diff --git a/instfiles/Makefile.am b/instfiles/Makefile.am
index 1c1af39f..8d39af0c 100644
--- a/instfiles/Makefile.am
+++ b/instfiles/Makefile.am
@@ -78,6 +78,10 @@ SUBDIRS += \
 pulse
 endif
 
+if MACOS
+SUBDIRS += pam.d
+endif
+
 #
 # install-data-hook for each platform
 # TODO: subst these directories as well as service files
diff --git a/instfiles/pam.d/Makefile.am b/instfiles/pam.d/Makefile.am
index 6cc6bddf..72031575 100644
--- a/instfiles/pam.d/Makefile.am
+++ b/instfiles/pam.d/Makefile.am
@@ -3,6 +3,7 @@ PAM_FILES = \
 xrdp-sesman.redhat \
 xrdp-sesman.suse \
 xrdp-sesman.freebsd \
+ xrdp-sesman.macos \
 xrdp-sesman.unix
 
 EXTRA_DIST = $(PAM_FILES) mkpamrules
diff --git a/instfiles/pam.d/mkpamrules b/instfiles/pam.d/mkpamrules
index 88444205..2d268281 100755
--- a/instfiles/pam.d/mkpamrules
+++ b/instfiles/pam.d/mkpamrules
@@ -30,6 +30,11 @@ guess_rules ()
 return
 fi
 
+ if test -s "$pamdir/authorization"; then
+ rules="macos"
+ return
+ fi
+
 rules="unix"
 return
 }
diff --git a/instfiles/pam.d/xrdp-sesman.macos b/instfiles/pam.d/xrdp-sesman.macos
new file mode 100644
index 00000000..9eb7920e
--- /dev/null
+++ b/instfiles/pam.d/xrdp-sesman.macos
@@ -0,0 +1,12 @@
+# xrdp-sesman: auth account password session
+# based on Apple's sshd PAM configuration
+auth optional pam_krb5.so use_kcminit
+auth optional pam_ntlm.so try_first_pass
+auth optional pam_mount.so try_first_pass
+auth required pam_opendirectory.so try_first_pass
+account required pam_nologin.so
+account required pam_sacl.so sacl_service=ssh
+account required pam_opendirectory.so
+password required pam_opendirectory.so
+session required pam_launchd.so
+session optional pam_mount.so
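Review bot: The new branch in `guess_rules` (instfiles/pam.d/mkpamrules) selects the macOS rule set purely because a non-empty file named `authorization` exists in `$pamdir`, and nothing in the hunk says why that file identifies the platform. Since this choice decides which PAM stack guards xrdp-sesman logins, the heuristic should be documented where it is made, for example `# macOS: /etc/pam.d/authorization is used as the platform marker`. It would also help to note that the test must stay ahead of the `rules="unix"` fallback. The body of `guess_rules` starts outside this hunk, so how this check interacts with the earlier platform tests cannot be confirmed from here.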
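Review bot: In instfiles/pam.d/xrdp-sesman.macos the account stack authorizes RDP logins against the SSH service ACL, because `account required pam_sacl.so sacl_service=ssh` is carried over unchanged from the sshd configuration. As written, a user permitted Remote Login over SSH is also permitted an xrdp session, and restricting one restricts the other. An administrator would not expect that from a file named for xrdp-sesman. If the coupling is intended, state it in the header, e.g. `# access is governed by the ssh service ACL (sacl_service=ssh), same as Remote Login`. Otherwise a dedicated service name would keep the two policies separate, assuming pam_sacl accepts one for this service.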