Classification: UNCLASSIFIED
Caveats: FOUO
Modifying this key:
<key>system.login.screensaver</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner or any administrator can unlock the screensaver.</string>
<key>rule</key>
<string>authenticate-session-owner-or-admin</string>
</dict>
To
<key>system.login.screensaver</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner or any administrator can unlock the screensaver.</string>
<key>rule</key>
<string>authenticate-session-owner</string>
</dict>
Will only allow the current session owner to log in.
Additionally, you could create a new rule allowing only the session
owner or a member of a specific group (other than the local admin
accounts), for example a sysadmin group. This will also work with LDAP
groups:
Modify the screensaver authorization key to:
<key>system.login.screensaver</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner or any administrator can unlock the screensaver.</string>
<key>rule</key>
<string>authenticate-session-owner-or-sysadmin</string>
</dict>
And add a new key specifying the new rule:
<key>authenticate-session-owner-or-sysadmin</key>
<dict>
<key>allow-root</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate either as the owner or as a sysadmin.</string>
<key>group</key>
<string>sysadmin</string>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
</dict>
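Both edits above (pointing the right at authenticate-session-owner, or at a new rule keyed to a sysadmin group) come down to rewriting one plist dictionary and then confirming who the resulting rule chain actually admits. The script below is an added example and is not code from the post; it builds the new rule with the same keys the post lists (allow-root, class, comment, group, session-owner, shared), repoints the right, and resolves the chain to a set of principals so the change can be verified before it is applied. It assumes the right is exported as an XML plist (for example with `security authorizationdb read system.login.screensaver`) and written back with `security authorizationdb write`; the plist bytes and the rule table it resolves against are constructed here so it runs offline, and the contents given for the stock admin rule are an assumption.

```python
"""Repoint the screensaver unlock right and audit the resulting rule chain."""
import plistlib

# Constructed sample: the stock right as the post shows it before editing.
STOCK_SCREENSAVER_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>The owner or any administrator can unlock the screensaver.</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
</dict>
</plist>
"""

# Constructed rule table standing in for the named rules in the authorization
# database. The body of the stock admin rule is an assumption, not quoted from
# the post; the session-owner rule matches the name the post uses.
RULES = {
    "authenticate-session-owner-or-admin": {
        "class": "user", "group": "admin", "session-owner": True, "shared": False,
    },
    "authenticate-session-owner": {
        "class": "user", "session-owner": True, "shared": False,
    },
}


def sysadmin_rule(group="sysadmin"):
    """Build the new rule from the post: the session owner or a member of `group`."""
    return {
        "allow-root": False,
        "class": "user",
        "comment": f"Authenticate either as the owner or as a {group}.",
        "group": group,
        "session-owner": True,
        "shared": False,
    }


def repoint_right(right_plist, rule_name):
    """Return the right as plist bytes with its 'rule' key pointing at rule_name."""
    right = plistlib.loads(right_plist)
    if right.get("class") != "rule":
        raise ValueError("expected a right of class 'rule'")
    right["rule"] = rule_name
    return plistlib.dumps(right)


def resolve(entry, rules, depth=0):
    """Follow a right/rule entry down to the principals it admits.

    Returns a set such as {"session-owner", "group:admin"}. A list of rule
    names is treated as any-of; the database's k-of-n semantics are not modelled.
    """
    if depth > 8:
        raise ValueError("rule chain too deep")
    cls = entry.get("class")
    if cls == "rule":
        names = entry["rule"]
        if isinstance(names, str):
            names = [names]
        allowed = set()
        for name in names:
            if name not in rules:
                raise KeyError(f"right references undefined rule {name!r}")
            allowed |= resolve(rules[name], rules, depth + 1)
        return allowed
    if cls == "user":
        allowed = set()
        if entry.get("session-owner"):
            allowed.add("session-owner")
        if entry.get("group"):
            allowed.add("group:" + entry["group"])
        if entry.get("allow-root"):
            allowed.add("root")
        return allowed
    raise ValueError(f"unhandled class {cls!r}")


def who_can_unlock(right_plist, rules):
    """Parse an exported right and report who it admits."""
    return resolve(plistlib.loads(right_plist), rules)


if __name__ == "__main__":
    rules = dict(RULES)
    rules["authenticate-session-owner-or-sysadmin"] = sysadmin_rule("sysadmin")
    new_right = repoint_right(STOCK_SCREENSAVER_RIGHT, "authenticate-session-owner-or-sysadmin")
    print("before:", sorted(who_can_unlock(STOCK_SCREENSAVER_RIGHT, rules)))
    print("after: ", sorted(who_can_unlock(new_right, rules)))
    print(new_right.decode())
```

Resolving the chain rather than eyeballing the plist catches the two mistakes that matter here: a right repointed at a rule name that was never added (the KeyError above), and a new rule that still names the admin group. The printed plist is what would be handed to `security authorizationdb write`.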
Michael D. Evans
US ARMY