Posted on 09-02-2022 11:22 AM
Both CIS and Tenable provide a configuration profile method to undo any hot corner set to disable screen saver.
CIS uses <≠6>
Tenable uses <!=6>
Neither seem to work. Anyone have any luck with this?
Posted on 09-02-2022 11:55 AM
I’m not familiar with either of those management systems, but those values are not integers. They may be doing some proprietary magic on their end to make this work.
In my testing, setting the corner to the “ - “ in the dropdown list changes the plist value to “1”. I know of no way to disable a single property in a list of properties — just how to enforce a single property.
And I haven’t tested whether a profile enforces these properties.
1 = -
2 = Mission Control
3 = Application Windows
4 = Desktop
5 = Start Screen Saver
6 = Disable Screen Saver
10 = Put Display to Sleep
11 = Launchpad
12 = Notification Center
13 = Lock Screen
14 = Quick Note
09-02-2022 03:50 PM - edited 09-03-2022 06:16 AM
Yep, someone told me it's possible to undo a corner if it is set to 6 using a configuration profile and sent me the info, so I thought I'd give it a shot.
CIS
Tenable
The way we've always done it is to monitor for corners that are set to 6, and set to 0.
It would be fantastic if this could be automated using a Configuration Profile some day.
Posted on 09-02-2022 04:00 PM
Just took a look at both.
I think what you’re seeing are examples of how not to write documentation. They’re trying to tell you “something other than 6” or “not 6”. I don’t think they intend you to use those as actual values.
Integers ≠ strings.
Posted on 09-02-2022 11:13 PM
I agree.
“I’m gonna write a stupid article.” - CIS
“Hold my beer.” - Tenable
Posted on 09-06-2022 08:21 AM
I use this and it works perfectly for me.
<?xml version="1.0"?>
<plist version="1.0">
<dict>
<key>wvous-bl-corner</key>
<integer>1</integer>
<key>wvous-bl-modifier</key>
<integer>0</integer>
<key>wvous-br-corner</key>
<integer>1</integer>
<key>wvous-br-modifier</key>
<integer>0</integer>
<key>wvous-tl-corner</key>
<integer>1</integer>
<key>wvous-tl-modifier</key>
<integer>0</integer>
<key>wvous-tr-corner</key>
<integer>1</integer>
<key>wvous-tr-modifier</key>
<integer>0</integer>
</dict>
</plist>
By "perfectly" I should note that the GUI for the screen corners is never grayed out, but any changes to the screen corners do not stick, so it has the same effect - no screen corners can be set.
09-07-2022 08:16 AM - edited 09-07-2022 08:16 AM
@mm2270 nice, but see my last post. Unfortunately Apple hasn't provided a way to unset any corner set to 6, using a configuration profile. #sigh
You coming to JNUC 2022?
Posted on 09-07-2022 03:41 AM
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>wvous-bl-corner</key>
<integer>0</integer>
<key>wvous-br-corner</key>
<integer>0</integer>
<key>wvous-tl-corner</key>
<integer>0</integer>
<key>wvous-tr-corner</key>
<integer>0</integer>
</dict>
</plist>
The above should work (custom payload). They can set a hot corner, but when they exit the screen it will have cleared it.
09-07-2022 08:12 AM - edited 09-07-2022 08:14 AM
@SCCM thanks, but we aren't looking to "lock down" all of the hot corners. Using Custom Payload won't work, it'll just be converted to a Dock payload, not that it matters in this case.
We are going to stick to the current method of using an EA to determine if a user has any of the hot corners set to 6, and if so use a script to set it to 0.
We want users to have a choice, we just can't allow 6 for security reasons.
For our use case, configuration profiles aren't an option.
Posted on 09-07-2022 12:14 PM
I see what you're after now @donmontalvo. Yeah, unfortunately given the on/off permanent nature of most Configuration Profile settings, using a profile for this won't work if you want to allow users to choose options other than "Start screen saver". So a script will be your best option in this case.
In our case we just made the decision that no-one can use any hot corners and disabled them all for security reasons (bank environment).
Posted on 01-18-2023 01:39 PM
I don't suppose you would be willing or able to share the EA, policies, and scripts for doing this?
Posted on 02-28-2023 01:24 PM
Hey @davidi4
Here's our extension attribute that runs a script:
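#!/bin/bash
# Extension attribute: report "yes" if any hot corner is set to 6 (Disable Screen Saver)
# Owner of /dev/console is the logged-in user
user=$(stat -f%Su /dev/console)
plist="/Users/$user/Library/Preferences/com.apple.dock.plist"
result="no"
for corner in tl tr bl br; do
    # Read each corner key on its own and compare exactly, so only the value 6 matches
    value=$(defaults read "$plist" "wvous-${corner}-corner" 2>/dev/null)
    [[ "$value" == "6" ]] && result="yes"
done
echo "<result>$result</result>"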
From there, just create a smart group that checks for the extension attribute you named it (have it look for "yes").
Then run your script to remove or reset the dock for those machines.
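A remediation script to pair with the extension attribute above, added here as an example and not posted by anyone in this thread: it resets only the corners set to 6 back to 0 and leaves every other user choice alone. The function names are hypothetical, and it assumes it runs as root, for instance from a Jamf policy scoped to the smart group.

```shell
#!/bin/bash
# Added example (not from the thread): reset hot corners set to
# 6 (Disable Screen Saver) to 0, leaving other user choices untouched.
# Function names are hypothetical.

CORNERS="tl tr bl br"

# Read "key value" pairs on stdin; print corner keys whose value is exactly 6.
corners_to_reset() {
    while read -r key value; do
        case "$key" in
            wvous-*-corner) [ "$value" = "6" ] && echo "$key" ;;
        esac
    done
    return 0
}

# Print "key value" for each hot-corner key present in a Dock plist (macOS only).
read_corners() {
    local plist="$1" c v
    for c in $CORNERS; do
        v=$(defaults read "$plist" "wvous-${c}-corner" 2>/dev/null) || continue
        echo "wvous-${c}-corner $v"
    done
}

remediate() {
    local user plist key changed=0
    user=$(stat -f%Su /dev/console)
    # At the login window the console belongs to root: nothing to fix
    if [ -z "$user" ] || [ "$user" = "root" ]; then return 0; fi
    plist="/Users/$user/Library/Preferences/com.apple.dock.plist"
    for key in $(read_corners "$plist" | corners_to_reset); do
        # Write as the console user so the plist keeps its ownership
        sudo -u "$user" defaults write "$plist" "$key" -int 0
        changed=1
    done
    # The Dock holds these values in memory; restart it to apply the change
    if [ "$changed" -eq 1 ]; then killall Dock; fi
    return 0
}

# Only touch the system on macOS; elsewhere the functions can be sourced and tested
if [ "$(uname)" = "Darwin" ]; then
    remediate
fi
```
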
Posted on 09-08-2022 01:09 AM
@donmontalvo fair enough, but with the way you're setting it, does it even pass a CIS audit? How frequently have you got your inventory set, i.e. daily / weekly? The user will have the setting available to them up until it checks in and reports the change. You prob would be better off creating a launch daemon running locally which just changes the setting if found on a defaults read of com.apple.dock
Like @mm2270 we just disabled it, as the auditors said allowing it to be set for the day wasn't good enough, and we wanted to limit the number of daemons running.
09-21-2022 05:26 AM - edited 09-21-2022 05:33 AM
Having an active EA to identify when someone's hot corner is set to disable screen lock, with a script to remove the setting has been enough to pass audit in most companies. I submitted through Feedback Assistant (FB11558798) a request to give us a way to unset if someone sets it, so it's manageable using a Configuration Profile.