Logout inactive computers after 20 minutes with advanced warning message in 10th minutes.

I don't think there's any built in config profile type stuff that would do what you're looking for with this. You'll likely need to script something and have it fired off with LaunchAgent or LaunchDaemon to display the message at ~10 minutes before logout. It may never be 100% accurate, but you can probably get it close.

The first step would be to get the idle time of the Mac. This can be done in the following way:

ioreg -c IOHIDSystem | awk '/HIDIdleTime/{print int($NF/1000000000); exit}'

This prints back the idle time in seconds. If you want to test the above, you can add in a sleep command before it, but the sleep value must slightly exceed the value you're expecting to see because of how it only gets whole integers. For example, to sleep for 3 seconds, and then print "3" as a result, you have to add a sleep of 3.1 seconds, so it's slightly over the value. The command above only prints whole integers.

$ sleep 3.1; ioreg -c IOHIDSystem | awk '/HIDIdleTime/{print int($NF/1000000000); exit}'
$ 3

With that, you could look at developing a LaunchDaemon that runs a script at the very least every 10 seconds (no less than that) which gets the idle time and calculates if it's at or above 10 minutes, and then display a message. Here's a script that could do this.

#!/bin/bash

## Set the minutes idle to check value here
minVal="10"

## Get the minVal in seconds
secVal=$((minVal*60))

## Path to jamfHelper
jhPath="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

## Get the idle time of the Mac in seconds
idleSecs=$(/usr/sbin/ioreg -c IOHIDSystem | /usr/bin/awk '/HIDIdleTime/{print int($NF/1000000000); exit}')

if [[ "$idleSecs" -ge "$secVal" ]]; then
    ## First check to make sure someone is logged in
    if [[ $(/usr/bin/stat -f%Su /dev/console) != "root" ]]; then
        ## Display message to logged in user
        "$jhPath" -windowType utility -title "" -heading "" -description "Your Mac has been idle for $minVal minutes. If there is no activity in another $minVal minutes, this account will be automatically logged out." -icon "/System/Library/CoreServices/loginwindow.app/Contents/Resources/LogOut.tiff" -button1 "OK" -defaultButton 1
    else
        echo "No user logged in. Nothing to display."
        exit 0
    fi
else
    echo "Idle time not reached. Exiting"
    exit 0
fi

And here's an example LaunchDaemon that would fire this off every 10 seconds. In practice, I would probably increase the time to about 30 seconds at a minimum. It's not a great idea to be running scripts every 10 seconds on your machines, plus launchd is very picky about jobs running any more than every 10 seconds. If it happens to run sooner it will pipe errors into the system.log and may even end up disabling the job if it thinks its gone awry.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.org.idletimecheck</string>
    <key>Program</key>
    <string>/path/to/idletimescript.sh</string>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>10</integer>
</dict>
</plist>

In the above, you'd need to change the /path/to/idletimescript.sh for the Program line to match where you saved the script on the local system.
The above items can be packaged up in their specific locations and then deployed in a pkg to the machines. You may also consider adding in a postinstall script to the package to load the LaunchDaemon right away or else it won't be active until after the first restart.

All this being said, there may be other more developed toolsets that can help with this. For example, you can look at crankd, which may have the ability to run jobs/scripts on set idle time and other events. I know it can trigger on network events and other stuff, but not completely sure if it handles idle time.

Hope that helps.

mm2270, Thank you so much for the detailed explanation.

My other question is in the first script that you wrote (idletimescript.sh) where should I put the command line to logout the user if no one didn't press OK for the idle time message?

Also the last set of quotes that you wrote (where I have to change the path for idletimescript) is this the plist that I have to create and place it in LaunchAgents or LaunchDaemons?

Thanks again.

Hi @raghdasi I think my thinking on the above was that you would use the LaunchDaemon and local script to kick off at around the 10 minute idle time, sit on screen in case any user happens to be there or come by within the next 10 minutes, and use your current command line setting (presumably already deployed to the Mac(s)) to auto log out of the account at the 20 minute idle time mark. What I wrote above doesn't assume doing the actual logout of the account later. It was just to display the 10 minute warning message. The defaults setting you wrote above (or better yet, an installed Config Profile with that setting) would do the actual logout later.

As for your second question, the path I mentioned would be the path to the script. So in other words, you may want to place the script in a location like /private/var/scripts/ The "scripts" being a custom directory. Then in the LaunchDaemon plist, you would change that line to be <string>/private/var/scripts/idletimescript.sh</string>
Of course, be sure to actually name the script idletimescript.sh or if you choose a different name, be sure to have the LaunchDaemon line reflect that.

Once you have all this together, you can package them up in Composer. Drag the /private/var/scripts/idletimesript.sh and /Library/LaunchDaemons/com.org.idletimecheck.plist for example, into Composer's sidebar to create a new source. Make sure permissions on the LaunchDaemon are 644 (owner: read & execute, group and everyone: read) and owner: root, group: wheel. The script should be 755 POSIX.
Then, if you want, you could add a postinstall script to the Composer source and add something like the below to it:

#!/bin/sh

if [ -e "/Library/LaunchDaemons/com.org.idletimecheck.plist" ]; then
     /bin/launchctl load /Library/LaunchDaemons/com.org.idletimecheck.plist
fi

Does all this make sense?

Hi @mm2270,
Thank you so much for the clarification and great help. It worked fine. The only thing is I am thinking is to add remaining time (countdown) so I can add the countdown on the popup window where is says :

        "$jhPath" -windowType utility -title "" -heading "" -description "Your Mac has been idle for $minVal minutes. If there is no activity in another **$minVal ** minutes, this account will be automatically logged out." -icon "/System/Library/CoreServices/loginwindow.app/Contents/Resources/LogOut.tiff" -button1 "OK" -defaultButton 1

I am trying to add the remaining time with counting down in hh.mm.ss
format. I found many scripts but i can't make them work within the idletimescipt script or tried to recall the countdown script from idletimescript. Also tried to see if can see the variables with idletimescript as well (like replacing $minVal with secVal or new variable .

@raghdasi What you may want to try is using the -timeout <val> and -countdown flags for jamfHelper, which display a timeout string. Unfortunately, jamfHelper defaults to a text string saying "Please make selection in <time remaining>", which doesn't exactly make sense since in this case you wouldn't be asking someone to make a "selection", just providing a warning of the time remaining.

In case you want to try it, you would use something like this to make that appear

"$jhPath" -windowType utility -title "" -heading "" -description "Your Mac has been idle for $minVal minutes. If there is no activity in another $minVal minutes, this account will be automatically logged out." -icon "/System/Library/CoreServices/loginwindow.app/Contents/Resources/LogOut.tiff" -button1 "OK" -defaultButton 1 -timeout 600 -countdown

Note the -timeout 600 and -countdown flags. The 600 of course corresponds to 600 seconds, or 10 minutes.
The above would produce something like the following screenshot. The timer actually counts down to 0 and then the window automatically dismisses, which would be about the time that the Mac would log out.

Another option for displaying these windows would be the cocoaDialog beta, which can also display a countdown, but uses the text string of "Time remaining: x minutes..." which makes more sense for this use case. Example of what it would look like below: