Disallow to change Screensaver idleTime

maiksanftenberg
Contributor II

Hi.
I'm looking for an option (non MCX based) to disable the option for users to set the Screensaver idleTime (Start after x Minutes).

We are using Configuration Profiles but not MCX.
It has to work for 10.8.x and 10.9.x.

We already have a script that modifies the default Idle time that is set in System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/EngineDefaults.plist and are removing the com.apple.screensaver.MAC.plist file if there is one.

Is there any way to lock down this option?

Thanks,
Maik

16 REPLIES

bentoms
Release Candidate Programs Tester

Block / remove the desktop & screensavers preference pane?

alexjdale
Valued Contributor III

I have that in a configuration profile as a Custom setting. Does that still count as MCX? It uses the same mechanism I believe, it's just applied via profile instead.

mm2270
Legendary Contributor III

Configuration Profiles are really mostly MCX wrapped up in a prettier interface (even the ones with buttons and drop down menus) and deployed via a different mechanism.

gregneagle
Valued Contributor

So why must this be non-MCX based? MCX or profiles are a supported solution that actually works. Everything else is an unsupported hack. Is there a reason to avoid the supported, known working solutions to this problem?

maiksanftenberg
Contributor II

Thanks for your responses.
We are not using MCX settings from JSS but came across that the only way in 10.8 to lock down this option is:
```
sudo dscl . -mcxset /Computers/localhost com.apple.screensaver idleTime always -int 600
```

This is working fine for 10.8. If I run the command in 10.9 I get -mcxset: Invalid Path...
Has something changed and com.apple.screensaver no longer exists?

Thanks,
Maik

nessts
Valued Contributor II

I don't get the error you are, Maik, but using dscl . -mcxset does nothing to the idleTime setting on my test computer either. I have been struggling with this quite a bit as it's a security requirement at many of my customers. Profiles don't seem to honor the always flag; you need to use often, and it seems to set it every boot. And then I couple that with disabling the screensaver preference pane, and they can only change it through defaults write commands at that point.
But it seems a less than proper way to do it. The other way I have done it is to manage the power settings and put the screen to sleep at 15 minutes and require a password on screen sleep, but then users complain about the power settings not being to their liking.

nessts
Valued Contributor II

And really, just trying to play with this stuff some more today, the profile I have doesn't work for beans either; the only thing that works is a login script to set the screensaver settings at login. It's just plain stupid, or I am, hard to say. :)

alexjdale
Valued Contributor III

As an FYI, I just redid my "security settings" configuration profile to get rid of all of the "custom" MCX settings I had, and the screensaver settings are an option as a native control.

I built my new profile using Profile Manager on 10.9 Server. "Require password after sleep or screen saver begins" is in "Security & Privacy" in the "OS X and iOS" category, and "Start screen saver after X minutes" is in "Login Window" in the "OS X" category. I had to manually modify the mobileconfig file to get it to 900 seconds though since that was not a dropdown option. Once installed, these settings cannot be changed and are greyed out.

To get all those options, I think you need to enable Device Management on your Server, which entails setting it up as an Open Directory server. I don't use the JSS for configuration profiles but it looks like those same options are there.

nessts
Valued Contributor II

That setting in loginwindow only applies if a computer is left sitting at the login window, and I just confirmed it. I can still change the screensaver timeout in the preference pane as well after I log in. But at loginwindow the screensaver starts at the appropriate time, which is really not that useful, I think. Especially for a device that is not shared, such as a laptop.
I can read the com.apple.screensaver.plist file in /Library/Managed Preferences/username, and it is different from the one I get if I do defaults -currentHost read com.apple.screensaver. I will go post some feedback on the seed program about this being less than useful.

nessts
Valued Contributor II

OK, I have to backpedal a bit. I set those settings through the JSS profile manager and nothing good happened. I just set those through my server Profile Manager and applied them to another machine, and they work properly and the timeout box is not active. I will try importing that profile into the JSS and see if it works.

justingrigg
New Contributor II

AlexjDale, Can you confirm this:

I built my new profile using Profile Manager on 10.9 Server. "Require password after sleep or screen saver begins" is in "Security & Privacy" in the "OS X and iOS" category, and "Start screen saver after X minutes" is in "Login Window" in the "OS X" category. I had to manually modify the mobileconfig file to get it to 900 seconds though since that was not a dropdown option. Once installed, these settings cannot be changed and are greyed out.

I am using a 10.8 profile manager, but will upgrade to 10.9 if these features have been added.

tkimpton
Valued Contributor II

+ 1 for Block / remove the desktop & screensavers preference pane

tkimpton
Valued Contributor II

dupe sorry

tkimpton
Valued Contributor II

dupe sorry

nessts
Valued Contributor II

The key to locking out the timeout is the Login Window profile. You can set the time in there to, say, 10 minutes and then edit the file you save to 900 instead of 600. You can manage the actual screensaver as well from this profile if you choose.
Also, if you run your profiles saved out of Profile Manager through xmllint --format saved.mobileconfig > new.mobileconfig, it makes them much easier to read and edit.
One thing I found is that if you set the timeout now, apparently that takes care of the box in Security & Privacy, Require password immediately.
And if you try to set that in a profile, that page has a new setting, allow user to change password, which does not allow the user to change the password whether the box is checked or unchecked. If anybody else can verify, that would be great. I filed it as a bug because I can replicate it across all my test machines. So I removed my profile for Security and Privacy and I can change passwords now, but the require password box is still greyed out.

quedayone
Contributor

This is what I am doing:

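```
#!/bin/sh
# Get the user who owns the console (the logged-in GUI user).
# stat is used instead of parsing `ls -l`, whose column spacing can vary.
user=$(stat -f%Su /dev/console)
# Set the screensaver to start after this many seconds of idle time
sudo -u "$user" defaults -currentHost write com.apple.screensaver idleTime -int 1200
# Read the value back to confirm it was written
sudo -u "$user" defaults -currentHost read com.apple.screensaver idleTime
```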

I have a policy to run this every15 ongoing. I have tested this on 10.9 with 3 computers and it seems to be working. This will not lock out the system prefs but it will enforce the setting.
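
An audit check to pair with the enforcement script above, as an added example that is not part of the original thread: because the setting is rewritten on a schedule rather than locked, this reports what the user's value is between runs. The names `MAX_IDLE`, `classify_idle` and `read_idle_time` are hypothetical, and the check assumes an `idleTime` of 0 corresponds to "Never" in the preference pane.

```shell
#!/bin/sh
# Added example (not from the thread): audit the idleTime that the
# enforcement policy writes, so drift between policy runs is visible.
MAX_IDLE=1200   # seconds; matches the value written by the script above

# classify_idle VALUE [MAX]
# Prints one of: compliant | disabled | too_long | unset | invalid
classify_idle() {
    value=$1
    max=${2:-$MAX_IDLE}
    case $value in
        '')       echo unset;   return 0 ;;  # key not set for this user
        *[!0-9]*) echo invalid; return 0 ;;  # not a non-negative integer
    esac
    if [ "$value" -eq 0 ]; then
        echo disabled        # assumption: 0 means the screensaver never starts
    elif [ "$value" -gt "$max" ]; then
        echo too_long        # user raised the timeout above the limit
    else
        echo compliant
    fi
}

# read_idle_time USER
# Prints the user's per-host idleTime, or nothing if the key is absent.
read_idle_time() {
    sudo -u "$1" defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null
}

# Live check: only runs as root on a machine that has the defaults tool.
if [ "$(id -u)" -eq 0 ] && command -v defaults >/dev/null 2>&1; then
    user=$(stat -f%Su /dev/console)
    status=$(classify_idle "$(read_idle_time "$user")")
    echo "$user: screensaver idleTime is $status"
fi
```

Anything other than `compliant` means the value was changed, cleared, or never written since the last policy run.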