locking the user console after 30 min

jhuls
Contributor III

In the Windows world I can fairly easily configure a group policy that will allow me to lock a Windows machine after 30 min of inactivity two different ways...

  1. Setting a screensaver time out of 30 min

  2. Setting a scheduled task to kick off a screensaver or go to sleep after 30 minutes of inactivity

Both would prompt for a password when activity is detected.

It would seem I can do #1 with Managed Preferences and probably via Configuration Profiles. I would prefer to do #2 though. The reason is that it's been decreed here to enforce a certain amount of security as many don't have passwords set for locking their desktop after a certain amount of time. By going with solution #2, the goal is to have that set across the board but still let those who want a tighter timeframe be able to set their screensaver or turning the display off to a lower time. No matter what though the user can't be allowed to disable whatever screen locking mechanism it used.

Right now I have the path that can kick off the screensaver but where I'm having difficulty is figuring out a way to monitor the inactivity over a 30 min period. Does anyone here already do this or know of a way to do this that could point me in the right direction?

The path I can use to kick off the screensaver is "open /System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app"

Any ideas or help in how I could implement such a solution which obviously would get deployed with Casper?

5 REPLIES 5

bentoms
Release Candidate Programs Tester

@jhuls I'd deploy a screen saver config profile that enforces a screen saver after 30 minutes.

The OS is pretty good at detecting "inactivity" & so why duplicate/make work?

adamcodega
Valued Contributor

The question is how to allow the user to select a time less than the minimum, if they prefer. Config profile will lock the panel.

Thinking out loud here, if you made a small script with a CocoaDialog GUI that asked the user what they wanted to change it to, then did that via

#!/bin/sh

su $3 -c 'defaults -currentHost write com.apple.screensaver idleTime -int "600"'

su $3 -c 'defaults -currentHost write com.apple.screensaver askForPassword -int "1"'

su $3 -c 'defaults -currentHost write com.apple.screensaver askForPasswordDelay -int "0"'

600 being the value for 10 minutes.

Look
Valued Contributor III

Don't bother asking the user, just read the current value and ensure it is less than minimum required minutes before proceeding.
Use a LaunchAgent and have it run every 3 hours or something to allow users to temporarily extend up to 3 hours in the event of a presentation or some such.

adamcodega
Valued Contributor

@Look ...without using a config profile, which would lock the screen saver time setting.

Look
Valued Contributor III

@adamcodega Yes don't use a config profile
Edit the settings with a script called from a LaunchAgent or LaunchDaemon with a setting for StartInterval of 10800 seconds (3 hours unless my maths sucks, which it might...).

<key>StartInterval</key>
<integer>10800</integer>

Although a script out of Casper would also do it without too many issues, depending on how strict you want to be you could just run it once daily.