Solved

CIS level 2

  • February 4, 2026
  • 5 replies
  • 65 views

tdenton

Hello 

I have started testing CIS level 2 for MacOS 26.

I get this prompt as soon as the screen is locked. I thought it had something to do with the screensaver, but I have removed all CIS config and it still seems to be happening. I'm guessing it's some leftover config somewhere but haven't been able to track it down.

 

Does anyone know if there is any way to undo this? We use the snowagent and it's possible that might be causing it.

 

Thanks

Tom 


5 replies

  • Contributor
  • February 4, 2026

Just got CIS monitoring (all three) running since a couple of days, but did not hit this. Looks like some policy got enabled forcing this?


tdenton
  • Author
  • Valued Contributor
  • February 4, 2026

Haven't been able to fix it @BM-Degenkamp. All config profiles have been removed; I have removed as much as I can.

I have reset the macOS Authorization Database and that seems to have fixed it, but now I need to put Jamf Connect back together as it reset the login window.

 


  • New Contributor
  • February 4, 2026

I believe when you set the CIS level 2 to monitor and enforce, it runs scripts to enforce the benchmark along with the config profiles. You can remove the config profiles, but you can't undo the scripts that were run. This may have been caused by a script.


  • Valued Contributor
  • February 5, 2026

The issue is outlined in rule 5.7 right in the CIS GUI in Jamf. It's also outlined here:

5.7 Disable Login to Other User's Active and Locked Sessions (os_unlock_active_user_session_disable)

Discussion

The ability to log in to another user’s active or locked session MUST be disabled.

macOS has a privilege that can be granted to any user that will allow that user to unlock active user’s sessions. Disabling the admins and/or user’s ability to log into another user’s active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.

NOTE

Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. To restore the user experience and allow TouchID to unlock the screensaver, you can run /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1. This setting can also be deployed with a configuration profile.

WARNING

This rule may cause issues when platformSSO is configured.

Organization defined value

Review the /System/Library/Security/authorization.plist file for more information.

authenticate-session-owner
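As an added example (not code from the thread, from Jamf or from the CIS benchmark), a small audit helper that tells the enforced 5.7 value apart from the untouched default. It assumes, since the page does not say so, that the rule is applied to the `system.login.screensaver` right and that `security authorizationdb read` prints that right as an XML plist.

```shell
#!/bin/sh
# Added example for this thread, not code from the CIS benchmark, Jamf or the
# posters. Assumes (not stated on the page) that rule 5.7 is applied to the
# `system.login.screensaver` right in the authorization database, which
# `security authorizationdb read <right>` prints as an XML plist.

# Classify one right's plist, read from stdin: prints "enforced" when the rule
# is exactly authenticate-session-owner (the value named on the page), else
# "default". The match is on the whole <string> element on purpose: the default
# value authenticate-session-owner-or-admin contains the enforced value as a
# substring, so a bare `grep -c authenticate-session-owner` would report the
# untouched default as compliant.
classify_screensaver_right() {
  if grep -q '<string>authenticate-session-owner</string>'; then
    echo enforced
  else
    echo default
  fi
}

# Live audit on a Mac (needs the macOS `security` tool; not run by the tests).
audit_live() {
  /usr/bin/security authorizationdb read system.login.screensaver 2>/dev/null \
    | classify_screensaver_right
}

# A naive substring count, kept only to show the false positive it produces.
naive_check() { grep -c 'authenticate-session-owner'; }

# Constructed sample plists, shaped like `security authorizationdb read` output.
SAMPLE_DEFAULT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>rule</key><array><string>authenticate-session-owner-or-admin</string></array>
</dict></plist>'
SAMPLE_ENFORCED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>rule</key><array><string>authenticate-session-owner</string></array>
</dict></plist>'
```

On a Mac, `audit_live` prints "enforced" while the benchmark's value is in place, which is the state the thread's "reset the Authorization Database" step undid.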


tdenton
  • Author
  • Valued Contributor
  • Answer
  • February 5, 2026

Thanks @daniel_behan

Managed to go backwards.

Had to reset the macOS Authorization Database
Restart
Apply Jamf Connect authchanger
Restart

Didn't appear after that.

Be nice to have some sort of reset script, but I guess that's not straightforward. Are most people using Monitor & enforce or just Monitor?