DON'T Require Password After Screen saver begins or display is turned off

dtmille2
Contributor III

Hi all,

I've discovered that this profile we push to lab machines to disable the requirement for a password when the computer display is turned off is no longer working in Sonoma:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>askForPassword</key>
<integer>0</integer>
</dict>
</plist>

This profile now causes the setting in System Settings>Lock Screen>Require Password After Screen saver begins or display is turned off to be set to IMMEDIATELY.

Anyone see this or have alternate solution for environments where we don't want the screen to lock when the display turns off (other than setting it manually?)?


PaulHildahl
New Contributor

I don't have a solution, but I can confirm we are seeing the same behavior.

chrisdaggett
Contributor II

Same issue. In Security & Privacy config, it doesn't matter if you set Immediately or Never for "Require Passcode to Unlock Screen", on the device it sets to Immediately. 

Mike4
New Contributor III

I've run into the same issue while preparing my Sonoma configuration for lab rebuilds, but seem to have worked out the solution. See below for the working settings. This sets require password after screen saver or sleep to never.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>askForPassword</key>
<true/>
<key>askForPasswordDelay</key>
<real>2147483647</real>
</dict>
</plist>

ctarbox
Contributor II

I am seeing exactly this issue with my lab rebuilds also -- Sonoma. I tried the solution above and it worked perfectly. Thank you Mike4!!!!

iamYaje
New Contributor III

@Mike4 Thanks for posting a solution!

How did you deploy this .plist? If you delivered it via a custom configuration payload, which domain did you use? I did not find similar settings in the com.apple.screensaver.plist when digging around just now.

micmil
New Contributor III

Thanks to @Mike4 for pointing us in the right direction! This is a very frustrating change on Apple's part, and I'm disappointed that Jamf hasn't patched this yet months after Sonoma's release. 

To answer @iamYaje's question: the domain we want to apply these changes to is com.apple.screensaver. More info can be found here:

https://developer.apple.com/documentation/devicemanagement/screensaver
https://developer.apple.com/documentation/devicemanagement/screensaveruser

However, I was not able to get this to work using @Mike4's settings. Specifically, I had to change the value type for 'askForPasswordDelay' from 'real' to 'integer', per the documentation linked above. After that, it works perfectly. Maybe Apple changed something in an update and 'real' is no longer valid. I tested on OS 14.2.1.

I also added an extra key to disable the screensaver completely (why in 2024 Apple doesn't just have the screensaver disabled by default is mind-boggling). These settings will accomplish that:

<key>idleTime</key>
<integer>0</integer>

Note: this setting is listed on the docs as applying only to the user's individual screensaver settings, but adding the key to the computer-wide 'com.apple.screensaver' plist works just fine.
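
Added example, not part of the original thread or any participant's post: a Python check that parses a com.apple.screensaver payload with plistlib, flags the value-type mismatches discussed above (integer vs. real for askForPasswordDelay, boolean vs. integer for askForPassword), and reports the resulting lock posture. The function name, posture labels and sample payloads are constructed for illustration; the expected types are the ones reported as working in this thread, and the delay is assumed to be in seconds.

```python
import plistlib

# Types the thread reports as working for com.apple.screensaver keys.
# bool is a subclass of int in Python, so types are compared exactly.
EXPECTED = {"askForPassword": bool, "askForPasswordDelay": int, "idleTime": int}
NEVER = 2147483647  # delay value used in the thread to mean "never"


def lint_screensaver_payload(xml_bytes):
    """Return (findings, posture) for a com.apple.screensaver plist payload."""
    settings = plistlib.loads(xml_bytes)
    findings = []
    for key, want in EXPECTED.items():
        if key in settings and type(settings[key]) is not want:
            got = type(settings[key]).__name__
            findings.append(f"{key}: found {got}, expected {want.__name__}")
    ask = settings.get("askForPassword")
    delay = settings.get("askForPasswordDelay")
    if findings:
        posture = "unpredictable"  # mistyped keys gave mixed results in the thread
    elif ask is True and delay is not None and delay >= NEVER:
        posture = "lock-effectively-never"
    elif ask is True and delay is not None:
        posture = f"lock-after-{delay}s"
    else:
        posture = "unspecified"  # payload does not pin both keys
    return findings, posture


def _payload(body):
    # Constructed sample wrapper; DOCTYPE omitted for brevity.
    return b'<plist version="1.0"><dict>' + body + b"</dict></plist>"


# Constructed samples mirroring the payloads posted in the thread.
ORIGINAL = _payload(b"<key>askForPassword</key><integer>0</integer>")
REAL_DELAY = _payload(b"<key>askForPassword</key><true/>"
                      b"<key>askForPasswordDelay</key><real>2147483647</real>")
INT_DELAY = _payload(b"<key>askForPassword</key><true/>"
                     b"<key>askForPasswordDelay</key><integer>2147483647</integer>"
                     b"<key>idleTime</key><integer>0</integer>")
ENFORCED = _payload(b"<key>askForPassword</key><true/>"
                    b"<key>askForPasswordDelay</key><integer>5</integer>")

if __name__ == "__main__":
    for name in ("ORIGINAL", "REAL_DELAY", "INT_DELAY", "ENFORCED"):
        print(name, lint_screensaver_payload(globals()[name]))
```

Running the same check over a profile exported from the MDM shows whether the intended type survived the upload before the profile reaches a lab machine.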

iamYaje
New Contributor III

@micmil thanks for posting this reply.

We use autologin to a standard user-account in our secure lab environment. That autologin feature now only works after a computer restart (following upgrade to Sonoma) after the password has been entered once for the account in a given time-period. If the screen saver goes active, we then need to enter the password again if the computer is restarted.

I'm attempting to configure the .plist for com.apple.screensaver and it hasn't been working so far. It looked like it was overlapping with our Security and Privacy payload setting (same key), so I unconfigured that. When exporting the profiles to XML to review, I'm not seeing the <integer>xxx...</integer> key show up in the configuration for some reason and the password is still being required when the screensaver comes up. Any ideas as to what we might be missing?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>askForPassword</key>
<true/>
<key>askForPasswordDelay</key>
<integer>2147483647</integer>
</dict>
</plist>

Is it possible we might need to disable the screensaver entirely using the screensaveruser domain as you did?

Fwatson
New Contributor II

Hi,

I've been a little confused about this because com.apple.screensaver doesn't seem to be a domain that exists anymore? I'm on 14.5 and can't write any changes to that domain because it's not present.

My Mac labs are now on 15. I had to do it manually on each machine as I couldn't figure it out and was on a time crunch. If you figure it out, let us know!

micmil
New Contributor III

I don't have any insight regarding doing this manually using Defaults or something else. We use Jamf Pro to deploy this as a configuration profile at the Computer level. It seems to work without issue on OS 14 machines, and the very few OS 15 machines we have deployed. 

Fwatson
New Contributor II

I guess I don't know how to take that and turn it into something Jamf can deploy. Inputting it as a custom schema just gets rejected.

Screenshot 2024-10-28 at 14.09.32.png

micmil
New Contributor III

Ah I see. While you can use JSON schema to configure settings, the format is different. As I am a noob when it comes to JSON, I can't help you with that. But here is the profile I was referencing; I hope this helps. Just make sure the profile is set to "Computer Level."

Screenshot 2024-10-28 at 9.18.14 AM.png
Screenshot 2024-10-28 at 9.18.21 AM.png

If all you're trying to do is disable the screen lock timeout, the Security and Privacy settings are optional. We just decided to lump them all together since all our "shared" machines should get these settings anyway.

Fwatson
New Contributor II

Ah, it never even occurred to me that you'd have to go to the "Upload" section to input XML code. I didn't see anywhere other than the JSON section and thought it must be that.

A configuration profile as set up in the screenshot above is indeed working perfectly as intended on 14.5.

davidbpk
New Contributor

I am trying to actually require the password after screen saver begins or display is turned off. Right now my users can change this setting to NEVER. I need it to be locked to immediately or 5 seconds or even 1 minute. I've tried PLIST and the setting in JAMF and nothing seems to work in Sonoma 14.4. Anyone know how to enforce this?