5.7 Ensure an Administrator Account Cannot Log In to Another User's Active and Locked Session

Information

macOS has a privilege that can be granted to any user that will allow that user to unlock an active user's sessions.

Disabling the administrator's and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.

Solution

Terminal Method:

Run the following command to disable a user logging into another user's active and/or locked session:

$ /usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver authenticate-session-owner

YES (0)

Running this command will disable Touch ID to unlock the screen saver. To re-enable Touch ID for users, run the following command:

$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1

Impact:

While Fast user switching is a workaround for some lab environments, especially where there is even less of an expectation of privacy, this setting change may impact some maintenance workflows.

See Also

https://workbench.cisecurity.org/benchmarks/15552