
subjonas

macrumors 603
Original poster
Feb 10, 2014
6,215
6,703
There are a few things I’m not understanding regarding automatic login and automatic restart.

1. If automatic login is enabled, can’t anyone have unfettered access to your computer simply by restarting it when you’re not around?
2. Isn’t automatic restart (due to freeze or power failure) only useful if your computer is not password protected and/or has automatic login enabled—both of which leave the computer completely vulnerable when you’re not around? Is automatic restart mainly meant for some other function that doesn’t require logging in that I’m not aware of?
3. Are these features simply not meant to be useful for people who want their computers to be password protected when they’re not around? Isn’t that most people?
4. Is there no way to automatically start login items/applications, say after a power failure, while the computer is still under the security of a password? If not, is there a logical or technological limitation that prevents this?

I’m very curious about #1-3, but #4 is really what I’m getting at. I leave my Mac Mini running 24/7 as a file server that can be accessed remotely. Freezes and power interruptions are an infrequent but problematic occurrence as it causes me to lose remote access until I can return home. Very problematic if I’m on a trip. I have a UPS that will keep the computer going during short power outages, but long outages or UPS failure and computer freezes remain problems, as I want my computer always password protected when I’m not around.
 

brianmowrey

macrumors 6502
Oct 5, 2020
419
133
> 1. If automatic login is enabled, can’t anyone have unfettered access to your computer simply by restarting it when you’re not around?

Yes.

Mildly adequate workaround: Add screensaver engine to your Login Items. It is at

/System/Library/CoreServices/ScreenSaverEngine.app

This starts screensaver upon login. With security settings set to require password immediately, that will lock your user. However, it takes a few seconds after login to start the screensaver, and it can be interrupted during that time just by shaking the mouse.* So there's no technical limitation to what you want. Mac OS just has to disregard mouse and keyboard for a few seconds after login. But it doesn't. Maybe Big Sur changes this, idk.

You could layer other security measures over that, like exporting whatever files you need to access remotely to a separate, Standard User and setting that as the Automatic Login, and turning on Firmware password. If the files you need remotely are more sensitive than the ones you don't, that doesn't help a lot.

*Edit: Theoretically, with the Mini, someone could design a physical lock to block USB connections which would buttress the safety of this workaround.
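
The settings this workaround and its layered measures depend on (automatic login user, the ScreenSaverEngine Login Item, Standard vs. admin account, firmware password) can be audited from Terminal. The script below is an added example, not part of the original post; the function names, the `--audit` switch and the none/low/medium/high rubric are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. The rubric is an assumption of
# this example, built from the measures named above; it is not an Apple rating.

# risk_level AUTOLOGIN_USER LOGIN_ITEMS IS_ADMIN FIRMWARE_PW
#   AUTOLOGIN_USER  short name, or empty when automatic login is off
#   LOGIN_ITEMS     comma-separated Login Item names
#   IS_ADMIN        yes|no: is the auto-login account in group "admin"?
#   FIRMWARE_PW     yes|no: is a firmware password set?
risk_level() {
    # No auto-login: a restart stops at the login window.
    [ -n "$1" ] || { echo none; return 0; }
    case "$2" in
        *ScreenSaverEngine*) ;;          # lock engages shortly after login
        *) echo high; return 0 ;;        # restart hands over an open session
    esac
    # The few-second window before the screensaver starts is still there,
    # so the layered measures decide between medium and low.
    if [ "$3" = no ] && [ "$4" = yes ]; then echo low; else echo medium; fi
}

# collect: gather the four inputs on the Mac itself and print the level.
# firmwarepasswd needs sudo and exists only on Intel Macs.
collect() {
    user=$(defaults read /Library/Preferences/com.apple.loginwindow \
        autoLoginUser 2>/dev/null) || true
    items=$(osascript -e \
        'tell application "System Events" to get the name of every login item' \
        2>/dev/null) || true
    admin=no
    [ -n "$user" ] && dseditgroup -o checkmember -m "$user" admin \
        >/dev/null 2>&1 && admin=yes
    fw=no
    sudo firmwarepasswd -check 2>/dev/null | grep -q 'Enabled: Yes' && fw=yes
    echo "auto-login user: ${user:-<none>}  admin: $admin  firmware pw: $fw"
    risk_level "$user" "$items" "$admin" "$fw"
}

# Run the real audit only on macOS and only when asked: sh audit.sh --audit
if [ "$(uname -s)" = Darwin ] && [ "${1:-}" = "--audit" ]; then
    collect
fi
```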
 

subjonas

macrumors 603
Original poster
Feb 10, 2014
6,215
6,703
> Yes.
>
> Mildly adequate workaround: Add screensaver engine to your Login Items. It is at
>
> /System/Library/CoreServices/ScreenSaverEngine.app
>
> This starts screensaver upon login. With security settings set to require password immediately, that will lock your user. However, it takes a few seconds after login to start the screensaver, and it can be interrupted during that time just by shaking the mouse.* So there's no technical limitation to what you want. Mac OS just has to disregard mouse and keyboard for a few seconds after login. But it doesn't. Maybe Big Sur changes this, idk.
>
> You could layer other security measures over that, like exporting whatever files you need to access remotely to a separate, Standard User and setting that as the Automatic Login, and turning on Firmware password. If the files you need remotely are more sensitive than the ones you don't, that doesn't help a lot.
>
> *Edit: Theoretically, with the Mini, someone could design a physical lock to block USB connections which would buttress the safety of this workaround.

Thanks for the suggestions. The screensaver would be a perfect solution if it wasn’t for that few second window. And I don’t know how I would go about making a physical lock that I’d feel secure with haha.
I want all my files to be private so using a different login wouldn’t work for me.
I wonder though if there’s a way to have it automatically log in with my main login and then immediately switch to a guest login or something while my main login continues working in the background.

I just find it strange that there is no specifically designed solution for this, whether 1st or 3rd party. It’s not a mainstream use case for sure, but there’s gotta be more than a few people who want this.

> I use automatic login at home on my Mac mini since I live alone. Same with a desktop PC. I'm the only one here.

Do you not keep sensitive data or saved logins in your computer? If someone somehow got into my computer, they would have pretty much everything.
 

Blowback

macrumors 65816
Jan 10, 2018
1,301
735
VA
Off-topic (?) but watch and finger-print login solve this on the MBPro or laptops with control strip....if I’m understanding the issue correctly.
 

ApfelKuchen

macrumors 601
Aug 28, 2012
4,335
3,012
Between the coasts
> Yes.
>
> Mildly adequate workaround: Add screensaver engine to your Login Items. It is at
>
> /System/Library/CoreServices/ScreenSaverEngine.app
>
> This starts screensaver upon login. With security settings set to require password immediately, that will lock your user. However, it takes a few seconds after login to start the screensaver, and it can be interrupted during that time just by shaking the mouse.* So there's no technical limitation to what you want. Mac OS just has to disregard mouse and keyboard for a few seconds after login. But it doesn't. Maybe Big Sur changes this, idk.
>
> You could layer other security measures over that, like exporting whatever files you need to access remotely to a separate, Standard User and setting that as the Automatic Login, and turning on Firmware password. If the files you need remotely are more sensitive than the ones you don't, that doesn't help a lot.
>
> *Edit: Theoretically, with the Mini, someone could design a physical lock to block USB connections which would buttress the safety of this workaround.

And a Safe Boot would disable Login Items.

The fundamental concern for the OP seems to be the risk of unauthorized physical access (when the cat's away...). One can seek out all sorts of software-based solutions to locking down a device that's left out in the open (and still risk some combination of rare circumstances that leaves the server offline), or you can raise the bar to physical access (or both, of course).

However, my snarky answer would be, "This is why cloud computing has become so popular." 100% up-time is challenging to maintain. Redundancy/fail-over solutions at all steps in the chain while still maintaining security is expensive in small-scale installations (and Murphy's Law will still apply - As one corollary to that august Law states, "In a circuit protected by a fuse, the circuit will blow in order to protect the fuse."). A monthly cloud computing bill will probably be cheaper than anything you do to ensure 100% up-time in a remotely managed private server.

Would it be a good idea to maintain a backup copy of the cloud-based data? Sure. But a local machine setup to mirror the cloud doesn't require remote access or 100% up-time - when there's downtime the archive will re-sync to the cloud afterwards. There's a small risk that the cloud will fail at the same time the local backup fails, but there's a much higher probability of uptime in the cloud, and a smaller likelihood of data loss.

But if you must... For a simple, relatively low-cost kludge, try this: Automatic Login, Automatic Restart, and place the mini inside a securely locked, well ventilated enclosure. Will it deter a determined attack with power tools? Of course not, but if your primary concern is the idly curious rather than the outright malicious, it may do the trick.
 

Boyd01

Moderator
Staff member
Feb 21, 2012
7,947
4,879
New Jersey Pine Barrens
I use a Mini as an iTunes server so I can access about 2tb of my own media on my Apple TV's and other devices. It runs 24/7 and is set to automatically restart and login. I live alone and don't use this machine for anything else (no e-mail, no web-browsing) so I don't think there's much risk.

But I would not do this on any of my other Macs.
 

subjonas

macrumors 603
Original poster
Feb 10, 2014
6,215
6,703
> Off-topic (?) but watch and finger-print login solve this on the MBPro or laptops with control strip....if I’m understanding the issue correctly.

You may not be because I’m not understanding the relevance of biometrics to the issue...

> And a Safe Boot would disable Login Items.
>
> The fundamental concern for the OP seems to be the risk of unauthorized physical access (when the cat's away...). One can seek out all sorts of software-based solutions to locking down a device that's left out in the open (and still risk some combination of rare circumstances that leaves the server offline), or you can raise the bar to physical access (or both, of course).
>
> However, my snarky answer would be, "This is why cloud computing has become so popular." 100% up-time is challenging to maintain. Redundancy/fail-over solutions at all steps in the chain while still maintaining security is expensive in small-scale installations (and Murphy's Law will still apply - As one corollary to that august Law states, "In a circuit protected by a fuse, the circuit will blow in order to protect the fuse."). A monthly cloud computing bill will probably be cheaper than anything you do to ensure 100% up-time in a remotely managed private server.
>
> Would it be a good idea to maintain a backup copy of the cloud-based data? Sure. But a local machine setup to mirror the cloud doesn't require remote access or 100% up-time - when there's downtime the archive will re-sync to the cloud afterwards. There's a small risk that the cloud will fail at the same time the local backup fails, but there's a much higher probability of uptime in the cloud, and a smaller likelihood of data loss.
>
> But if you must... For a simple, relatively low-cost kludge, try this: Automatic Login, Automatic Restart, and place the mini inside a securely locked, well ventilated enclosure. Will it deter a determined attack with power tools? Of course not, but if your primary concern is the idly curious rather than the outright malicious, it may do the trick.

Well for one thing, there is no cloud service that lets me remotely use the applications I need. But also, while cloud is an ideal solution for some things, for others it’s wasteful and unnecessarily gives companies personal data, as would be the case here. At this point, I’m not looking for 100% guaranteed remote access at all times. If it was that mission critical, then yes I might have to just pay for a service. But as of now, I just want to use the full extent of what is made available to me already via my hardware, software, and internet connection. It’s mostly adequate now, except for the issue of not being able to automatically restart while remaining password protected. It seems like such a simple and obvious thing, which is why it’s baffling to me that it’s not possible.

Physical security appears to be the only way to go. I’m not aware of what options are out there yet, but I’m not optimistic. Either it will be huge and not very practical, or it will be small and not very secure. I tend to think a smash and grab thief would have no trouble hacking through smaller amounts of metal.

> I use a Mini as an iTunes server so I can access about 2tb of my own media on my Apple TV's and other devices. It runs 24/7 and is set to automatically restart and login. I live alone and don't use this machine for anything else (no e-mail, no web-browsing) so I don't think there's much risk.
>
> But I would not do this on any of my other Macs.

Ah. That seems like the only really solid use case for these features so far.
 