
Level Verified

macOS Lock Device Script

Created by: Level

Type: Script

Category: Security

Platforms: Windows, Apple iOS, Linux

Problem Overview

When a macOS endpoint is suspected of unauthorized access or is at risk of compromise, completely locking down the system becomes essential. This script swiftly handles that by logging out active users and disabling their local accounts, ensuring no one can re-enter without the proper credentials or unlocking procedure, all while retaining remote management through Level.

Description

This script forcefully logs out every active user session, including those running with root privileges, preventing further interaction at the local level. It then disables local user accounts, effectively halting any new logins. Despite this lockout, Level remains connected and capable of subsequent device management tasks, enabling you to maintain control while securing the endpoint against unauthorized use.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-macos-lock-device

# Initialize script-scoped error flag
script_errors=false

# Terminate every active login session except root's. The user's GUI
# session is torn down with launchctl bootout; if that fails, fall back
# to killing every process the user owns.
log_out_users() {
    echo "Logging out all active users..."
    users_list=$(who | awk '{print $1}' | sort -u)

    for user in $users_list; do
        if [[ "$user" != "root" ]]; then
            # Resolve the numeric UID that launchctl's gui/<uid> domain expects
            user_id=$(id -u "$user" 2>/dev/null)

            if [[ -n "$user_id" ]]; then
                if sudo launchctl bootout gui/"$user_id" &> /dev/null; then
                    echo "User $user has been forcefully logged out."
                else
                    echo "ALERT: Failed to log out user $user via launchctl. Attempting kill method..."
                    if sudo pkill -KILL -u "$user_id"; then
                        echo "User $user has been forcefully logged out via kill."
                    else
                        echo "ALERT: Failed to log out user $user using any method. (May be a system-protected process)"
                        script_errors=true
                    fi
                fi
            fi
        fi
    done
}

# Disable every local user account (INCLUDING ROOT). Guest, nobody, daemon
# and the underscore-prefixed service accounts are left untouched.
disable_local_accounts() {
    echo "Disabling all local user accounts (including root)..."
    local_users=$(dscl . list /Users | grep -vE '^(Guest|nobody|_.*|daemon)$')

    for user in $local_users; do
        # pwpolicy disableuser blocks authentication until the account is re-enabled
        if sudo pwpolicy -u "$user" disableuser &> /dev/null; then
            echo "Local account $user has been locked."
        else
            echo "ALERT: Failed to lock local account $user."
            script_errors=true
        fi
    done
}

# Execute actions
log_out_users

disable_local_accounts

if [[ "$script_errors" == true ]]; then
    echo "ALERT: Errors occurred during execution. Exiting with code 1."
    exit 1
else
    echo "All users have been logged out and locked successfully."
    exit 0
fi

Use Cases

  • Emergency lock for misplaced or stolen devices
  • Preventing unauthorized changes on critical endpoints
  • Heightened security after suspicious user activity
  • Temporary lockdown for maintenance or compliance audits

Recommendations

  • Test in a non-production environment to ensure compatibility
  • Run the script manually in Level to lock a device on demand
  • Alternatively, build an Automation in Level with a schedule trigger or tag trigger for lockdowns
  • Monitor locked accounts to confirm legitimate users remain restricted
  • Use the macOS Unlock Device Script or remove the Lock tag to restore access
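The check below is an added verification example, not part of Level's script or library: it reads back the state the lock script leaves behind, counting surviving non-root sessions in `who` output and looking for the `;DisabledUser;` marker that `pwpolicy disableuser` writes into each account's AuthenticationAuthority record. The `verify_lockdown` name, its helpers and its exit-code convention are this example's own; the wrapper assumes macOS `who` and `dscl`, while the parsing helpers take their input on stdin or as an argument so they can be exercised with constructed data.

```bash
#!/bin/bash
# Added example: confirm a macOS lockdown actually took effect.

# Pure check on a dscl AuthenticationAuthority value: returns 0 when the
# account carries the ";DisabledUser;" marker that pwpolicy disableuser adds.
is_disabled_authority() {
    case "$1" in
        *";DisabledUser;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same exclusions as the lock script, so both agree on what "local account" means.
filter_local_users() {
    grep -vE '^(Guest|nobody|_.*|daemon)$'
}

# Count distinct non-root users still present in `who` output read from stdin.
count_active_sessions() {
    awk '$1 != "root" && !seen[$1]++ {n++} END {print n+0}'
}

# Hypothetical wrapper for a real endpoint: exit status is the number of
# findings, so 0 means the device is fully locked.
verify_lockdown() {
    local failures=0 sessions user auth
    sessions=$(who | count_active_sessions)
    if [ "$sessions" -ne 0 ]; then
        echo "ALERT: $sessions user session(s) still active"
        failures=$((failures + 1))
    fi
    for user in $(dscl . list /Users | filter_local_users); do
        auth=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
        if is_disabled_authority "$auth"; then
            echo "OK: account $user is disabled"
        else
            echo "ALERT: account $user is still enabled"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

Running `verify_lockdown` right after the lock script (or as its own scheduled Level script) turns the "monitor locked accounts" recommendation into a pass/fail signal you can alert on.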

FAQ

  • Will this script remove the device from Level management?
    No. It only locks local accounts and logs out current sessions while preserving remote management through Level.
  • How do I restore access to a locked device?
    Run our macOS Unlock Device Script or utilize the Lock and Unlock Automation to remove the Lock tag and reactivate user accounts.
  • What if the script fails to log out certain users?
    System-protected or critical processes may not log out successfully. In such cases, the script will exit with an error.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name: macOS - Lock Device

Description: This script forcefully logs out all active users and disables all local accounts, including root, on a macOS system. It enhances security by preventing unauthorized access.

Language: Bash

Timeout (In Seconds): 100

Run As: Local system
