From 5939a381ec4d919a5b7978788922137feb825c04 Mon Sep 17 00:00:00 2001
From: "T. R. Bernstein" <137705289+trbernstein@users.noreply.github.com>
Date: Wed, 3 Jul 2024 05:20:05 +0200
Subject: [PATCH] Disallow login for single FileVault user

---
 bin/azw-ensure-single-fv-user | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bin/azw-ensure-single-fv-user b/bin/azw-ensure-single-fv-user
index 293cd1c..c7bd2ba 100755
--- a/bin/azw-ensure-single-fv-user
+++ b/bin/azw-ensure-single-fv-user
@@ -24,9 +24,13 @@ function main {
 return 0
 }
 
+ function disableUser() {
+ pwpolicy -u ${username} -disableuser
+ }
+
 [[ $(id -un) == 'root' ]] || { lop -- -e 'This script needs to be run by root. Aborting.'; return }
 isFilevaultEnabled || { lop -- -e 'FileVault is disabled. Aborting.'; return }
- doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock
+ doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock && disableUser
 }
 
 if [[ "${ZSH_EVAL_CONTEXT}" == toplevel || "${ZSH_EVAL_CONTEXT}" == cmdarg ]]; then
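Review bot: In the new `disableUser` helper, `${username}` is expanded unquoted, and zsh drops an unquoted empty or unset parameter from the command line, so `pwpolicy` would be called as `pwpolicy -u -disableuser` and would presumably take the flag as the account name. `username` is assigned above the hunk, so whether it can be empty is not visible here; quoting it, `pwpolicy -u "${username}" -disableuser`, makes that case fail cleanly instead. The call is also the last link of the `&&` chain, so if it fails the account stays able to log in and nothing is reported, unlike the two guards above it that log through `lop`. Something like `disableUser || { lop -- -e 'Could not disable the FileVault user. Aborting.'; return 1 }` would surface that. As a smaller style point, `function disableUser() {` mixes the keyword and parentheses while the visible `function main {` uses the keyword alone.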