Jamf Nation Community

tlarkin · ‎04-02-2010

So,

Do any of you enforce client machines to log out if idle for x amount of time? If so, could you give me some details on how exactly you implement this?

Thanks in advance,

Tom

talkingmoose · ‎04-02-2010

MCX setting in Casper:
On 4/2/10 1:39 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:

Domain: .GlobalPreferences
Key Name: com.apple.autologout.AutoLogOutDelay
Key Type: Integer
Value: 3600

Value = idle seconds before logout.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

tlarkin · ‎04-02-2010

Cool,

Any caveats with this? I work with mainly tons and tons of laptops. So they would go to sleep or have closed lids at times.

-T

Report Inappropriate Content · ‎04-02-2010

Yes, the caveat is that it is not a forced logout. If the user left unsaved docs open, the logout will fail. This has been the core of many, many discussions with server engineering. The choice being - do you allow them to stay logged in and not lose any work, or do you force the logout regardless of end user impact?
-- John DeTroye Email: johnd at apple.com
Sr. Consulting Engineer Systems Management Specialist
Edu IT resources - http://www.apple.com/education/it-professionals/resources/
Tutorials - http://www.apple.com/education/it-professionals/online-tutorials.html

Aziz · ‎08-26-2015

@talkingmoose @tlarkin

Did you ever figure out a way to FORCE a a log off after being idle for x amount of time? Changing System Preferences > Security and privacy > Advanced > Auto logout doesn't work.

I'm totally aware that I just bumped a five year old post, but this is stumping me!

mm2270 · ‎08-26-2015

I get the feeling Apple has made this impossible to do now. Didn't I recall reading somewhere that even doing something like a shutdown on a schedule now requires that the Mac be sitting at the login screen or something to that effect? Or was it the other way around, and someone must be logged in for a shutdown to happen.

Anyway, don't count on being able to do this with a setting or Configuration Profile. You might be able to do something with a LaunchAgent and script though.

talkingmoose · ‎08-26-2015

Wow, that's really reaching waaaaay back in the gray matter. I even have more gray matter on top of the gray matter now.

I remember this was an issue with shared Macs between work shifts. Daytime user would leave and not log out. Evening user couldn't unlock the first user's account and would crash/reboot the Mac.

I left that environment before Lion got implemented. Lion would've probably saved me most of my grief because of its feature to restore windows from an earlier session. Most apps today don't hold up logout like they did before Lion.

hansen_m · ‎08-27-2015

You may want to consider these alternatives:

https://github.com/CLCMacTeam/IdleLogout

https://github.com/sheagcraig/auto_logout

tlarkin · ‎08-27-2015

I am not sure if forcing a logout is a good idea. Especially if apps are open, and documents are not saved. You can force a reboot, and you may still be able to force a logout with Applescript, but I have not tried in in a long time. Hence this thread was from 2010.

What is your higher goal @Abiaziz ? I would hate for something to trigger a forced logout via a false positive, or have to build a workflow that gets the entire app list of what the user is running and either prompt them to quit and log out or force quit and logout.

I guess maybe in a lab scenario where there are many humans to one machine this could be useful, but still I am not sure it is a good idea. Could you describe some more of your needs/requirements for this workflow?

Thanks,
Tom

dferrara · ‎08-27-2015

@Abdiaziz I'm glad you necro'd this thread, I am having the same problem and it seems like the built-in behavior hasn't changed much at all.

@tlarkin The idea in our environment, where we have hundreds of lab computers, is that data privacy is maintained. The current auto-logout works for that by throwing a curtain down, but when someone else comes up to the computer, it's totally locked (as described above). Hard shutdowns seem like they'd be bad for the machine over time.

@hansen_m Thanks, IdleLogout looks promising. Warning the user would be absolutely key.

Aziz · ‎08-27-2015

@tlarkin

We have many labs and students, many of whom do not log out. Having a log out policy (20 minutes of inactivity) would be great. After 20 minutes, it's the students responsibility if they forget to save something and logout. Preferably a solution that doesn't require a restart.

I just enabled "Fast User Switching" for now.

@dferrara

 but when someone else comes up to the computer, it's totally locked

If you enable "Fast User Switching", students will be able to click on "Switch User". Not the best solution, but it works.

dferrara · ‎08-27-2015

@Abdiaziz Do you ever find the computers have slowed to a crawl if multiple users stay logged in? I guess I'll be turning that back on.

Aziz · ‎08-27-2015

@dferrara

I haven't heard of any complaints from students or faculty, I'm relying on the HelpDesk to inform of any issues. We also have a nightly restart schedule implemented.

jtratta · ‎08-31-2015

@Abdiaziz
I uploaded a native OSX agent I create for our labs the might do what you're looking for. It forces the users out after 20 minutes of inactivity. It will go through and force quit any application so that won't hang-up the logout process. It will also logout the previous user in 5 minutes if multi-user switching is being used. This working pretty well, on occasion you'll see an app hold up logout, but for the most part we've had great success with this approach.

Here's a link to the repo.

https://github.com/jason-tratta/IdleLoggerAgent

Jamf Nation Community

auto log out if idle policy