Jamf Nation Community

I’ve also found it possible, in at least some circumstances, to add otherwise-missing keys/values to a configuration profile without using a Custom profile.

Sometimes, a profile management tool — or a specific version of the tool you use — won’t have a built-in option to set the key/value you want, even though it can set other preferences in the same preference domain (“com.apple.screensaver”). It may be possible to add the desired key/value to an existing profile that manages related settings.

1. Create a profile.
2. Set a value in the same preference domain as the key/value you want to manage. The key/value you want to manage may not be available in your tool that creates profiles, whether that’s JSS or Profile Manager or something else entirely.
3. Export the configuration profile.
4. Open the configuration profile in a text editor.
5. Duplicate the group of lines containing the key/value set in the previous step.
6. Change the duplicated group of lines to reflect the key and the value that you want.
7. Save the configuration profile.
8. Test. This kind of profile may not work correctly if uploaded to a profile management tool.

This effectively adds the key/value you entered into a profile, without it being a “Custom” profile. YMMV as whether you want to do this. A Custom profile is more likely to be supported/supportable. A Custom profile is also more likely to work when uploaded and/or re-edited in a profile management tool. I can imagine that uploading or editing in one of those tools could simply remove the unsupported key/value, since it didn’t know about the key/value in the first place.

As nearly as I can tell, though, the resulting profile is equivalent to creating a Custom profile with a Forced setting.

Thank you both for your responses.

When applying David's steps, I now get the setting greyed out. I can successfully adjust the time but cannot get the box unchecked. This causes the 15 min auto logout setting not to kick in and the machine does not log out. It also does not require the password on screensaver or when machine sleeps. So it's not checked but it's not unchecked.

I did manually turn off the setting and test to make sure the machines would actually log out with the box unchecked and they did.

Also tried editing plist and uploading into JSS config profile. This didn't even grey out the setting. Once again could adjust time.

Thanks for the help on this one.

Could you post the config profile XML? There might be something in there that isn't set quite right.

One possibility would be to change the <key>Forced</key> to <key>Often</key>.

According to MCXtoProfile, Often isn't really supported on Yosemite. So if this is Yosemite, YMMV. But still worth a try.

Yeah, Tim calls out to not use the Often key with profiles on his github page, since the behavior isn't reliable. But you could try it I suppose. I'm not sure if the recommendation to not use it applies to everything.

No behavior involving this box has been reliable thus far so here we go....

The much appreciated second suggestion <key>Often</key> does nothing to the setting. The only thing that changes is that the setting is no longer greyed out.

Thanks again all.

I have discovered something. Used composer to see what exact plist was being affected by the previous steps and it looks like a ByHost Preference.

This doesn't help me but maybe will help someone else.

@jomccann i think you might need to delete the "askForPasswordDelay" key from the plist.

In case anyone is still working on this one, I had a client today that needed it to be set. Config profiles initially appeared to work, then stopped working and the setting reverted back. A bit of fiddling around confirmed it was very unstable.

Tried a defaults write /Users/$3/Library/Preferences/com.apple.screensaver askForPassword 0 on the advanced policy section and set it to run at login. This didn't work.

I created a script locally on the client that ran the above command (with a change for the $3), triggered by a policy. This didn't work.

I created a LaunchAgent (so ignoring Casper entirely) and put it in /Library/LaunchAgents to run the local script. this worked fine. Tested quite a few more times. Still working ok. Packaged the script and the LaunchAgent and deployed to more machines. All working ok.

Hope this helps someone.

This custom setting in the config profile works for me.

Strange, I had the same options and tried with askForPassword only. Either way it worked initially then broke.