button: $([ "$sleep_disabled" == "true" ] && echo "Hidden" || echo "Visible")"
    
    # Check custom message
    local login_text
    login_text=$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null || echo "None")
    echo "Custom Message: $login_text"
}

# Usage examples
configure_login_window "corporate" "Welcome to MacFleet Enterprise"

Login Window Branding and Customization

#!/bin/bash

# Advanced login window branding
customize_login_branding() {
    local company_name="$1"
    local support_info="$2"
    local logo_path="$3"
    
    echo "=== Customizing Login Window Branding ==="
    
    # Set company message
    if [[ -n "$company_name" ]]; then
        local branded_message="Property of $company_name"
        if [[ -n "$support_info" ]]; then
            branded_message="$branded_message | Support: $support_info"
        fi
        
        defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$branded_message"
        echo "✓ Company branding message set"
    fi
    
    # Set custom desktop background for login window
    if [[ -n "$logo_path" && -f "$logo_path" ]]; then
        defaults write /Library/Preferences/com.apple.loginwindow DesktopPicture "$logo_path"
        echo "✓ Custom background image set"
    fi
    
    # Configure additional branding options
    setup_login_window_styling "$company_name"
}

# Setup advanced login window styling
setup_login_window_styling() {
    local company_name="$1"
    
    # Hide computer name for cleaner appearance
    defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName
    
    # Configure login window appearance
    defaults write /Library/Preferences/com.apple.loginwindow showInputMenu true
    
    # Set custom computer name display
    if [[ -n "$company_name" ]]; then
        scutil --set ComputerName "$company_name Workstation"
        scutil --set LocalHostName "$company_name-Mac"
    fi
    
    echo "✓ Login window styling configured"
}

# Usage
customize_login_branding "MacFleet Corporation" "help@macfleet.com" "/System/Library/Desktop Pictures/Big Sur.heic"

Security-Focused Login Configuration

#!/bin/bash

# High-security login window configuration
apply_security_hardening() {
    local security_level="$1"
    
    echo "=== Applying Security Hardening: $security_level ==="
    
    case "$security_level" in
        "maximum")
            # Hide all user information
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers true
            defaults write /Library/Preferences/com.apple.loginwindow HideMobileAccounts true
            defaults write /Library/Preferences/com.apple.loginwindow HideAdminUsers true
            
            # Disable all power options
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            
            # Hide additional UI elements
            defaults write /Library/Preferences/com.apple.loginwindow showInputMenu false
            defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisabledWhileLoggedIn true
            
            # Set security warning
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "RESTRICTED ACCESS - AUTHORIZED PERSONNEL ONLY"
            
            echo "✓ Maximum security configuration applied"
            ;;
        "high")
            # Hide user list but allow some functionality
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers false
            defaults write /Library/Preferences/com.apple.loginwindow HideMobileAccounts true
            
            # Disable shutdown and sleep, allow restart
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            
            # Set moderate security message
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Corporate Device - Authorized Users Only"
            
            echo "✓ High security configuration applied"
            ;;
        "moderate")
            # Show user list but control power options
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME false
            defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers false
            
            # Allow restart, disable shutdown and sleep
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            
            # Set informational message
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Managed Device - Contact IT for Support"
            
            echo "✓ Moderate security configuration applied"
            ;;
        *)
            echo "Error: Unknown security level '$security_level'"
            echo "Available levels: maximum, high, moderate"
            return 1
            ;;
    esac
}

# Usage
apply_security_hardening "high"

Enterprise Login Window Management System

#!/bin/bash

# MacFleet Login Window Management Tool
# Comprehensive login window configuration and monitoring for fleet devices

# Configuration
SCRIPT_VERSION="1.0.0"
LOG_FILE="/var/log/macfleet_loginwindow.log"
REPORT_DIR="/etc/macfleet/reports/loginwindow"
CONFIG_DIR="/etc/macfleet/loginwindow"
TEMPLATE_DIR="/etc/macfleet/templates/loginwindow"

# Create directories if they don't exist
mkdir -p "$REPORT_DIR" "$CONFIG_DIR" "$TEMPLATE_DIR"

# Login window policy templates
declare -A LOGIN_POLICIES=(
    ["corporate_standard"]="user_list,restart_only,company_branding,moderate_security"
    ["corporate_secure"]="username_dialog,no_power,security_message,high_security"
    ["kiosk_mode"]="username_dialog,no_power,kiosk_branding,maximum_security"
    ["public_access"]="user_list,all_power,public_notice,low_security"
    ["executive"]="username_dialog,restart_only,executive_branding,high_security"
    ["guest_network"]="user_list,no_power,guest_notice,moderate_security"
    ["development"]="user_list,all_power,dev_environment,low_security"
    ["classroom"]="user_list,restart_only,educational_message,moderate_security"
    ["healthcare"]="username_dialog,no_power,hipaa_notice,maximum_security"
    ["financial"]="username_dialog,no_power,compliance_notice,maximum_security"
)

# Message templates for different scenarios
declare -A MESSAGE_TEMPLATES=(
    ["security_warning"]="RESTRICTED ACCESS - AUTHORIZED PERSONNEL ONLY - ALL ACTIVITY MONITORED"
    ["corporate_standard"]="Property of {COMPANY} | IT Support: {SUPPORT_CONTACT}"
    ["compliance_notice"]="This system contains confidential information. Unauthorized access is prohibited."
    ["guest_notice"]="Guest Access | Please contact reception for assistance"
    ["kiosk_mode"]="Kiosk Terminal | For assistance press F1"
    ["maintenance"]="System Under Maintenance | Contact IT Department"
    ["emergency"]="Emergency Access Only | Security Incident in Progress"
    ["educational"]="Educational Device | Students must follow acceptable use policy"
    ["hipaa_notice"]="HIPAA Protected System | Authorized Healthcare Personnel Only"
    ["financial_compliance"]="Financial Data System | SOX Compliance Required"
)

# Logging function
log_action() {
    local message="$1"
    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    echo "[$timestamp] $message" | tee -a "$LOG_FILE"
}

# Advanced login window policy enforcement
enforce_login_policy() {
    local policy_name="$1"
    local company_name="${2:-MacFleet}"
    local support_contact="${3:-IT Department}"
    local dry_run="${4:-false}"
    
    log_action "Enforcing login window policy: $policy_name (dry_run: $dry_run)"
    
    if [[ -z "${LOGIN_POLICIES[$policy_name]}" ]]; then
        log_action "ERROR: Unknown policy '$policy_name'"
        echo "Available policies: ${!LOGIN_POLICIES[*]}"
        return 1
    fi
    
    # Parse policy configuration
    IFS=',' read -ra POLICY_PARTS <<< "${LOGIN_POLICIES[$policy_name]}"
    local user_display="${POLICY_PARTS[0]}"
    local power_options="${POLICY_PARTS[1]}"
    local branding_type="${POLICY_PARTS[2]}"
    local security_level="${POLICY_PARTS[3]}"
    
    echo "=== Enforcing Policy: $policy_name ==="
    echo "User Display: $user_display"
    echo "Power Options: $power_options"
    echo "Branding: $branding_type"
    echo "Security Level: $security_level"
    
    if [[ "$dry_run" == "true" ]]; then
        echo "DRY RUN MODE - No changes will be applied"
        return 0
    fi
    
    # Apply user display settings
    apply_user_display_settings "$user_display"
    
    # Apply power option settings
    apply_power_option_settings "$power_options"
    
    # Apply branding and messaging
    apply_branding_settings "$branding_type" "$company_name" "$support_contact"
    
    # Apply security configurations
    apply_security_settings "$security_level"
    
    # Generate policy compliance report
    local report_file="$REPORT_DIR/policy_enforcement_${policy_name}_$(date +%Y%m%d_%H%M%S).json"
    generate_policy_report "$policy_name" "$report_file"
    
    log_action "Policy enforcement completed: $report_file"
    echo "$report_file"
}

# Apply user display settings
apply_user_display_settings() {
    local display_type="$1"
    
    case "$display_type" in
        "user_list")
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME false
            defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers false
            echo "✓ User list display enabled"
            ;;
        "username_dialog")
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            echo "✓ Username/password dialog enabled"
            ;;
        "hidden_users")
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers true
            defaults write /Library/Preferences/com.apple.loginwindow HideMobileAccounts true
            echo "✓ All users hidden from display"
            ;;
    esac
}

# Apply power option settings
apply_power_option_settings() {
    local power_config="$1"
    
    case "$power_config" in
        "all_power")
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled false
            echo "✓ All power options enabled"
            ;;
        "restart_only")
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            echo "✓ Only restart option enabled"
            ;;
        "no_power")
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            echo "✓ All power options disabled"
            ;;
    esac
}

# Apply branding and messaging settings
apply_branding_settings() {
    local branding_type="$1"
    local company_name="$2"
    local support_contact="$3"
    
    local message=""
    
    case "$branding_type" in
        "company_branding")
            message="${MESSAGE_TEMPLATES[corporate_standard]}"
            message="${message/\{COMPANY\}/$company_name}"
            message="${message/\{SUPPORT_CONTACT\}/$support_contact}"
            ;;
        "security_message")
            message="${MESSAGE_TEMPLATES[security_warning]}"
            ;;
        "kiosk_branding")
            message="${MESSAGE_TEMPLATES[kiosk_mode]}"
            ;;
        "executive_branding")
            message="Executive Workstation | $company_name | Confidential"
            ;;
        "guest_notice")
            message="${MESSAGE_TEMPLATES[guest_notice]}"
            ;;
        "educational_message")
            message="${MESSAGE_TEMPLATES[educational]}"
            ;;
        "hipaa_notice")
            message="${MESSAGE_TEMPLATES[hipaa_notice]}"
            ;;
        "compliance_notice")
            message="${MESSAGE_TEMPLATES[financial_compliance]}"
            ;;
        *)
            message="Managed by $company_name"
            ;;
    esac
    
    if [[ -n "$message" ]]; then
        defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$message"
        echo "✓ Custom message applied: $message"
    fi
}

# Apply security-specific settings
apply_security_settings() {
    local security_level="$1"
    
    case "$security_level" in
        "maximum_security")
            # Hide computer information
            defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo ""
            
            # Disable input menu
            defaults write /Library/Preferences/com.apple.loginwindow showInputMenu false
            
            # Disable auto login
            defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true
            
            # Enable login window delay
            defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled false
            
            echo "✓ Maximum security settings applied"
            ;;
        "high_security")
            # Show minimal computer info
            defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName
            
            # Enable input menu for language support
            defaults write /Library/Preferences/com.apple.loginwindow showInputMenu true
            
            # Disable guest account
            defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled false
            
            echo "✓ High security settings applied"
            ;;
        "moderate_security")
            # Standard security with some convenience features
            defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName
            defaults write /Library/Preferences/com.apple.loginwindow showInputMenu true
            defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled false
            
            echo "✓ Moderate security settings applied"
            ;;
        "low_security")
            # Minimal restrictions for convenience
            defaults write /Library/Preferences/com.apple.loginwindow showInputMenu true
            
            echo "✓ Low security settings applied"
            ;;
    esac
}

# Generate comprehensive policy compliance report
generate_policy_report() {
    local policy_name="$1"
    local report_file="$2"
    
    # Get current login window settings
    local show_fullname=$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || echo "false")
    local shutdown_disabled=$(defaults read /Library/Preferences/com.apple.loginwindow ShutDownDisabled 2>/dev/null || echo "false")
    local restart_disabled=$(defaults read /Library/Preferences/com.apple.loginwindow RestartDisabled 2>/dev/null || echo "false")
    local sleep_disabled=$(defaults read /Library/Preferences/com.apple.loginwindow SleepDisabled 2>/dev/null || echo "false")
    local login_text=$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null || echo "")
    local hide_local_users=$(defaults read /Library/Preferences/com.apple.loginwindow HideLocalUsers 2>/dev/null || echo "false")
    local guest_enabled=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo "false")
    
    cat > "$report_file" << EOF
{
    "policy_report": {
        "policy_name": "$policy_name",
        "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
        "hostname": "$(hostname)",
        "script_version": "$SCRIPT_VERSION",
        "current_settings": {
            "show_fullname": $show_fullname,
            "shutdown_disabled": $shutdown_disabled,
            "restart_disabled": $restart_disabled,
            "sleep_disabled": $sleep_disabled,
            "custom_message": "$login_text",
            "hide_local_users": $hide_local_users,
            "guest_enabled": $guest_enabled
        },
        "display_mode": "$([ "$show_fullname" == "true" ] && echo "username_dialog" || echo "user_list")",
        "security_level": "unknown",
        "compliance_status": "compliant"
    }
}
EOF
    
    log_action "Policy report generated: $report_file"
}

# Monitor login window configuration
monitor_login_window() {
    local detailed="${1:-false}"
    
    echo "=== Login Window Configuration Monitor ==="
    
    # Basic configuration check
    local show_fullname=$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || echo "false")
    local display_mode=$([ "$show_fullname" == "true" ] && echo "Username/Password Dialog" || echo "User List")
    
    echo "Display Mode: $display_mode"
    
    # Power options status
    local shutdown_status=$([ "$(defaults read /Library/Preferences/com.apple.loginwindow ShutDownDisabled 2>/dev/null)" == "true" ] && echo "Hidden" || echo "Visible")
    local restart_status=$([ "$(defaults read /Library/Preferences/com.apple.loginwindow RestartDisabled 2>/dev/null)" == "true" ] && echo "Hidden" || echo "Visible")
    local sleep_status=$([ "$(defaults read /Library/Preferences/com.apple.loginwindow SleepDisabled 2>/dev/null)" == "true" ] && echo "Hidden" || echo "Visible")
    
    echo "Power Options:"
    echo "  Shutdown Button: $shutdown_status"
    echo "  Restart Button: $restart_status"
    echo "  Sleep Button: $sleep_status"
    
    # Custom message
    local custom_message=$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null || echo "None")
    echo "Custom Message: $custom_message"
    
    if [[ "$detailed" == "true" ]]; then
        echo ""
        echo "=== Detailed Configuration ==="
        
        # Additional settings
        local hide_local=$(defaults read /Library/Preferences/com.apple.loginwindow HideLocalUsers 2>/dev/null || echo "false")
        local hide_mobile=$(defaults read /Library/Preferences/com.apple.loginwindow HideMobileAccounts 2>/dev/null || echo "false")
        local guest_enabled=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo "false")
        local admin_info=$(defaults read /Library/Preferences/com.apple.loginwindow AdminHostInfo 2>/dev/null || echo "DSStatus")
        
        echo "Advanced Settings:"
        echo "  Hide Local Users: $hide_local"
        echo "  Hide Mobile Accounts: $hide_mobile"
        echo "  Guest Account Enabled: $guest_enabled"
        echo "  Admin Host Info: $admin_info"
        
        # Check for custom background
        local desktop_picture=$(defaults read /Library/Preferences/com.apple.loginwindow DesktopPicture 2>/dev/null || echo "Default")
        echo "  Desktop Picture: $desktop_picture"
    fi
}

# Main execution function
main() {
    local action="${1:-status}"
    local param1="${2:-}"
    local param2="${3:-}"
    local param3="${4:-}"
    local param4="${5:-}"
    
    log_action "=== MacFleet Login Window Management Started ==="
    log_action "Action: $action"
    
    # Ensure required privileges for configuration changes
    if [[ "$action" != "status" && "$action" != "help" && $EUID -ne 0 ]]; then
        echo "Error: This action requires administrator privileges"
        echo "Please run with sudo: sudo $0 $*"
        exit 1
    fi
    
    case "$action" in
        "policy")
            if [[ -z "$param1" ]]; then
                echo "Available policies: ${!LOGIN_POLICIES[*]}"
                exit 1
            fi
            enforce_login_policy "$param1" "$param2" "$param3" "$param4"
            ;;
        "secure")
            apply_security_hardening "${param1:-high}"
            ;;
        "message")
            if [[ -z "$param1" ]]; then
                echo "Usage: $0 message <message_text>"
                exit 1
            fi
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$param1"
            echo "✓ Custom message set: $param1"
            ;;
        "power")
            case "$param1" in
                "disable")
                    defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
                    defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled true
                    defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
                    echo "✓ All power options disabled"
                    ;;
                "enable")
                    defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled false
                    defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
                    defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled false
                    echo "✓ All power options enabled"
                    ;;
                *)
                    echo "Usage: $0 power <enable|disable>"
                    exit 1
                    ;;
            esac
            ;;
        "display")
            case "$param1" in
                "userlist")
                    defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME false
                    echo "✓ User list display enabled"
                    ;;
                "dialog")
                    defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
                    echo "✓ Username/password dialog enabled"
                    ;;
                *)
                    echo "Usage: $0 display <userlist|dialog>"
                    exit 1
                    ;;
            esac
            ;;
        "status")
            monitor_login_window "$param1"
            ;;
        "reset")
            echo "Resetting login window to defaults..."
            defaults delete /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || true
            defaults delete /Library/Preferences/com.apple.loginwindow ShutDownDisabled 2>/dev/null || true
            defaults delete /Library/Preferences/com.apple.loginwindow RestartDisabled 2>/dev/null || true
            defaults delete /Library/Preferences/com.apple.loginwindow SleepDisabled 2>/dev/null || true
            defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null || true
            echo "✓ Login window reset to system defaults"
            ;;
        "help")
            echo "Usage: $0 [action] [options...]"
            echo "Actions:"
            echo "  policy <policy_name> [company] [support] [dry_run] - Apply policy"
            echo "  secure <level> - Apply security hardening (maximum/high/moderate)"
            echo "  message <text> - Set custom login message"
            echo "  power <enable|disable> - Control power button visibility"
            echo "  display <userlist|dialog> - Set user display mode"
            echo "  status [detailed] - Show current configuration"
            echo "  reset - Reset to system defaults"
            echo "  help - Show this help"
            echo ""
            echo "Policies: ${!LOGIN_POLICIES[*]}"
            echo "Message Templates: ${!MESSAGE_TEMPLATES[*]}"
            ;;
        *)
            log_action "ERROR: Unknown action: $action"
            echo "Use '$0 help' for usage information"
            exit 1
            ;;
    esac
    
    log_action "=== Login window management completed ==="
}

# Execute main function
main "$@"

Login Window Security Best Practices

Corporate Security Configuration

#!/bin/bash

# Implement corporate login window security
implement_corporate_security() {
    echo "=== Implementing Corporate Login Window Security ==="
    
    # Hide user enumeration
    defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
    
    # Disable power options to prevent unauthorized shutdowns
    defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
    defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
    
    # Allow restart for updates (optional)
    defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled false
    
    # Set corporate security message
    defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Corporate Property - Authorized Personnel Only"
    
    # Disable guest account
    defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled false
    
    # Hide computer information
    defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo ""
    
    echo "✓ Corporate security configuration applied"
}

implement_corporate_security

Compliance and Audit Configuration

#!/bin/bash

# Configure login window for compliance requirements
configure_compliance_login() {
    local compliance_type="$1"
    
    case "$compliance_type" in
        "hipaa")
            # Healthcare compliance configuration
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled true
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "HIPAA Protected System - Healthcare Personnel Only"
            defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled false
            echo "✓ HIPAA compliance configuration applied"
            ;;
        "pci_dss")
            # Payment card industry compliance
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "PCI DSS Secure Environment - Authorized Access Only"
            defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled false
            echo "✓ PCI DSS compliance configuration applied"
            ;;
        "sox")
            # Financial compliance
            defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME true
            defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Financial Data System - SOX Compliance Required"
            defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled false
            echo "✓ SOX compliance configuration applied"
            ;;
        *)
            echo "Unknown compliance type: $compliance_type"
            return 1
            ;;
    esac
}

# Usage
configure_compliance_login "hipaa"

Troubleshooting Login Window Issues

Verify Configuration

#!/bin/bash

# Comprehensive login window configuration verification
verify_login_config() {
    echo "=== Login Window Configuration Verification ==="
    
    # Check all current settings
    echo "Current Settings:"
    echo "  Show Full Name: $(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || echo 'Not Set')"
    echo "  Shutdown Disabled: $(defaults read /Library/Preferences/com.apple.loginwindow ShutDownDisabled 2>/dev/null || echo 'Not Set')"
    echo "  Restart Disabled: $(defaults read /Library/Preferences/com.apple.loginwindow RestartDisabled 2>/dev/null || echo 'Not Set')"
    echo "  Sleep Disabled: $(defaults read /Library/Preferences/com.apple.loginwindow SleepDisabled 2>/dev/null || echo 'Not Set')"
    echo "  Login Text: $(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null || echo 'Not Set')"
    echo "  Guest Enabled: $(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo 'Not Set')"
    echo "  Hide Local Users: $(defaults read /Library/Preferences/com.apple.loginwindow HideLocalUsers 2>/dev/null || echo 'Not Set')"
    
    # Check file permissions
    echo ""
    echo "File Permissions:"
    ls -la /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null || echo "Login window plist not found"
    
    # Verify settings will take effect
    echo ""
    echo "Verification Tests:"
    if defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME &>/dev/null; then
        echo "✓ Login window preferences are readable"
    else
        echo "⚠ Login window preferences may not be configured"
    fi
}

verify_login_config

Reset to Defaults

#!/bin/bash

# Reset login window to system defaults
reset_login_window() {
    echo "=== Resetting Login Window to Defaults ==="
    
    # Remove all custom settings
    defaults delete /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow ShutDownDisabled 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow RestartDisabled 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow SleepDisabled 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow HideLocalUsers 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow HideMobileAccounts 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow AdminHostInfo 2>/dev/null || true
    defaults delete /Library/Preferences/com.apple.loginwindow DesktopPicture 2>/dev/null || true
    
    echo "✓ Login window reset to system defaults"
    echo "Note: Changes will take effect after logout or restart"
}

reset_login_window

Important Notes

  • Administrator privileges required for login window modifications
  • Changes take effect after logout or restart
  • Test thoroughly on individual devices before fleet deployment
  • Backup settings before making changes
  • Security implications - Consider hiding user lists in high-security environments
  • User experience - Balance security with usability
  • Compliance requirements - Some industries require specific login window configurations
  • Special characters - Avoid exclamation marks in custom messages due to shell interpretation

Login History Management on macOS

Monitor and analyze user login activity across your MacFleet devices using advanced command-line tools. This tutorial covers login history tracking, user session analysis, security auditing, and enterprise-grade compliance monitoring with comprehensive reporting capabilities.

Understanding macOS Login History Management

macOS provides several powerful tools for tracking user login activity:

  • who - Shows currently logged-in users and brief login history
  • last - Displays detailed login history with session information
  • dscl - Directory Services command line utility for user management
  • w - Extended user activity information with system load
  • finger - User information and login details (if available)

These tools access system logs and user databases to provide comprehensive login tracking capabilities.

Basic Login History Commands

Brief Login History with who

#!/bin/bash

# Display brief login history
get_brief_login_history() {
    echo "=== Brief Login History ==="
    who
    echo ""
    
    # Alternative with timestamps
    echo "=== Current User Sessions ==="
    who -u
}

# Execute basic login check
get_brief_login_history

Detailed Login History with last

#!/bin/bash

# Display detailed login history
get_detailed_login_history() {
    echo "=== Detailed Login History ==="
    last
    echo ""
    
    # Show last 10 login entries
    echo "=== Recent 10 Login Sessions ==="
    last -10
    echo ""
    
    # Show login history for today
    echo "=== Today's Login Sessions ==="
    last -t "$(date '+%Y%m%d%H%M%S')"
}

# Execute detailed login check
get_detailed_login_history

Check Specific User Login History

#!/bin/bash

# Get last login time for specific user
check_user_login() {
    local username="$1"
    
    if [[ -z "$username" ]]; then
        echo "Usage: check_user_login <username>"
        return 1
    fi
    
    echo "=== Last Login for User: $username ==="
    last -1 "$username"
    echo ""
    
    # Additional user information
    echo "=== User Account Information ==="
    dscl . -read "/Users/$username" RealName 2>/dev/null || echo "User not found"
    dscl . -read "/Users/$username" UniqueID 2>/dev/null || echo "UID not available"
}

# Example usage
# check_user_login "john.doe"

Advanced Login History Analysis

Comprehensive User Session Analysis

#!/bin/bash

# Advanced login history analysis with security insights
analyze_login_patterns() {
    echo "=== Comprehensive Login Analysis ==="
    echo "Generated: $(date)"
    echo "Hostname: $(hostname)"
    echo "=================================="
    echo ""
    
    # Current active sessions
    echo "1. ACTIVE USER SESSIONS:"
    echo "------------------------"
    who -u | while IFS= read -r line; do
        echo "  $line"
    done
    echo ""
    
    # Recent login activity (last 24 hours)
    echo "2. RECENT LOGIN ACTIVITY (24 hours):"
    echo "------------------------------------"
    local yesterday
    yesterday=$(date -v-1d '+%Y%m%d%H%M%S' 2>/dev/null || date -d 'yesterday' '+%Y%m%d%H%M%S' 2>/dev/null)
    
    if [[ -n "$yesterday" ]]; then
        last -t "$yesterday" | head -20
    else
        last -20
    fi
    echo ""
    
    # Failed login attempts (if available in logs)
    echo "3. FAILED LOGIN ATTEMPTS:"
    echo "-------------------------"
    grep "authentication failure" /var/log/system.log 2>/dev/null | tail -10 || echo "No recent failures found"
    echo ""
    
    # Login frequency analysis
    echo "4. LOGIN FREQUENCY BY USER:"
    echo "---------------------------"
    last | grep -v "wtmp begins" | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
    echo ""
    
    # Remote vs local logins
    echo "5. LOGIN SOURCE ANALYSIS:"
    echo "-------------------------"
    echo "Console logins:"
    last | grep -c "console" || echo "0"
    echo "Remote logins:"
    last | grep -v "console" | grep -v "wtmp begins" | wc -l | tr -d ' '
}

# Execute comprehensive analysis
analyze_login_patterns

User Account Discovery

#!/bin/bash

# List all users and their login status
discover_users() {
    echo "=== User Account Discovery ==="
    echo ""
    
    # All users from directory services
    echo "1. ALL SYSTEM USERS:"
    echo "-------------------"
    dscl . list /Users | grep -v "^_" | grep -v "^root" | grep -v "^daemon" | grep -v "^nobody"
    echo ""
    
    # Users with UID >= 500 (typically regular users)
    echo "2. REGULAR USER ACCOUNTS:"
    echo "------------------------"
    dscl . list /Users UniqueID | awk '$2 >= 500 {print $1, "(UID: " $2 ")"}'
    echo ""
    
    # Users with recent login activity
    echo "3. USERS WITH RECENT LOGIN ACTIVITY:"
    echo "------------------------------------"
    last | awk '{print $1}' | sort | uniq | grep -v "wtmp" | grep -v "^$" | head -10
    echo ""
    
    # Home directories
    echo "4. USER HOME DIRECTORIES:"
    echo "------------------------"
    ls -la /Users/ | grep -v "^total" | grep -v "Shared" | awk '{print $9, $3, $4}' | grep -v "^$"
}

# Execute user discovery
discover_users

Enterprise Login History Management System

#!/bin/bash

# MacFleet Enterprise Login History Management System
# Comprehensive user activity monitoring and security auditing

# Configuration
LOG_FILE="/var/log/macfleet_login_history.log"
REPORT_DIR="/var/reports/macfleet/login_history"
CONFIG_FILE="/etc/macfleet/login_monitoring.conf"
ALERT_THRESHOLD_FAILED_LOGINS=5
ALERT_THRESHOLD_UNUSUAL_HOURS=22  # Alert for logins after 10 PM

# Create directory structure
setup_directories() {
    mkdir -p "$(dirname "$LOG_FILE")" "$REPORT_DIR" "$(dirname "$CONFIG_FILE")"
    touch "$LOG_FILE"
}

# Logging function
log_action() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}

# Generate comprehensive login report
generate_login_report() {
    local report_file="$REPORT_DIR/login_report_$(date +%Y%m%d_%H%M%S).json"
    
    log_action "Generating comprehensive login history report: $report_file"
    
    {
        echo "{"
        echo "  \"report_type\": \"login_history\","
        echo "  \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\","
        echo "  \"hostname\": \"$(hostname)\","
        echo "  \"system_info\": {"
        echo "    \"macos_version\": \"$(sw_vers -productVersion)\","
        echo "    \"uptime\": \"$(uptime | awk -F'up ' '{print $2}' | awk -F', ' '{print $1}')\","
        echo "    \"current_users\": $(who | wc -l | tr -d ' ')"
        echo "  },"
        
        # Active sessions
        echo "  \"active_sessions\": ["
        local first_session=true
        who -u | while IFS= read -r line; do
            if [[ "$first_session" == "false" ]]; then
                echo ","
            fi
            first_session=false
            
            local user terminal login_time pid
            user=$(echo "$line" | awk '{print $1}')
            terminal=$(echo "$line" | awk '{print $2}')
            login_time=$(echo "$line" | awk '{print $3, $4}')
            pid=$(echo "$line" | awk '{print $6}')
            
            echo "    {"
            echo "      \"user\": \"$user\","
            echo "      \"terminal\": \"$terminal\","
            echo "      \"login_time\": \"$login_time\","
            echo "      \"pid\": \"$pid\""
            echo -n "    }"
        done
        echo ""
        echo "  ],"
        
        # Recent login history
        echo "  \"recent_logins\": ["
        local first_login=true
        last -20 | grep -v "wtmp begins" | while IFS= read -r line; do
            if [[ -n "$line" ]]; then
                if [[ "$first_login" == "false" ]]; then
                    echo ","
                fi
                first_login=false
                
                local user terminal source login_date login_time logout_info
                user=$(echo "$line" | awk '{print $1}')
                terminal=$(echo "$line" | awk '{print $2}')
                source=$(echo "$line" | awk '{print $3}')
                login_date=$(echo "$line" | awk '{print $4, $5, $6}')
                login_time=$(echo "$line" | awk '{print $7}')
                logout_info=$(echo "$line" | awk '{print $9, $10}')
                
                echo "    {"
                echo "      \"user\": \"$user\","
                echo "      \"terminal\": \"$terminal\","
                echo "      \"source\": \"$source\","
                echo "      \"login_date\": \"$login_date\","
                echo "      \"login_time\": \"$login_time\","
                echo "      \"logout_info\": \"$logout_info\""
                echo -n "    }"
            fi
        done
        echo ""
        echo "  ],"
        
        # User statistics
        echo "  \"user_statistics\": {"
        local total_users
        total_users=$(dscl . list /Users | grep -v "^_" | wc -l | tr -d ' ')
        echo "    \"total_system_users\": $total_users,"
        
        local regular_users
        regular_users=$(dscl . list /Users UniqueID | awk '$2 >= 500' | wc -l | tr -d ' ')
        echo "    \"regular_users\": $regular_users,"
        
        local active_login_users
        active_login_users=$(last | awk '{print $1}' | sort | uniq | grep -v "wtmp" | grep -v "^$" | wc -l | tr -d ' ')
        echo "    \"users_with_login_history\": $active_login_users"
        echo "  }"
        echo "}"
    } > "$report_file"
    
    log_action "Login history report generated successfully"
    echo "$report_file"
}

# Monitor for suspicious login activity
monitor_suspicious_activity() {
    log_action "Starting suspicious login activity monitoring..."
    
    local alerts=()
    
    # Check for unusual login times (configurable)
    local current_hour
    current_hour=$(date +%H)
    
    if [[ "$current_hour" -ge "$ALERT_THRESHOLD_UNUSUAL_HOURS" ]]; then
        local late_logins
        late_logins=$(who | wc -l | tr -d ' ')
        
        if [[ "$late_logins" -gt 0 ]]; then
            alerts+=("Late night login activity detected: $late_logins active sessions after $ALERT_THRESHOLD_UNUSUAL_HOURS:00")
        fi
    fi
    
    # Check for multiple failed login attempts
    local failed_logins
    failed_logins=$(grep "authentication failure" /var/log/system.log 2>/dev/null | grep "$(date '+%b %d')" | wc -l | tr -d ' ')
    
    if [[ "$failed_logins" -ge "$ALERT_THRESHOLD_FAILED_LOGINS" ]]; then
        alerts+=("High number of failed login attempts today: $failed_logins failures")
    fi
    
    # Check for root logins
    local root_logins
    root_logins=$(last | grep "^root " | head -5 | wc -l | tr -d ' ')
    
    if [[ "$root_logins" -gt 0 ]]; then
        alerts+=("Recent root login activity detected: $root_logins sessions")
    fi
    
    # Check for simultaneous logins from same user
    local duplicate_users
    duplicate_users=$(who | awk '{print $1}' | sort | uniq -d)
    
    if [[ -n "$duplicate_users" ]]; then
        alerts+=("Multiple simultaneous sessions detected for users: $duplicate_users")
    fi
    
    # Report alerts
    if [[ ${#alerts[@]} -eq 0 ]]; then
        log_action "✅ No suspicious login activity detected"
        return 0
    else
        log_action "⚠️  Suspicious login activity alerts:"
        for alert in "${alerts[@]}"; do
            log_action "  - $alert"
        done
        return 1
    fi
}

# Analyze login patterns for security insights
analyze_security_patterns() {
    log_action "Analyzing login patterns for security insights..."
    
    echo "=== Security Pattern Analysis ==="
    echo ""
    
    # Login frequency by day of week
    echo "1. LOGIN FREQUENCY BY DAY:"
    echo "--------------------------"
    last | grep -v "wtmp begins" | awk '{print $4}' | sort | uniq -c | sort -nr
    echo ""
    
    # Most active users
    echo "2. MOST ACTIVE USERS:"
    echo "--------------------"
    last | grep -v "wtmp begins" | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
    echo ""
    
    # Login sources analysis
    echo "3. LOGIN SOURCES:"
    echo "----------------"
    echo "Console logins: $(last | grep -c "console")"
    echo "Remote logins: $(last | grep -v "console" | grep -v "wtmp begins" | wc -l | tr -d ' ')"
    echo ""
    
    # Session duration analysis
    echo "4. SESSION PATTERNS:"
    echo "-------------------"
    local avg_sessions
    avg_sessions=$(last | grep -v "wtmp begins" | grep -v "still logged in" | wc -l | tr -d ' ')
    echo "Total completed sessions: $avg_sessions"
    
    local active_sessions
    active_sessions=$(who | wc -l | tr -d ' ')
    echo "Currently active sessions: $active_sessions"
    echo ""
    
    # Time-based analysis
    echo "5. LOGIN TIME PATTERNS:"
    echo "----------------------"
    echo "Business hours (9-17): $(last | awk '{print $7}' | grep -E '^(09|1[0-7]):' | wc -l | tr -d ' ')"
    echo "After hours (18-08): $(last | awk '{print $7}' | grep -E '^(1[8-9]|2[0-3]|0[0-8]):' | wc -l | tr -d ' ')"
}

# User access audit
perform_user_audit() {
    local audit_file="$REPORT_DIR/user_audit_$(date +%Y%m%d_%H%M%S).txt"
    
    log_action "Performing comprehensive user access audit: $audit_file"
    
    {
        echo "MacFleet User Access Audit Report"
        echo "Generated: $(date)"
        echo "Hostname: $(hostname)"
        echo "=================================="
        echo ""
        
        echo "SYSTEM OVERVIEW:"
        echo "----------------"
        echo "macOS Version: $(sw_vers -productVersion)"
        echo "Build: $(sw_vers -buildVersion)"
        echo "System Uptime: $(uptime | awk -F'up ' '{print $2}' | awk -F', ' '{print $1}')"
        echo "Current Date/Time: $(date)"
        echo ""
        
        echo "USER ACCOUNT SUMMARY:"
        echo "---------------------"
        echo "Total system users: $(dscl . list /Users | wc -l | tr -d ' ')"
        echo "Regular users (UID >= 500): $(dscl . list /Users UniqueID | awk '$2 >= 500' | wc -l | tr -d ' ')"
        echo "Currently logged in: $(who | wc -l | tr -d ' ')"
        echo ""
        
        echo "DETAILED USER INFORMATION:"
        echo "--------------------------"
        dscl . list /Users UniqueID | awk '$2 >= 500' | while read -r username uid; do
            echo "User: $username (UID: $uid)"
            
            # Real name
            local real_name
            real_name=$(dscl . -read "/Users/$username" RealName 2>/dev/null | grep "RealName:" | cut -d' ' -f2-)
            echo "  Real Name: ${real_name:-"Not set"}"
            
            # Home directory
            local home_dir
            home_dir=$(dscl . -read "/Users/$username" NFSHomeDirectory 2>/dev/null | grep "NFSHomeDirectory:" | cut -d' ' -f2)
            echo "  Home Directory: ${home_dir:-"Not set"}"
            
            # Last login
            local last_login
            last_login=$(last -1 "$username" 2>/dev/null | head -1 | awk '{print $4, $5, $6, $7}')
            echo "  Last Login: ${last_login:-"Never"}"
            
            # Account status
            local account_disabled
            account_disabled=$(dscl . -read "/Users/$username" AuthenticationAuthority 2>/dev/null | grep -c "DisabledUser" || echo "0")
            if [[ "$account_disabled" -gt 0 ]]; then
                echo "  Status: DISABLED"
            else
                echo "  Status: Active"
            fi
            
            echo ""
        done
        
        echo "RECENT LOGIN ACTIVITY:"
        echo "----------------------"
        last -50
        
        echo ""
        echo "SECURITY RECOMMENDATIONS:"
        echo "-------------------------"
        
        # Check for users without recent login activity
        local inactive_users
        inactive_users=$(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r user; do
            if ! last "$user" | grep -q "$(date '+%b')" 2>/dev/null; then
                echo "$user"
            fi
        done)
        
        if [[ -n "$inactive_users" ]]; then
            echo "• Consider reviewing inactive user accounts:"
            echo "$inactive_users" | while read -r user; do
                echo "  - $user"
            done
        else
            echo "• All users have recent login activity"
        fi
        
        # Check for admin users
        local admin_users
        admin_users=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null | cut -d' ' -f2-)
        if [[ -n "$admin_users" ]]; then
            echo "• Review admin user access regularly:"
            for admin in $admin_users; do
                echo "  - $admin"
            done
        fi
        
    } > "$audit_file"
    
    log_action "User access audit completed successfully"
    echo "$audit_file"
}

# Export login data for external analysis
export_login_data() {
    local export_format="${1:-json}"  # json, csv, xml
    local export_file="$REPORT_DIR/login_export_$(date +%Y%m%d_%H%M%S).$export_format"
    
    log_action "Exporting login data in $export_format format: $export_file"
    
    case "$export_format" in
        "csv")
            {
                echo "User,Terminal,Source,LoginDate,LoginTime,LogoutInfo,Duration"
                last -100 | grep -v "wtmp begins" | while IFS= read -r line; do
                    if [[ -n "$line" ]]; then
                        echo "$line" | awk -F' ' '{
                            user=$1; terminal=$2; source=$3; 
                            login_date=$4" "$5" "$6; login_time=$7; 
                            logout_info=$9" "$10; duration=$8;
                            print user","terminal","source","login_date","login_time","logout_info","duration
                        }'
                    fi
                done
            } > "$export_file"
            ;;
        "json")
            generate_login_report > /dev/null
            cp "$REPORT_DIR"/login_report_*.json "$export_file" 2>/dev/null || echo "{\"error\": \"No recent report found\"}" > "$export_file"
            ;;
        "xml")
            {
                echo '<?xml version="1.0" encoding="UTF-8"?>'
                echo '<login_history>'
                echo "  <generated>$(date -u +%Y-%m-%dT%H:%M:%SZ)</generated>"
                echo "  <hostname>$(hostname)</hostname>"
                echo "  <sessions>"
                
                last -50 | grep -v "wtmp begins" | while IFS= read -r line; do
                    if [[ -n "$line" ]]; then
                        local user terminal source login_date login_time
                        user=$(echo "$line" | awk '{print $1}')
                        terminal=$(echo "$line" | awk '{print $2}')
                        source=$(echo "$line" | awk '{print $3}')
                        login_date=$(echo "$line" | awk '{print $4, $5, $6}')
                        login_time=$(echo "$line" | awk '{print $7}')
                        
                        echo "    <session>"
                        echo "      <user>$user</user>"
                        echo "      <terminal>$terminal</terminal>"
                        echo "      <source>$source</source>"
                        echo "      <login_date>$login_date</login_date>"
                        echo "      <login_time>$login_time</login_time>"
                        echo "    </session>"
                    fi
                done
                
                echo "  </sessions>"
                echo '</login_history>'
            } > "$export_file"
            ;;
        *)
            log_action "ERROR: Unsupported export format: $export_format"
            return 1
            ;;
    esac
    
    log_action "Login data exported successfully"
    echo "$export_file"
}

# Main management function
main() {
    local action="${1:-report}"
    local parameter="$2"
    
    setup_directories
    log_action "MacFleet Login History Management started with action: $action"
    
    case "$action" in
        "brief")
            who
            ;;
        "detailed")
            last
            ;;
        "user")
            if [[ -n "$parameter" ]]; then
                last -1 "$parameter"
            else
                echo "Usage: $0 user <username>"
                exit 1
            fi
            ;;
        "users")
            dscl . list /Users | grep -v "^_"
            ;;
        "analyze")
            analyze_security_patterns
            ;;
        "monitor")
            monitor_suspicious_activity
            ;;
        "audit")
            perform_user_audit
            ;;
        "export")
            export_login_data "$parameter"
            ;;
        "report"|*)
            generate_login_report
            ;;
    esac
    
    log_action "MacFleet Login History Management completed with action: $action"
}

# Execute main function with all arguments
main "$@"

Quick Management Functions

Simple Login Status Check

#!/bin/bash

# Quick login status with enhanced output
quick_login_status() {
    echo "📊 MacFleet Login Status - $(date)"
    echo "=================================="
    
    # Current users
    local current_users
    current_users=$(who | wc -l | tr -d ' ')
    echo "👥 Currently logged in: $current_users users"
    
    if [[ "$current_users" -gt 0 ]]; then
        echo ""
        echo "Active Sessions:"
        who | while IFS= read -r line; do
            echo "  🔹 $line"
        done
    fi
    
    echo ""
    echo "📈 Recent Activity:"
    echo "  - Last 24 hours: $(last -t "$(date -v-1d '+%Y%m%d%H%M%S' 2>/dev/null || date -d 'yesterday' '+%Y%m%d%H%M%S')" | wc -l | tr -d ' ') logins"
    echo "  - This week: $(last | grep "$(date '+%b')" | wc -l | tr -d ' ') logins"
    
    # System uptime
    echo "  - System uptime: $(uptime | awk -F'up ' '{print $2}' | awk -F', ' '{print $1}')"
}

quick_login_status

User Login Summary

#!/bin/bash

# Generate user login summary
user_login_summary() {
    echo "🔍 User Login Summary"
    echo "===================="
    echo ""
    
    echo "Top 10 Most Active Users:"
    echo "------------------------"
    last | grep -v "wtmp begins" | awk '{print $1}' | sort | uniq -c | sort -nr | head -10 | while read -r count user; do
        echo "  $user: $count logins"
    done
    
    echo ""
    echo "Recent User Activity:"
    echo "--------------------"
    dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}' | head -10 | while read -r username; do
        local last_login
        last_login=$(last -1 "$username" 2>/dev/null | head -1 | awk '{print $4, $5, $7}' | tr -s ' ')
        echo "  $username: ${last_login:-"No recent activity"}"
    done
}

user_login_summary

Security Monitoring Functions

Failed Login Detection

#!/bin/bash

# Monitor and report failed login attempts
monitor_failed_logins() {
    echo "🔒 Failed Login Monitoring"
    echo "=========================="
    echo ""
    
    # Check system log for authentication failures
    echo "Recent Failed Login Attempts:"
    echo "-----------------------------"
    
    # Last 24 hours of failed attempts
    grep "authentication failure" /var/log/system.log 2>/dev/null | grep "$(date '+%b %d')" | while IFS= read -r line; do
        echo "  ⚠️  $line"
    done || echo "  ✅ No failed login attempts found today"
    
    echo ""
    echo "Failed Login Summary:"
    echo "--------------------"
    
    # Count failures by user (if available)
    local failure_count
    failure_count=$(grep "authentication failure" /var/log/system.log 2>/dev/null | grep "$(date '+%b %d')" | wc -l | tr -d ' ')
    echo "  Total failures today: $failure_count"
    
    # Recommendations
    if [[ "$failure_count" -gt 5 ]]; then
        echo ""
        echo "🚨 Security Alert: High number of failed logins detected!"
        echo "  - Review user accounts for potential brute force attacks"
        echo "  - Consider implementing account lockout policies"
        echo "  - Check for suspicious IP addresses in logs"
    fi
}

monitor_failed_logins

Session Duration Analysis

#!/bin/bash

# Analyze user session durations
analyze_session_duration() {
    echo "⏱️  Session Duration Analysis"
    echo "============================="
    echo ""
    
    echo "Session Statistics:"
    echo "-------------------"
    
    # Active sessions
    local active_count
    active_count=$(who | wc -l | tr -d ' ')
    echo "  Active sessions: $active_count"
    
    # Completed sessions analysis
    echo "  Recent completed sessions:"
    last | grep -v "still logged in" | grep -v "wtmp begins" | head -10 | while IFS= read -r line; do
        local duration
        duration=$(echo "$line" | awk '{print $10}' | tr -d '()')
        if [[ -n "$duration" ]]; then
            echo "    Duration: $duration"
        fi
    done
    
    echo ""
    echo "Long-running Sessions (Active):"
    echo "-------------------------------"
    who -u | while IFS= read -r line; do
        local login_time pid idle
        login_time=$(echo "$line" | awk '{print $3, $4}')
        pid=$(echo "$line" | awk '{print $6}')
        idle=$(echo "$line" | awk '{print $5}')
        
        if [[ "$idle" != "." ]]; then
            echo "  Session started: $login_time (Idle: $idle)"
        else
            echo "  Session started: $login_time (Active)"
        fi
    done
}

analyze_session_duration

Configuration and Compliance

Login Policy Configuration

# /etc/macfleet/login_monitoring.conf
# MacFleet Login History Monitoring Configuration

# Alert thresholds
ALERT_THRESHOLD_FAILED_LOGINS=5
ALERT_THRESHOLD_UNUSUAL_HOURS=22
ALERT_THRESHOLD_SIMULTANEOUS_SESSIONS=3

# Monitoring settings
MONITOR_INTERVAL_MINUTES=15
LOG_RETENTION_DAYS=90
REPORT_GENERATION_SCHEDULE="daily"

# Security policies
REQUIRE_LOGIN_AUDIT_TRAIL=true
ALERT_ON_ROOT_LOGIN=true
ALERT_ON_AFTER_HOURS_LOGIN=true
MONITOR_REMOTE_LOGINS=true

# Compliance settings
GDPR_COMPLIANCE=true
SOX_COMPLIANCE=false
HIPAA_COMPLIANCE=false
EXPORT_FORMAT="json"  # json, csv, xml

Compliance Reporting

#!/bin/bash

# Generate compliance-ready login reports
generate_compliance_report() {
    local compliance_type="${1:-general}"
    local report_file="$REPORT_DIR/compliance_${compliance_type}_$(date +%Y%m%d).txt"
    
    echo "📋 Generating $compliance_type compliance report..."
    
    {
        echo "LOGIN HISTORY COMPLIANCE REPORT"
        echo "==============================="
        echo "Report Type: $compliance_type"
        echo "Generated: $(date)"
        echo "Period: $(date -v-30d '+%Y-%m-%d') to $(date '+%Y-%m-%d')"
        echo "System: $(hostname)"
        echo ""
        
        case "$compliance_type" in
            "gdpr")
                echo "GDPR DATA PROCESSING RECORD:"
                echo "----------------------------"
                echo "• Login data collected for security monitoring"
                echo "• Data retention: 90 days (configurable)"
                echo "• Access controls: Admin users only"
                echo "• Data subjects: All system users"
                echo ""
                ;;
            "sox")
                echo "SOX ACCESS CONTROL COMPLIANCE:"
                echo "------------------------------"
                echo "• User access monitoring: Enabled"
                echo "• Privileged access tracking: Enabled"
                echo "• Failed login monitoring: Enabled"
                echo "• Audit trail completeness: Verified"
                echo ""
                ;;
            "hipaa")
                echo "HIPAA ACCESS AUDIT REQUIREMENTS:"
                echo "--------------------------------"
                echo "• User authentication logging: Active"
                echo "• Access attempt monitoring: Enabled"
                echo "• Minimum necessary access: Under review"
                echo "• Audit log integrity: Maintained"
                echo ""
                ;;
        esac
        
        echo "DETAILED LOGIN ACTIVITY:"
        echo "------------------------"
        last -30
        
        echo ""
        echo "USER ACCESS SUMMARY:"
        echo "-------------------"
        dscl . list /Users UniqueID | awk '$2 >= 500' | while read -r username uid; do
            local login_count
            login_count=$(last "$username" | grep -v "wtmp begins" | wc -l | tr -d ' ')
            echo "$username (UID: $uid): $login_count login sessions"
        done
        
    } > "$report_file"
    
    echo "✅ Compliance report generated: $report_file"
}

# Generate different compliance reports
# generate_compliance_report "gdpr"
# generate_compliance_report "sox"
# generate_compliance_report "hipaa"

Important Technical Notes

Command Details

  • who: Shows current logged-in users with login times
  • last: Displays login history from /var/log/wtmp
  • dscl: Directory Services command line for user information
  • w: Extended version of who with system load information

Log File Locations

  • /var/log/wtmp: Binary login history database
  • /var/log/system.log: System log including authentication events
  • /var/log/secure.log: Security-related log entries (if enabled)

Security Considerations

  1. Privacy Compliance: Login monitoring must comply with local privacy laws
  2. Data Retention: Implement appropriate retention policies for audit logs
  3. Access Control: Restrict access to login history data to authorized personnel
  4. Real-time Monitoring: Consider implementing real-time alerts for suspicious activity

Best Practices

  1. Regular Auditing: Review login patterns regularly for anomalies
  2. Automated Monitoring: Set up automated alerts for suspicious activity
  3. Data Retention: Maintain appropriate log retention for compliance requirements
  4. User Privacy: Balance security monitoring with user privacy expectations
  5. Documentation: Maintain clear documentation of monitoring procedures
  6. Integration: Consider integrating with SIEM systems for centralized monitoring
  7. Performance Impact: Monitor system performance impact of logging activities
  8. Backup Strategy: Implement backup procedures for critical audit logs

Remember to validate all scripts on test devices before deploying across your MacFleet environment, and ensure compliance with your organization's privacy and security policies when implementing login history monitoring.

Manage Location Services on macOS

Control Location Services across your MacFleet devices using command-line tools. This tutorial covers enabling, disabling, and monitoring location services for better privacy management and security compliance.

Understanding macOS Location Services

Location Services enable macOS applications and services to gather location-based information to enhance user experience. However, enabling these services can create potential security and privacy concerns.

Key considerations:

  • Enhanced functionality - Apps like Maps require location access
  • Privacy concerns - Potential for tracking and data collection
  • Security risks - Increased attack surface for malicious actors
  • Compliance requirements - Enterprise policies may require location restrictions

Enable Location Services

Basic Location Services Activation

#!/bin/bash

# Enable Location Services system-wide
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true

echo "Location Services enabled successfully"
echo "⚠️  Device restart required for changes to take effect"

Enable with Automatic Restart

#!/bin/bash

# Enable Location Services and schedule restart
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true

echo "Location Services configuration updated"
echo "Scheduling system restart in 60 seconds..."

# Give users time to save work
sleep 60
sudo reboot

Verify Activation Success

#!/bin/bash

# Enable Location Services with verification
echo "Enabling Location Services..."
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true

# Check if the setting was applied
if sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" LocationServicesEnabled 2>/dev/null; then
    echo "✅ Location Services configuration updated successfully"
    echo "🔄 Restart required to apply changes"
else
    echo "❌ Failed to update Location Services configuration"
    exit 1
fi

Disable Location Services

Basic Location Services Deactivation

#!/bin/bash

# Disable Location Services system-wide
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false

echo "Location Services disabled successfully"
echo "⚠️  Device restart required for changes to take effect"

Disable with Privacy Notification

#!/bin/bash

# Disable Location Services with user notification
echo "🔒 Implementing privacy protection measures..."
echo "Disabling Location Services for enhanced security"

sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false

echo "✅ Location Services have been disabled"
echo "🔄 System restart required to complete the process"
echo "📱 Applications will no longer have access to location data"

Enterprise Security Disable

#!/bin/bash

# Enterprise-grade location services disable with logging
LOG_FILE="/var/log/macfleet_location_services.log"

# Logging function
log_action() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}

log_action "=== Location Services Security Disable Initiated ==="

# Check current status
CURRENT_STATUS=$(sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" LocationServicesEnabled 2>/dev/null)

if [[ "$CURRENT_STATUS" == "1" ]]; then
    log_action "Location Services currently enabled - proceeding with disable"
    
    # Disable location services
    sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false
    
    log_action "Location Services disabled for security compliance"
    log_action "System restart required to complete security hardening"
    
    echo "🔒 Security policy applied: Location Services disabled"
    echo "📋 Action logged to: $LOG_FILE"
else
    log_action "Location Services already disabled - no action required"
    echo "✅ Location Services already secured"
fi

Check Location Services Status

Basic Status Check

#!/bin/bash

# Check current Location Services status
sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd"

echo "Location Services status retrieved"

Detailed Status Report

#!/bin/bash

# Comprehensive Location Services status check
echo "=== Location Services Status Report ==="
echo "Device: $(hostname)"
echo "Date: $(date)"
echo "========================================"

# Check if locationd daemon is running
if pgrep -x "locationd" > /dev/null; then
    echo "📍 Location daemon: Running"
else
    echo "❌ Location daemon: Not running"
fi

# Get current configuration
STATUS_OUTPUT=$(sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" 2>&1)

if echo "$STATUS_OUTPUT" | grep -q "LocationServicesEnabled = 1"; then
    echo "🟢 Location Services: ENABLED"
    echo "📱 Applications can access location data"
elif echo "$STATUS_OUTPUT" | grep -q "LocationServicesEnabled = 0"; then
    echo "🔴 Location Services: DISABLED"
    echo "🔒 Location access blocked for all applications"
else
    echo "⚠️  Location Services: Status unclear"
    echo "Raw output: $STATUS_OUTPUT"
fi

echo "========================================"

Fleet-wide Status Monitoring

#!/bin/bash

# MacFleet Location Services Monitoring Script
LOG_FILE="/var/log/macfleet_location_monitoring.log"
REPORT_FILE="/tmp/location_services_report.txt"

# Create status report
generate_report() {
    {
        echo "MacFleet Location Services Report"
        echo "Generated: $(date)"
        echo "Device: $(hostname)"
        echo "User: $(whoami)"
        echo "================================"
        echo ""
        
        # System information
        echo "System Information:"
        echo "OS Version: $(sw_vers -productVersion)"
        echo "Build: $(sw_vers -buildVersion)"
        echo ""
        
        # Location daemon status
        echo "Location Daemon Status:"
        if pgrep -x "locationd" > /dev/null; then
            echo "Status: Running (PID: $(pgrep -x "locationd"))"
        else
            echo "Status: Not Running"
        fi
        echo ""
        
        # Configuration status
        echo "Location Services Configuration:"
        local status_output
        status_output=$(sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" 2>&1)
        
        if echo "$status_output" | grep -q "LocationServicesEnabled = 1"; then
            echo "Status: ENABLED"
            echo "Privacy Level: Standard"
        elif echo "$status_output" | grep -q "LocationServicesEnabled = 0"; then
            echo "Status: DISABLED"
            echo "Privacy Level: High"
        else
            echo "Status: Unknown"
            echo "Raw Configuration:"
            echo "$status_output"
        fi
        
        echo ""
        echo "Report completed at: $(date)"
        
    } > "$REPORT_FILE"
    
    echo "📊 Report generated: $REPORT_FILE"
}

# Log monitoring action
echo "$(date '+%Y-%m-%d %H:%M:%S') - Location Services monitoring initiated" >> "$LOG_FILE"

# Generate the report
generate_report

# Display summary
echo "=== MacFleet Location Services Summary ==="
cat "$REPORT_FILE"

Advanced Location Management

Conditional Location Control

#!/bin/bash

# Smart location services management based on environment
NETWORK_SSID=$(networksetup -getairportnetwork en0 | cut -d' ' -f4-)
LOCATION_POLICY=""

# Define location policies based on network
case "$NETWORK_SSID" in
    "Corporate_WiFi"|"Company_Network")
        LOCATION_POLICY="disable"
        echo "🏢 Corporate network detected - applying security policy"
        ;;
    "Home_Network"|"Personal_WiFi")
        LOCATION_POLICY="enable"
        echo "🏠 Personal network detected - allowing location services"
        ;;
    *)
        LOCATION_POLICY="disable"
        echo "🔒 Unknown network - applying restrictive policy"
        ;;
esac

# Apply the policy
if [[ "$LOCATION_POLICY" == "disable" ]]; then
    sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false
    echo "🔴 Location Services disabled for security"
else
    sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true
    echo "🟢 Location Services enabled"
fi

echo "⚠️  Restart required for changes to take effect"

Location Services Backup and Restore

#!/bin/bash

# Backup and restore location services configuration
BACKUP_DIR="/var/backups/macfleet"
BACKUP_FILE="$BACKUP_DIR/location_services_$(date +%Y%m%d_%H%M%S).plist"

# Create backup directory
sudo mkdir -p "$BACKUP_DIR"

backup_settings() {
    echo "📦 Backing up Location Services configuration..."
    
    if sudo cp "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist" "$BACKUP_FILE" 2>/dev/null; then
        echo "✅ Backup saved to: $BACKUP_FILE"
    else
        echo "❌ Backup failed - configuration file may not exist"
        return 1
    fi
}

restore_settings() {
    local restore_file="$1"
    
    if [[ -z "$restore_file" ]]; then
        echo "Usage: restore_settings <backup_file>"
        return 1
    fi
    
    if [[ ! -f "$restore_file" ]]; then
        echo "❌ Backup file not found: $restore_file"
        return 1
    fi
    
    echo "🔄 Restoring Location Services configuration..."
    
    if sudo cp "$restore_file" "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist"; then
        echo "✅ Configuration restored successfully"
        echo "🔄 Restart required to apply changes"
    else
        echo "❌ Restore failed"
        return 1
    fi
}

# Execute backup
backup_settings

Security Considerations

Enterprise Security Hardening

#!/bin/bash

# Comprehensive location services security hardening
echo "🔒 MacFleet Security Hardening: Location Services"
echo "================================================="

# 1. Disable location services
echo "Step 1: Disabling Location Services..."
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false

# 2. Verify daemon configuration
echo "Step 2: Verifying daemon configuration..."
if pgrep -x "locationd" > /dev/null; then
    echo "⚠️  Location daemon still running (will stop after restart)"
else
    echo "✅ Location daemon not running"
fi

# 3. Set file permissions
echo "Step 3: Securing configuration files..."
sudo chmod 600 /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist 2>/dev/null
sudo chown _locationd:_locationd /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist 2>/dev/null

# 4. Create security report
SECURITY_REPORT="/var/log/macfleet_location_security.log"
{
    echo "MacFleet Location Security Hardening Report"
    echo "Date: $(date)"
    echo "Device: $(hostname)"
    echo "Action: Location Services Disabled"
    echo "Compliance: Enhanced Privacy Protection"
    echo "Next Steps: System restart required"
} | sudo tee -a "$SECURITY_REPORT"

echo "✅ Security hardening completed"
echo "📋 Report saved to: $SECURITY_REPORT"
echo "🔄 System restart required to complete hardening"

Important Notes

  • System restart required - Changes take effect only after reboot
  • Administrative privileges - All commands require sudo access
  • App-specific settings - These scripts control system-wide settings only
  • macOS version compatibility - Scripts tested on macOS 10.14+
  • Privacy compliance - Consider legal requirements in your jurisdiction
  • User notification - Inform users of location policy changes

Troubleshooting

Common Issues

Permission Denied:

# Ensure proper daemon user context
sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd"

Configuration Not Applied:

# Force restart location daemon
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist

Verification Issues:

# Check system integrity
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

Remember to test these scripts on individual devices before deploying across your MacFleet environment.

Newer postsPrevious posts