Posted on 03-12-2014 02:54 PM
I have a Configuration Profile set up to require password after sleep or screen saver. I have it scoped to only my computer and one other. On my computer the box is greyed out and checked, but when I start screen saver it does not require the password to unlock, it just reopens. On the second system the check box is empty but the selection is greyed out.
My system is running 10.9.2
Second System is running 10.8.5
Any Ideas?
Posted on 03-03-2016 10:39 AM
I have resolved this issue with JAMF support by creating a signed config profile with both login screen and security and privacy settings and then importing it to the JSS.
Posted on 03-11-2016 10:28 AM
@jlong would you be open to sharing screenshots of your Security and Login config profiles? Our users are experiencing the screen lock issue badly.
Posted on 03-11-2016 10:49 AM
Sure, @jenieze Definitely interested to know whether it helps you or not.
Originally we had a configuration profile set up for each payload, on the advice of our jump start tech. So we had one profile that contained a Security payload, and another that contained a Login. I revoked both of these first, and then issued a new profile with the combined payloads (as mentioned by several others). The profile looks like this:
This alone was enough for some clients, and seems to have been all that was necessary for most in this thread. But in our environment we also had run a script in a separate policy, once per computer. Additionally, after both updating the profiles and running the script some clients had to reboot before the settings took effect.
Someone with more scripting experience could easily do a better job, but here's the script I used:
#!/bin/bash
#
# get current logged in user (empty string when nobody is at the console)
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
#
# nothing to do if nobody is logged in (avoids writing to /Users//Library/...)
if [ -z "$loggedInUser" ]; then
    exit 0
fi
#
# Set screen lock delay preference for user to 0 seconds
defaults write "/Users/$loggedInUser/Library/Preferences/com.apple.screensaver.plist" askForPasswordDelay -int 0
#
# change ownership of preference back to user
chown -R "$loggedInUser" "/Users/$loggedInUser/Library/Preferences/com.apple.screensaver.plist"
Posted on 03-14-2016 08:27 AM
Instead of running a separate script -- add a Custom Setting (screensaver plist) into the config profile.
Our config profile contains the following payloads:
Login Window
Security & Privacy:- Require password immediately after sleep or screen saver begins
Custom Payload: com.apple.screensaver
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>askForPassword</key>
<integer>1</integer>
<key>askForPasswordDelay</key>
<real>0.0</real>
<key>tokenRemovalAction</key>
<integer>0</integer>
</dict>
</plist>
This works perfectly for current and newly imaged machines. It applies instantly to both 10.10 and 10.11 machines. We are on 9.82.
http://www.johnkitzmiller.com/blog/security-privacy-configuration-profile-bug-in-casper-9-82/
Posted on 03-14-2016 08:39 AM
@jlong Thanks so much! So far so good with the fixes you've sent!
Posted on 03-14-2016 09:12 AM
@acorn Thanks for the suggestion. I did attempt John Kitzmiller's method, and while it worked for some clients, it unfortunately did not work for all. Running the script to force the defaults settings paired with the combination payload in the config profile was the only thing that's worked consistently for us. This might have been because we were using the defaults command to set the screen lock delay value before adjusting that option was supported in the config profiles but that is little more than a guess.
@jenieze No problem, and glad to hear it is working so far.
Posted on 03-14-2016 12:01 PM
Followed instructions on http://www.johnkitzmiller.com/blog/security-privacy-configuration-profile-bug-in-casper-9-82/ and now issue resolved.
Methinks that folks at JAMF should've fixed this during QA.
Corbin
Posted on 03-14-2016 12:10 PM
It's not just Jamf, it's all MDMs... Apple has the same issue, just in a different profile. The real issue is that everyone is still using MCX as the model and profiles are different. Also, after 6 years Apple hasn't changed how the MCX settings are nested in the OS.
One setting = one profile is the only real way to prevent this issue in the future... We are going to have to all build custom profiles and then sign them before we upload them to the JSS.
C
Posted on 03-29-2016 12:16 PM
After all of these issues related to lock screens, screen saver times, sleep times etc, I have decided to simply disable the setting altogether. Not worth the trouble at my company because we don't have a top-down mandatory policy for lock screens (we are not bound by SOX or HIPAA etc).
I have unchecked the setting "Require password X after sleep or screen saver begins" in the Security & Privacy Payload, and I have unchecked the setting "Start screen saver after X" in the Login Window Payload, but my end users are still complaining that they still can't disable/change these settings.
Screenshot below clearly shows the setting is no longer enabled on the JSS, but the clients are still prompted for passwords at 5 seconds. Apparently this is making users grumpy.
I just want to punt on this particular Profile. Not worth the energy and time to babysit it.
If I nuke the entire Profile (delete it from the JSS) will it remove itself from all managed Mac systems?
Posted on 03-29-2016 01:19 PM
@dstranathan The problem is, I think this setting is applied by default starting with 10.10.x. In fact, I've had the complete opposite problem, I can't get the Require password box unchecked! See this thread:
https://jamfnation.jamfsoftware.com/discussion.html?id=12927
I still don't have a workaround.
Posted on 04-01-2016 05:39 AM
Hey all -
I installed 9.9 on my test JSS yesterday to see if it fixed this and it did not.
I am still having the same issues in my environment:
1) Screen lock setting not being properly applied with config profile
2) Systems intermittently freezing upon waking from sleep (keyboard stops responding)
Both issues happened on my 10.11.4 laptop. (Second issue is documented here: https://jamfnation.jamfsoftware.com/discussion.html?id=19067)
Has anyone else had any luck with 9.9 fixing these issues?
Thanks, skoonin
Posted on 04-01-2016 03:44 PM
You have to build the profiles by hand. If you use the prebuilt ones in the JSS, Configurator 2 and Mac OS X, they cause conflicts.
One of the examples is a new key "maxInactivity".
https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
C
Posted on 04-15-2016 02:02 AM
Hi,
had the same issue.
I solved it by deploying one Configuration Profile with 3 payloads: Security & Privacy, Login Window, Custom (com.apple.screensaver.plist).
So far so good.
J
Posted on 04-26-2016 07:34 AM
Same problem (9.9.1), except in our case, the Security & Privacy payload is causing Spotlight to spike to 100% CPU consumption. Has anyone else experienced that before?
Posted on 04-28-2016 05:07 AM
@william.gregorian I have seen a couple of instances of Spotlight cpu usage spiking in the last month and couldn't find the solution for it. I'll see if removing this profile will help.
Also, I can't seem to get this to stick around. My users will initially be asked for passwords but after a few hours it stops requiring it.
Posted on 05-24-2016 06:23 AM
This bug has been solved two times. With 9.92 I again have this problem, does someone experience the same issue?
Posted on 05-24-2016 06:28 AM
@martin This is my solution.
Posted on 08-23-2016 07:25 AM
Follow-up: What is the status of this issue now that 9.93 is in production?
Posted on 08-23-2016 08:23 AM
Hi @dstranathan,
No, it's still not fixed. Combining the Login Window and Security & Privacy payload works for me.
Posted on 08-24-2016 06:09 AM
Thanks @martin. Combining the 2 does not work for me. Same problem exists.
Maybe I'm not on the same page as everybody else here. I'm trying to control the OS X Security and Privacy pane as follows:
Require Password:
NOT LOCKED.
I want the user to be able to toggle this on/off and select a time window. (We don't have a security policy at my employer)
Show a Message on lock screen:
LOCKED.
I set my company name using a profile. I don't want the user changing it.
Disable automatic login:
LOCKED.
I have it disabled in a JAMF profile and do not want it to be changed.
Allow apps to be downloaded from:
LOCKED.
I have the radio button set to "Mac App Store and identified developers". I do not want users to change this.
Am I not able to configure the Security & Privacy in a JAMF 9.93 profile on managed Macs running 10.10 and 10.11?
Posted on 08-24-2016 06:45 AM
I really hope this is addressed in 9.96....
Posted on 09-15-2016 01:39 AM
Not fixed in 9.96.
Posted on 02-22-2017 06:03 AM
Moving the two (Login and Security) into one profile worked for me. We are on 10.12.3
Thanks
Posted on 02-22-2017 08:51 AM
Confirmed. Putting the two into one profile works. After some digging, I found the cause.
In the Login Options payload, you can set the time frame for the screensaver to start but not whether the screensaver requires a password. If you open the mobileconfig file though, there are two entries for the password requirement, pasted below. Those keys are set to false and 0 by default in that mobileconfig but are overridden by the keys in the Security payload when they're bundled together.
When MacOS loads those payloads separately, when they're in two different profiles, it seems to be pretty hit or miss on which it applies. Users in my organization would need the password one day and then not for the next week, only to have it required again for a couple days after that.
<key>askForPassword</key><false/>
<key>askForPasswordDelay</key><integer>0</integer>
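The mismatch described in the post above can be checked before profiles are deployed. This is an added example, not code from the thread or from Jamf: it scans unsigned .mobileconfig files for askForPassword and askForPasswordDelay at any nesting depth and reports keys that are set to different values in different profiles. The sample payloads, file names and the make_profile helper are constructed for illustration; a signed profile would need its signature wrapper removed before parsing.

```python
import plistlib

LOCK_KEYS = ("askForPassword", "askForPasswordDelay")

def find_lock_keys(node):
    """Yield (key, value) for each screen-lock key found at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in LOCK_KEYS:
                yield key, value
            else:
                yield from find_lock_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_lock_keys(item)

def audit(profiles):
    """profiles maps a file name to raw .mobileconfig bytes.

    Returns {key: [(value, profile, payload type), ...]} for every lock key
    that is set to different values in different profiles.
    """
    seen = {}
    for name, raw in profiles.items():
        for payload in plistlib.loads(raw).get("PayloadContent", []):
            ptype = payload.get("PayloadType", "?")
            for key, value in find_lock_keys(payload):
                # <false/>, <integer>0</integer> and <real>0.0</real> all compare as 0.0
                seen.setdefault(key, []).append((float(value), name, ptype))
    conflicts = {}
    for key, hits in seen.items():
        values = {v for v, _, _ in hits}
        names = {n for _, n, _ in hits}
        if len(values) > 1 and len(names) > 1:
            conflicts[key] = sorted(hits)
    return conflicts

# Constructed sample payloads (not taken from a real Jamf export).
LOGIN = {"PayloadType": "com.apple.loginwindow",
         "askForPassword": False, "askForPasswordDelay": 0}
SECURITY = {"PayloadType": "com.apple.screensaver",
            "askForPassword": 1, "askForPasswordDelay": 0.0}

def make_profile(*payloads):
    """Hypothetical helper: wrap payload dicts in a minimal profile plist."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": list(payloads)})

if __name__ == "__main__":
    separate = {"login.mobileconfig": make_profile(LOGIN),
                "security.mobileconfig": make_profile(SECURITY)}
    for key, hits in audit(separate).items():
        print(key, hits)
```

A single profile carrying both payloads is not reported, matching the thread's observation that the combined profile applies consistently.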
Posted on 02-22-2017 12:48 PM
Like dstranathan, I want to allow my users to change whether or not "Require password" is set and to be able to select the time drop-down, while locking down "Allow apps downloaded from" and "Disable automatic login". Does anyone have a solution for this besides not using the Configuration Profile?
Posted on 04-25-2017 11:42 AM
Okay, so we are in the same boat as many of you above. We are running JSS 9.97 and this seems to mainly be affecting our 10.12.x machines. I have tried the fixes with the profiles of only login and security. It applies fine and we see one of two things: either it unchecks the immediate checkbox while still greyed out at some point (a recent phenomenon), or it stays checked but the machine does not lock when using hot corners or the keychain lock in the menu bar. So with that said, we are going back to basics and I am going to use the script offered above to implement this. The one thing I have not tried is the Maximum grace period for device lock set to immediate under passcodes. If anyone has insight into this that is not stated above, I am all ears.
Posted on 10-05-2017 09:09 AM
I'm seeing this in 9.96. Has this been fixed in a newer version of Casper Suite/Jamf Pro?
This seems to be an issue with the design of the "Login Window" payload...
Posted on 10-05-2017 09:25 AM
@prbsparx how do you have your configuration profile set for the screen saver?
I have a configuration profile with two payloads: Login Window and Security & Privacy
I'm also on 9.96 and ours is working fine. (Our Macs are on 10.11.x and 10.12.x)
Posted on 10-05-2017 01:57 PM
We had the settings as two separate profiles, I noticed people recommended switching to both in one profile and have done that. It appears to be working now.
Surprised that Jamf hasn't made it where it can be deployed as two separate profiles.
Posted on 10-10-2017 12:20 PM
@prbsparx vote this up
https://www.jamf.com/jamf-nation/feature-requests/6281/break-up-multi-mdm-payload-gui-payloads
: )
C
Posted on 10-10-2017 02:45 PM
Supposedly this is fixed as of 9.98. And 9.101 doesn't cause it to occur.
Posted on 10-10-2017 02:58 PM
Can confirm this is not fixed as of 9.101. Having the same issue.
Posted on 01-31-2018 05:55 PM
Combined Config Profile works for 10.11 and 10.12
Not working so well for 10.13...
Anybody seen this issue in 10.13 and found a fix?
Caine Hörr
A reboot a day keeps the admin away!