Just need a sanity check on screen lock Configuration Profile

thebrucecarter
Contributor II

Greetings all,

We are trying to enforce screen lock time limits (which InfoSec wants), but when we do, it also enforces a particular screensaver module (which InfoSec doesn't care about in the least).  Some of our users don't like "Flurry" and want to set their own.  These two seem joined at the hip in the GUI.  Copilot had a suggestion using a script, but it didn't work for me.

Does anybody have these two things functioning, but separately?  It doesn't seem like a big deal to me, but some of our users are really not happy about not being able to set their preferred screen saver.


AJPinto
Esteemed Contributor

Unless you specify a screensaver path within the configuration profile, the users should be able to change it from the default. What happens if a user goes into System Settings and attempts to set their preferred screen saver?

Screenshot 2025-03-10 at 5.09.08 PM.png

It shows up as above (from a test unit) with everything grayed out and the message about it being configured by a profile.  When we just leave out the screensaver it defaults to Flurry anyway, unless this has changed recently.  We even tried raw XML, but no go.  I need to try some more experimentation with this now that we are in the cloud product, but thus far I have not been able to come up with a combination that gives us the lock screen function that InfoSec wants along with the freedom to select a screensaver at will that the users want.

sdagley
Esteemed Contributor II

@thebrucecarter Have you tried creating a signed Configuration Profile with https://imazing.com/profile-editor to force screen lock time limits (sign before uploading to Jamf Pro so the settings aren't mangled)? As you've discovered Jamf's GUI for creating Configuration Profiles often brings along unwanted baggage, but the iMazing Profile Editor allows creating very granular profiles. The question is does Apple disable the UI for selecting screensaver options when the time is forced like they do for Notification options if you have a profile that forces Notifications to be enabled for an app but don't set the specifics.

I have not tried that specifically.  We kind of assumed we'd get the same result as the raw XML, but I am definitely not opposed to giving it a whirl.  Thank you for the suggestion!

sdagley
Esteemed Contributor II

@thebrucecarter The issue with using Jamf's Application & Custom Settings payload to apply settings is that they are wrapped in "Forced" and "mcx_preference_settings" keys which don't work for some settings. Profiles created by the iMazing Profile Editor don't use those keys.

Interesting, I will put that into our Book of Knowledge!
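An added example, not code from any poster in this thread: a small Python audit that reads an unsigned .mobileconfig and reports, for each screen saver payload, whether it is wrapped in the "Forced" / "mcx_preference_settings" keys sdagley describes and whether it sets a screen saver module, the case AJPinto raises. The payload types and key names are assumptions based on Apple's Screen Saver payload, and the sample profile is constructed; a signed profile would need its signature stripped before parsing.

```python
import plistlib

# Assumed payload types and key names (Apple Screen Saver payload as the
# editor understands it); verify against the profile you actually deploy.
SCREENSAVER_TYPES = {"com.apple.screensaver", "com.apple.screensaver.user"}
MODULE_KEYS = {"moduleName", "modulePath", "loginWindowModulePath"}
WRAPPER_TYPE = "com.apple.ManagedClient.preferences"

def _finding(domain, settings, wrapped):
    # Split the settings into "which saver" keys and everything else (lock/timeout).
    return {"domain": domain, "wrapped": wrapped,
            "module_keys": sorted(k for k in settings if k in MODULE_KEYS),
            "lock_keys": sorted(k for k in settings if k not in MODULE_KEYS)}

def audit_profile(data: bytes) -> list:
    """Report screen saver settings found in an unsigned .mobileconfig."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == WRAPPER_TYPE:
            # Wrapped form: domain -> Forced -> mcx_preference_settings
            for domain, body in payload.get("PayloadContent", {}).items():
                for entry in body.get("Forced", []):
                    settings = entry.get("mcx_preference_settings", {})
                    if domain in SCREENSAVER_TYPES:
                        findings.append(_finding(domain, settings, True))
        elif ptype in SCREENSAVER_TYPES:
            # Direct form: settings sit beside the Payload* metadata keys.
            settings = {k: v for k, v in payload.items()
                        if not k.startswith("Payload")}
            findings.append(_finding(ptype, settings, False))
    return findings

# Constructed sample: one wrapped payload that pins a module, one direct
# payload that only sets the password requirement.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": WRAPPER_TYPE,
         "PayloadContent": {"com.apple.screensaver": {"Forced": [
             {"mcx_preference_settings": {
                 "idleTime": 300, "askForPassword": True,
                 "moduleName": "Flurry"}}]}}},
        {"PayloadType": "com.apple.screensaver",
         "PayloadIdentifier": "example.lock",
         "askForPassword": True, "askForPasswordDelay": 0},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

A non-empty `module_keys` list means the profile itself names a screen saver; `wrapped` shows which of the two profile shapes was uploaded.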

agungsujiwo
Contributor II

Hi @thebrucecarter ,

You can try the following Configuration Profiles:
Go to Configuration Profiles > Options > Security & Privacy > General > Require Passcode to Unlock Screen, then select the desired timeout duration in minutes.
Tested on Sonoma OS; it works.
Thank you, agungsujiwo, we will experiment with this as well!