Skip to main content
Question

locking the user console after 30 min

  • May 5, 2015
  • 5 replies
  • 25 views
J
Forum|alt.badge.img+14

In the Windows world I can fairly easily configure a group policy that will allow me to lock a Windows machine after 30 min of inactivity two different ways...

  1. Setting a screensaver time out of 30 min

  2. Setting a scheduled task to kick off a screensaver or go to sleep after 30 minutes of inactivity

Both would prompt for a password when activity is detected.

It would seem I can do #1 with Managed Preferences and probably via Configuration Profiles. I would prefer to do #2 though. The reason is that it's been decreed here to enforce a certain amount of security as many don't have passwords set for locking their desktop after a certain amount of time. By going with solution #2, the goal is to have that set across the board but still let those who want a tighter timeframe be able to set their screensaver or turning the display off to a lower time. No matter what though the user can't be allowed to disable whatever screen locking mechanism it used.

Right now I have the path that can kick off the screensaver but where I'm having difficulty is figuring out a way to monitor the inactivity over a 30 min period. Does anyone here already do this or know of a way to do this that could point me in the right direction?

The path I can use to kick off the screensaver is "open /System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app"

Any ideas or help in how I could implement such a solution which obviously would get deployed with Casper?

    5 replies

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • May 5, 2015

    @jhuls I'd deploy a screen saver config profile that enforces a screen saver after 30 minutes.

    The OS is pretty good at detecting "inactivity" & so why duplicate/make work?

    acodega
    Forum|alt.badge.img+15
    • acodega
    • Valued Contributor
    • May 6, 2015

    The question is how to allow the user to select a time less than the minimum, if they prefer. Config profile will lock the panel.

    Thinking out loud here, if you made a small script with a CocoaDialog GUI that asked the user what they wanted to change it to, then did that via

    #!/bin/sh

su $3 -c 'defaults -currentHost write com.apple.screensaver idleTime -int "600"'

su $3 -c 'defaults -currentHost write com.apple.screensaver askForPassword -int "1"'

su $3 -c 'defaults -currentHost write com.apple.screensaver askForPasswordDelay -int "0"'

    600 being the value for 10 minutes.

    L
    Forum|alt.badge.img+16
    • Look
    • Valued Contributor
    • May 6, 2015

    Don't bother asking the user, just read the current value and ensure it is less than minimum required minutes before proceeding.
    Use a LaunchAgent and have it run every 3 hours or something to allow users to temporarily extend up to 3 hours in the event of a presentation or some such.

    acodega
    Forum|alt.badge.img+15
    • acodega
    • Valued Contributor
    • May 6, 2015

    @Look ...without using a config profile, which would lock the screen saver time setting.

    L
    Forum|alt.badge.img+16
    • Look
    • Valued Contributor
    • May 6, 2015

    @adamcodega Yes don't use a config profile
    Edit the settings with a script called from a LaunchAgent or LaunchDaemon with a setting for StartInterval of 10800 seconds (3 hours unless my maths sucks, which it might...).

    <key>StartInterval</key>
<integer>10800</integer>

    Although a script out of Casper would also do it without too many issues, depending on how strict you want to be you could just run it once daily.

    Terms & ConditionsCookie settingsAccessibility statement