diff --git a/roles/autofs/files/umask.csh b/roles/autofs/files/umask.csh
new file mode 100755
index 0000000..c021f50
--- /dev/null
+++ b/roles/autofs/files/umask.csh
@@ -0,0 +1,3 @@
+if ($uid > 999 && "`/usr/bin/id -gn`" == "`/usr/bin/id -un`") then
+    umask 007
+endif
diff --git a/roles/autofs/files/umask.sh b/roles/autofs/files/umask.sh
new file mode 100755
index 0000000..4ed8452
--- /dev/null
+++ b/roles/autofs/files/umask.sh
@@ -0,0 +1,5 @@
+# shellcheck shell=sh
+if [ "$(id -u)" -gt 999 ] && [ "$(id -gn)" = "$(id -un)" ]; then
+    umask 007
+fi
+
diff --git a/roles/autofs/tasks/main.yml b/roles/autofs/tasks/main.yml
index 19f9565..3514acb 100644
--- a/roles/autofs/tasks/main.yml
+++ b/roles/autofs/tasks/main.yml
@@ -80,3 +80,14 @@
   with_items:
     - usercache.sh
     - usercache.csh
+
+- name: Set umask for users
+  ansible.builtin.copy:
+    dest: "/etc/profile.d/{{ item }}"
+    src: "{{ item }}"
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  with_items:
+    - umask.sh
+    - umask.csh