Jamf Nation Community

rblaas · ‎03-01-2016

Hi All,

I have this annoying problem.

For some reason the option to change the setting for "Require password .... after sleep....." is greyed out.

When I remove a configuration policy which only does some setting on the Login Window. (A Banner, force logon prompt to name/password field, show shutdown button, disable automatic login, Allow Domain Users + domain server, Local-only users may log in and combine available workgroup settings)

somehow the above configuration profile is also managing the security setting.

I have also tried to add another configuration profile to set the option automatically but this is doing absolutely nothing ...

So either I am doing something wrong or there some kind of bug/feature which is causing problems.

Casper version: 9.82
Mac OS Client version: 10.11.3

We do see random results in the network with different client versions as in 10.10.x which have randomly access or no access to the above named option.

Any help is appreciated!

regards,

Ronald

rblaas · ‎06-30-2016

I would like to add to this discussion that my problem was actually caused by the configuration profile from Casper.

As it turns out with the login window setting the 'ask for password' is also set. This seem to me like a defect on JAMF side.

A simpel solution is to add the Privacy and security payload. In this payload we can (again) set the 'ask for password' option.

View solution in original post

bentoms · ‎03-01-2016

@rblaas See this from @kitzy

rblaas · ‎03-01-2016

@bentoms

Hi I have seen this article. So it seems a bug. I have also tried to force the setting via plist but that did not work for me.

Thanks for mentioning the article

jonnydford · ‎03-01-2016

@rblaas

I'm working on the same issue right now.

The kitzy 'fix' does work, but only when there's no Login Banner profile on the device. It seems that profile overrides any settings set by the Security & Privacy profile.

This is with 9.82 and 9.9.

The Security & Privacy profile:
Login Window: Screen Saver Preferences
Ask for Password: True

The Login Banner profile:
Login Window: Screen Saver Preferences
Ask for Password: False

McJee · ‎06-29-2016

Would really like to see JAMF resolve this. Configuration profiles are how we keep our Macs compliant for SOC and for some of the PCI controls. But with the bugs associated with Configuration Profiles we need to use workarounds and exceptions which auditors really dislike.

gachowski · ‎06-29-2016

We need to start hounding Apple, I am reasonably sure you see the same issue with Apple's profile manager..

The real issue is that profiles need to be one setting per profile, not nested like MCX.

C

rblaas · ‎06-30-2016

I would like to add to this discussion that my problem was actually caused by the configuration profile from Casper.

As it turns out with the login window setting the 'ask for password' is also set. This seem to me like a defect on JAMF side.

A simpel solution is to add the Privacy and security payload. In this payload we can (again) set the 'ask for password' option.

bpriscott · ‎06-30-2016

It maybe a simply solution but after testing it doesn't work. To validate that it doesn't work, I created the same profile setting in Profile Manager. I built the profile for the Login Window and Security Settings, downloaded it. Packaged it up, to push to the waiting room then install by command line as part of our imaging process.

Call me when it actually fixed. 9.91

rblaas · ‎06-30-2016

@bpriscott What do you mean with Downloaded it, packaged it up??

All we do is push the configuration profile to the machines who need it.. And this is done instantly.

So I can only guess we are talking about different issues here.

As my issue was about setting the 'require password' to immediately and my (simpel) solution was working I added this to this discussion.

bpriscott · ‎06-30-2016

@rblaas

In a nutshell we create and downloaded the .mobileconfig from Profile Manager, packaged it into dmg and place the file into... /Library/Application Support/JAMF/Waiting Room/

Our first run script right after imaging is... sudo /usr/bin/profiles -I -F /Library/Application Support/JAMF/Waiting Room/Yourprofilename.mobileconfig

We don't set Privacy here neither... we only do the basics and don't set Logout cause Profile Manager actually does work where Jamf hasn't been for us.

Tested with 9.91 JSS and 10.11.5 latest implementation.

bpriscott · ‎06-30-2016

@rblaas forgot to add we found that even though it isn't set in the JSS it was setting it anyway.

bentoms · ‎07-13-2016

@bpriscott maybe this will help?

andy_granger · ‎03-27-2017

This is fixed in 9.98:

[D-009503] Fixed an issue where configuring the Login Window payload for a computer configuration profile also caused the Require password immediately after sleep or screen saver begins checkbox in the Security & Privacy payload to be incorrectly enforced.

Jamf Nation Community

Cannot change settings "require password after sleep...."