Posted on 12-14-2010 06:34 AM
Hi All,
I realize that there is an MCX template for "idleTime" for
com.apple.screensaver.ByHost, but having it just run at login will likely
not be sufficient to enforce a set time properly since the users can
change that value and it won't reset back unless they have to log out for
some reason.
I know that I can attempt to use defaults to rewrite the value with a
script on an interval, but I wasn't sure how to go about that being a
ByHost file.
Can this be easily scripted and when I set that value do I need the unique
ByHosts value in the domain for that plist? I assume so, but is there an
existing script that already does something similar somewhere? I started
digging through the Resource Kit, too. The sudo jamf mcx command doesn't
seem to help with this either.
What I'm also not certain about is if I can even change this value when
the user is logged in. I'm reading a few things about using launchctl
unload and load at the moment...
Any help would be appreciated. Working with plists is not my bag
currently...
Thanks,
Craig E
Posted on 12-14-2010 12:30 AM
Well,
I decided to take a peek at the file. Seems there is a way to do it if you want to set a standard, you can disable the screen saver preference pane and force the settings on the user. Not sure how you want to do this or not, and I know most of this is due to security standards. So, if your security policy says a screen saver must kick in within 15 minutes of idle time, you can set it that way and just let every user get it, regardless.
The other, hack sort of workaround is, set a launchd (or Casper policy) that runs every 10 minutes and sets the setting to desired results. A simple one-liner command actually is all you need. It seems that OS X hashes out these settings with some random hash codes, which when I was trying to wildcard it never ever worked. So I looked into the defaults command, and this did it for me.
defaults -currentHost write com.apple.screensaver idleTime 15
Another even more tricky way would be to set a launchd item to watch a file path, and specify the file path to this specific file and if it detects any changes, it executes the command or script to change it back.
So, maybe this will help you guys out.
-Tom
Posted on 12-14-2010 12:37 AM
Oops, I meant to put the value in seconds not minutes, so 15 minutes is 900, so the command in my email set the idleTime to 15 seconds, gah!
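Tom's interval and watched-file ideas combined, as an added example that is not part of the original thread. The label com.example.screensaver-idle, the MAX_IDLE variable and the two paths passed to agent_plist are assumptions; idleTime is in seconds, per the correction above.

```shell
#!/bin/sh
# Added example. MAX_IDLE, the label and both paths passed to agent_plist
# are assumptions, not values from the thread.
MAX_IDLE=900    # seconds (15 minutes)

# Print the value to write, or nothing when the stored idleTime is compliant.
idle_fix() {
    current=$1
    max=$2
    case $current in
        ''|*[!0-9]*) echo "$max"; return 0 ;;    # key missing or not a number
    esac
    # 0 means the screen saver never starts; above max is too long.
    if [ "$current" -eq 0 ] || [ "$current" -gt "$max" ]; then
        echo "$max"
    fi
}

# Emit a LaunchAgent that runs this script every 10 minutes and whenever
# the watched preference file changes. $1 = script path, $2 = watched path.
agent_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.screensaver-idle</string>
    <key>ProgramArguments</key>
    <array><string>$1</string><string>--enforce</string></array>
    <key>StartInterval</key><integer>600</integer>
    <key>WatchPaths</key>
    <array><string>$2</string></array>
</dict>
</plist>
EOF
}

# Runs in the user's session, so -currentHost resolves the ByHost file itself.
enforce() {
    current=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    new=$(idle_fix "$current" "$MAX_IDLE")
    # Write only when out of policy: an unconditional write would modify the
    # watched file and make WatchPaths start the job again.
    if [ -n "$new" ]; then
        defaults -currentHost write com.apple.screensaver idleTime -int "$new"
    fi
}

if [ "${1:-}" = "--enforce" ]; then enforce; fi
```

Values below the limit are left alone, so a user who picks a shorter idle time keeps it.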
Posted on 12-14-2010 08:40 AM
We run this via the every15 interval.. Offline too...
Works 10.5+
Script:
Variables are:
$4 > Screen Saver Time > 900 (seconds, 15 minutes)
$5 > Ask for Password > 1 (bool true)
$6 > Password Delay > 0 (seconds)
#!/bin/bash
# Map the policy parameters listed above
startTime="$4"
password="$5"
passwordDelay="$6"
# Check if hardware is PPC or early Intel: the UUID begins 00000000-0000-1000-8000-
# and the ByHost file is named with its last 12 characters, lowercased
if [[ `ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50` == "00000000-0000-1000-8000-" ]]; then
LEOUUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c51-62 | awk '{print tolower($0)}'`
# Check if hardware is new Intel: the ByHost file is named with the full UUID
elif [[ `ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50` != "00000000-0000-1000-8000-" ]]; then
LEOUUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-62`
fi
# User currently logged in at the console
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
# Sets time of screen saver to come on.
/usr/bin/defaults write /Users/"$loggedInUser"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID" idleTime -int "$startTime"
echo "Set Screen Saver To Come On After:" "$startTime"
# Correcting ownership and permissions for
# /Users/loggedInUser/Library/Preferences/ByHost/com.apple.screensaver.UUID
# (defaults run as root leaves the file root-owned; owner-only access, not world-writable)
chown "$loggedInUser" /Users/"$loggedInUser"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID".plist
chmod 600 /Users/"$loggedInUser"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID".plist
# Sets screen saver to require password
/usr/bin/defaults write /Users/"$loggedInUser"/Library/Preferences/com.apple.screensaver askForPassword -int "$password"
echo "Set Screen Saver to Require Password, for" "$password"
# Sets screen saver password delay
/usr/bin/defaults write /Users/"$loggedInUser"/Library/Preferences/com.apple.screensaver askForPasswordDelay -int "$passwordDelay"
echo "Set Screen Saver to Password Delay, to" "$passwordDelay"
# Correct ownership and permissions for /Library/Preferences/com.apple.screensaver
chown "$loggedInUser" /Users/"$loggedInUser"/Library/Preferences/com.apple.screensaver.plist
chmod 600 /Users/"$loggedInUser"/Library/Preferences/com.apple.screensaver.plist
Regards,
Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883
Posted on 12-14-2010 09:19 AM
Just a thought, but if you edit the default settings in the user template, every user will get those settings regardless, unless they go in and change them. Then you could make it self-healing, and/or monitor it with a script, or use MCX to just enforce it.
Posted on 12-14-2010 09:34 AM
Yep..
We often have to enforce policies on Macs we've not built (long story).. So running the below on all managed computers stops us having to rely on others' builds.
Regards,
Ben Toms
Posted on 12-14-2010 11:29 AM
I see the 10.5+ in there. Anyone got something for 10.4, too? =)
Thank you for this Ben. The issue is just that, Tom. I was testing this stuff in MCX within the JSS and the setting for screensaver idleTime was a per user setting, and can also be changed by the user after the login trigger corrects it. Some of our office users don't log out for days, and could easily circumvent the desired security change. A script that I can run at an interval will be necessary to make this setting work.
And since options for the other settings (disable auto login, require password from screensaver or sleep, and require immediately) vary quite a bit from 10.4 through 10.6, I won't have one nice place to deal with it all, it seems.
Appreciate the help folks.
Craig E