The Pane Login

The pane Login controls system preference settings for the login screen that shows the entry fields for name and password before an actual user session can begin. macOS will only use a login if you haven’t configured it to perform an automatic login with a predefined user account. You can enable the login by using the sequence Users & Groups > Login Options > Automatic login: Off in System Preferences.

macOS also uses automatic login if you have enabled the FileVault feature to encrypt the system disk. In this case, the firmware uses its own built-in login screen, asking for the password, which is then used to decrypt and start the operating system. The password is hereby passed from the firmware to the system, avoiding that it has to be entered twice. You cannot disable automatic login in this case, so the login screen won’t be used. The alternative login screen of the firmware (which partially depends on the recovery partition) cannot be customized via TinkerTool System.

Options you modify on the Login pane of TinkerTool System will take effect immediately. To return the login screen preferences to the factory settings defined by Apple, press the button Reset all to defaults at the lower right corner of the window. Note that pressing this button will affect the options on all tab items offered by the Login pane, not only the options visible in the front item. The only exception are the “hide” settings for local user accounts, because resetting them requires a special type of login. More details can be found in the following sections.

Display Style

The first tab controls the basic style of the login screen. You can switch between using

Login screen settings
Login screen settings

If the latter option is selected, you will be able to further influence which users should be included in the list:

Depending on the list of user accounts found on the local system and in network directory services, the login screen may choose to ignore one or all of the above settings. This is necessary to guarantee that at least one user can successfully log in. Otherwise, it could happen that the list is empty and the login screen would become unusable.

Attention However, you should not rely on this safety feature. Depending on operating system version and the user accounts available on your computer, disabling too many user categories could cause the system to no longer offer “useful” logins. In case of emergency, you can use the TinkerTool System Standalone Utility to reset the login screen to factory defaults. Remember that this tool must be installed in advance to be available.

Additional options allow the control which buttons should be displayed at the bottom of the window:

Special Features

The login screen is capable of supporting several advanced features for professional users. By default, the login screen only displays the current time (and the battery status for mobile systems) in addition to the entry fields. For diagnostic purposes, especially in large networks, more information about the computer can be shown if necessary. The login screen can display the computer’s TCP/IP host name, the OS version number, and the computer’s primary IP address. The items will be shown in this order after you click onto the clock in the upper right corner of the login screen. To enable this feature, set a check mark at Show host name/OS version/IP address when clicking the clock.

Special features
Special features

Another “pro” feature of the login screen is its capability to shutdown the graphical user interface, switching to operation in classic UNIX text mode instead. This is done by entering the text >console as user name and specifying no password. The user will then receive a login request from the Darwin base operating system. You can disable this feature by checking the option Don’t allow to switch to text mode via “>console”.

If you have installed more than one version of macOS on one computer, the operating system will support the additional feature that user accounts from one installation can log into the operating system of another installation. This is called an external user account. The option Enable external accounts controls if the login screen of your current operating system should allow these other users to log in.

Screen Saver

If desired, you can choose the screen saver used for the login screen. Set a check mark at Enable the custom screen saver set below and select an activation time (Start screen saver after…). The interval can be set either by entering the numerical value in minutes, or by using a slider. The type of screen saver will be determined by the setting Screen saver which has three options:

In the latter case, press the button Select… to navigate to one of the screen saver plug-ins available in your installation of macOS. You can also select third-party screen savers under the condition that they can be opened by everyone. Note that the login screen does not allow to specify any additional options for these screen savers. They will always run with their default settings.

Screen saver
Screen saver

Hide User

macOS supports a feature to hide selected user accounts in case you had activated the display style List of users for the login screen. This can make sense to keep the list clean, offering “real” users in the list only, not some special accounts which might have been created for administrators, technicians, or other service tasks. Such role accounts can still log in via the Other button in the list.

Hide accounts in the login list of users
Hide accounts in the login list of users

TinkerTool System shows all local user accounts which belong to standard users that have permission to log in, on the tab item Hide User. The accounts are sorted by their numerical identification codes which usually match the order in which they have been created. To hide a user, set a check mark in the column Hide and press the button Save… to store your settings.

After pressing the save button, TinkerTool System will ask for name and password to authenticate with the Open Directory account database on the local computer. Although you can use the same names and passwords of administrative users as in standard login situations, this type of login is technically different.

In this particular case, it is actually TinkerTool System, not macOS, asking for the password. The credentials are then verified by the Open Directory subsystem which will grant or deny permission, depending on the results.

To undo changes which have not been saved yet, press the button Revert. TinkerTool System only offers local user accounts in the list, not network users which might be stored on other directory services.

The hidden user accounts may still be visible indirectly, e.g. by their private home folders at /Users and by their individual entries for file sharing. To hide these items as well, experienced administrators can additionally do the following:

  1. Move the affected home folder of the hidden user to an invisible Unix folder, for example inside /var. Then open System Preferences > Users & Groups, right-click the affected account, and select Advanced options in the context menu. Set Home directory to the new location of the user’s private folder.
  2. Open System Preferences > Sharing > File Sharing and remove all entries in the list Shared Folders which should no longer be active.