How can I be auto logged in with the computer locked?

I want to have the computer log me in so all my login items can get started, but I need it to be secure, aka it still needs to ask me for my password before I can actually use the computer.


Solution 1:

I outlined how to do this at https://www.engadget.com/2011-03-07-terminally-geeky-use-automatic-login-more-securely.html but I will summarize it for you:

  1. set your account to autologin
  2. create a login item (using launchd) which calls:

/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend

NOTE: that command should be ONE LONG LINE not two lines with a line break/line feed.

A more thorough explanation is available at TUAW, so I won't repeat it all here, because those are the relevant details.

What it does:

The idea is very simple, your account is set to auto-login, so all of your login items will run, however, one of those login items (the CGSession command listed above) will tell the loginwindow to appear. If you have used Fast User Switching before, you will be familiar with how it works.

"But what if someone holds down the shift key to stop autolaunching?"

In my testing, that will also prevent the user from being automatically logged in.

Is this 100% as safe as not using auto-login?

Probably not, but I'd consider it close to 99.999% as safe.

That said, use at your own risk, etc.

Solution 2:

Since not everybody is familiar with creating a launchd / launchctl script, here's how you do it.

This explains step two of @TJ Luomas' answer and provides another option for locking your computer based on @jordanbtucker's answer:

  1. Set your account to auto login

  2. Open TextEdit and create a new file containing the following

    #!/bin/bash
    
    /System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend
    
    • Another option is to put the screen to sleep combined with requiring a password every time your computer wakes from sleep, which keeps more processes enabled
    • To use this alternate method:

      • Go to System Preferences > Security & Privacy > General and enable Require password immediately after sleep or screen saver begins
      • Use this script instead

        #!/bin/bash
        
        pmset displaysleepnow
        
  3. Name the file suspend.sh and save it to your User folder (~)

    • Starting in Catalina, launchd may not be able to access the script from your User folder due to new privacy restrictions; I have confirmed it works from your Applications folder without requiring any privilege changes
  4. Open TextEdit and create a new file with the following content

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.fl034.suspendAfterLogin</string>
        <key>Program</key>
        <string>/Users/fl034/suspend.sh</string>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
    
    • Replace fl034 with your username
    • Ensure the Program path matches the location you chose in step 3
  5. Save the file to ~/Library/LaunchAgents/com.fl034.suspendAfterLogin.plist, replacing fl034 with your username

  6. Restart your Mac to see if it works


WARNING: This script leads to problems with App Store.app in macOS Catalina