Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4295: Differences between the "Specify login script" and "Specify multiple login scripts" GPs

Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:19 AM

Applies to: Centrify DirectControl for Mac OS X 10.7 and higher

Question:

There are two main types of login script group policies available for Mac systems; "Specify login/logout script" and "Specify multiple login scripts".

They can be found in the following locations:
  • Computer Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify multiple login scripts"
  • User Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify multiple login scripts"
  • User Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify login script"
  • User Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify logout script"

What are the differences between these GPs and is there any advantage to using one over the other?


Answer:

"Specify login script"
"Specify logout script" 
  • These GPs uses the older login hooks mechanism to run
  • These scripts are run as root user and can be used to run privileged commands
  • Only one script can be specified in these policies (One login script and one logout script).

"Specify multiple login scripts"
  • These GPs uses the newer launchd process to run
  • Scripts can only be run as the logged in user 
  • Multiple scripts can be specified


It is recommended to use "Specify multiple login scripts" because login hooks are now deprecated.

From the following Apple documentation: (Provided as a courtesy)

- Customizing Login and Logout
  • Login and logout scripts are a deprecated technology. In most cases, you should use launchd jobs instead, as described in Creating Launch Daemons and Agents.
  • Login and logout scripts are run as root, which presents a security risk.
  • Only one of each script can be installed at a time. They are intended for system administrators; application developers should not use them in released software.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.