Locking down JamfHelper + LockScreen

rob_potvin
Contributor III

We had a situation at work where we needed to lock down a few laptops over the summer break. The problem with jamfHelper and OS 10.7 and 10.8 is that you can CMD+Q and it will quit. That is okay if you just want to be annoying, but I want to lock down the computer so you can't CMD+Q the message.

I played around with a few things, like setting the keyboard to some strange language where the Q was located somewhere else but I found a better way.

/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen

This is what Remote Desktop calls when you lock the screen, but it doesn't run on top of JamfHelper and it locks out the keyboard when it is running.

LockScreen supports an attribute tag called -msgHex and if you convert your message to hex it will display fine. But it is easier to use jamfHelper with that, as long as I run LockScreen after it locks out the keyboard and locks down the computer with my custom jamfHelper message.

Example script below.

#!/bin/sh

iconpath=""
icon=""
heading=""
description=""

"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType fs -icon "$iconpath$icon" -heading "$heading" -description "$description" &
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen -session 256 &

Now you could use this with your software update routines or other installer routines, just remember you have to kill the process if you want to get keyboard control back.

/usr/bin/killall LockScreen

Anyway it is working for us rather well, just wanted to share... let me know if I missed anything or it is working for you.

Cheers

7 REPLIES

wyip
Contributor

On 10.8 and 10.9, you can just use -msg to have lockscreen print out your message e.g.

/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen -session 256 -msg "Hello World!" &

I also found that on 10.9, you can launch LockScreen.app if the computer is at the Login Window. This doesn't work on 10.8 though so I'm not sure if this is a new feature or a bug ;)

Here's how you do it:

open /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app

The only thing is you can't pass any arguments to LockScreen.app (at least I couldn't figure out how to). My kludgey workaround is to change the image that lockscreen displays to include some text. The location of this file is:

/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/Resources/Lock.jpg

I haven't found any size restrictions on this file, but I also haven't tried to do anything too crazy... I just added some text to the default image using Preview.

designbridge
New Contributor II

Hi

Thanks for this. I'm trying to use it to stop users from opening up applications when doing the office update. But I'm having problems unlocking the screen.

I've got a policy that runs the lock screen script 'Before' and another script with the 'After' tag set to /usr/bin/killall LockScreen but the screen stays locked. Any ideas where I might be going wrong?

thanks

As

rob_potvin
Contributor III

@designbridge could you post your before script?

designbridge
New Contributor II

Hi Rob,

thanks for replying. I'm using the same script in your example.

#!/bin/sh

iconpath=""
icon=""
heading=""
description="Dear all, Casper is updating your computer"

"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType fs -icon "$iconpath$icon" -heading "$heading" -description "$description" &
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen -session 256 &

thanks As

jescala
Contributor II

@rpotvin Thanks for your script! Works great on 10.10 while a user is logged in. However, I haven't been able to get it to work at the login screen. Any suggestions?

mtafirozee
New Contributor II

@designbridge

Try killing jamfHelper as well. It worked for me.

My kill script.

#!/bin/sh

/usr/bin/killall LockScreen
/usr/bin/killall jamfHelper
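
The unlock step discussed in this thread (killing LockScreen, and jamfHelper as well) can be tied to the task itself so the lock is released whenever the task ends, including on failure or interruption. This is an added example, not code from any post in the thread; the function names `run_locked` and `unlock_screen` and the overridable `JAMFHELPER` and `LOCKSCREEN` variables are assumptions, and it kills by PID instead of the thread's `killall`.

```shell
#!/bin/sh
# Added example: hold the lock only while a task runs, and always release it.
# Paths and flags are the ones quoted in the thread. The variables can be
# overridden (an assumption, e.g. for a dry run on a machine without them).
JAMFHELPER="${JAMFHELPER:-/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper}"
LOCKSCREEN="${LOCKSCREEN:-/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen}"

helper_pid=""
lock_pid=""

# Stop only the processes this script started, by PID rather than by name.
# Assumes neither program re-forks; the thread itself uses killall by name.
unlock_screen() {
    for pid in $lock_pid $helper_pid; do
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
    done
    lock_pid=""
    helper_pid=""
}

# Usage: run_locked "heading" "description" command [args...]
# Returns the exit status of the wrapped command.
run_locked() {
    heading=$1; description=$2; shift 2
    "$JAMFHELPER" -windowType fs -heading "$heading" -description "$description" &
    helper_pid=$!
    "$LOCKSCREEN" -session 256 &
    lock_pid=$!
    # Release the lock even if the script is interrupted or terminated.
    trap 'unlock_screen; exit 1' INT TERM HUP
    status=0
    "$@" || status=$?
    unlock_screen
    trap - INT TERM HUP
    return "$status"
}
```

A policy script would source or include these functions and call, for example, `run_locked "Updating" "Please wait" /usr/sbin/softwareupdate -i -a`, so a failed update still returns keyboard control.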

marklamont
Contributor III

I know this is an old thread but it seems to get responses still so I'll add my bit.
I created a customisable set of scripts for use with Casper policies for screen locking.
One script, the worker script, is dropped on the machine and the other, the modifier, is run from a policy, meaning you can change various values so it can be reused for many uses.
my link text