Require password "immediately" after sleep or screen saver begins (not working)

scentsy
Contributor

Require password "immediately" after sleep or screen saver begins (not working)

I'm on JSS 9.93

anyone experiencing the same issue?

19 REPLIES 19

dan-snelson
Valued Contributor II

@scentsy Did this work as expected prior to 9.93? May or may not be related to:

Known Issues Configuration profiles created in v9.93 with a Security & Privacy payload and a FileVault 2 Redirect payload contain an inactive automatic logout setting.

See: http://docs.jamfsoftware.com/9.93/casper-suite/release-notes/Known_Issues.html

strider_knh
Contributor II

Ever since JSS 9.90 (?) there have been configuration profile issues. The Login Window may have an improper payload that sets that setting which may conflict with the one from Security and Privacy which then means it is impossible to tell which setting will take priority. I have not heard anything about them fixing that issue but we are still on JSS 9.91.

Also, we recently has the Security and Privacy profile start having a payload that disables iCloud Drive. We changed nothing in the profile but when the JSS randomly decided to re-install all the profiles on a station like it does, that payload it being included.

Fun with configuration profiles.

It has to be some disconnect as to what the JSS thinks should be included and what Apple thinks should be included? It is getting really annoying that you never know what setting will be deployed and is making this job really difficult.

I also do NOT like the solution of making a custom profiles for every setting I want to use. I pay to have the JAMF software to do this for me, waste of money at that point. It has been about 8 months now and there are still problem arising and no definite solutions from Jamf.

dan-snelson
Valued Contributor II

The only Band-Aid of which I know is to build the Configuration Profile in Profile Manager, sign it (prevents the JSS from making changes) and upload it to the JSS.

Far from ideal.

Parm
New Contributor II

We had three individual config profiles for login window, Security and restrictions - we had lots of issues,including the one above, when we amalgamated these into one policy everything started behaving on the majority of our machines.

scentsy
Contributor

@dan.snelson Yes it was working before the upgrade to 9.93 (previous version 9.91).

pchen_plaid
New Contributor II

Exact same issue, the end result was what @Parm mentioned.

scentsy
Contributor

Disclaimer: do not know if it will work in your environment.

For now our work around is to create another configuration profile and setting the level to "User Level"
instead of using "Computer Level"2ccc3b20c4464484a729db6bf419706c

we also have another configuration profile "Security & Privacy" set to "Computer Level"
along with the "Login Window" payload.

and that seems to work for us.

For us is important to have the message Banner and the screen saver to activate "immediately".
ccd6f8d19345467abf8b1a606f24c0a4

Hopefully this workaround/lucky guess works for you.

Sachin_Parmar
Contributor

Hi @scentsy , have you tried looking at this fix? Worked for me first time and been using it like this ever since

bmortens115
New Contributor III
New Contributor III

Here seems to be an explanation for I have been experiencing. The workaround has been working for me. Similar to above posts

scentsy
Contributor

@Sachin_Parmar I have not done that fix on our new version 9.93; I've done it on our previous version 9.91 and it has worked.

I was going to do that fix, but that's when I decided to test what I've posted, and since it worked for me (at the moment) I'll leave it the way it is.

Thank you for posting the link.

KCH080208
New Contributor II

my newly imaged machines are setting this to required and I don't even have a configuration profile setup for this since changing to 9.93.

dan-snelson
Valued Contributor II

@KCH080208 Do you happen to have a Configuration Profile with the FileVault 2 Redirect payload?

Retrac
Contributor

I created a custom plist for this that defines the two keys and then deployed to only our 10.11.x Macs via a CP.

askForPassword=1
askForPasswordDelay=0.0

Works a treat.

bmortens115
New Contributor III
New Contributor III

Here seems to be an explanation for I have been experiencing. The workaround has been working for me. Similar to above posts

scentsy
Contributor

So remember I told you I created two configuration profiles for the screen saver to work “properly” weelllll, it turns out it was causing other issues.

So I contacted the Jamf support and they send me a link (http://www.johnkitzmiller.com/blog/security-privacy-configuration-profile-bug-in-casper-9-82/), I was going to do the custom property list file, but I just set it to “Require password 5 seconds after sleep or screen saver begins” and that worked!

I pushed that configuration (the same one we had, only changed the “immediately” to “5 seconds”).

I had a weird feeling having two configuration profile of the same settings it will cause problems.

So now there’s only one configuration profile (as it should) for the screen saver.

Thanks.

scentsy
Contributor

After a few days I notice the screen saver keeps switching randomly to "Ask for password" and it goes back to when the screen saver turns on and when I wake it up it doesn't ask for a password.

I'm on 9.93 JSS and macs running 10.11.6

as I posted on 08/18/16 I tried the suggestion from johnkitzmiller blog and it doesn't work for me.

Sachin_Parmar
Contributor

@scentsy - Do you have multiple config profiles? Try merging them into one and try johnkitzmiller fix and see if that helps.

scentsy
Contributor

42959e5391de459eb8e452a6ee1c502b
0a181680dcb848d995196b9d1347a396

This is the way we have it setup.

bentoms
Release Candidate Programs Tester

FWIW, this method still seems to work for us with askForPasswordDelay & even works to get over the FV2 redirection auto logout issue in 9.93.