Posted on 07-24-2012 01:07 PM
So i've been tasked with forcing the screensaver password to kick in, however there doens't seem to be an easy of doing so - the MCX will grey out the settings - and I don't really wnat that as I'm sure Im going to get pushback from the departments to remove it.
I found this...http://macmule.com/2010/11/18/setting-10-5-10-6s-screen-saver-via-policy/
which seems to set the paramaters, but when I activate the SS it never prompts for the PW, despite the check boxes being set correctly.
I couldn't find anything in the config profiles to set this, is there someplace I am missing?
Posted on 07-24-2012 01:12 PM
That's one of the biggest requests we ever had in enterprise, and Apple have never given us a reliable way to manage these settings.
Mandate for our clients is usually lock-after-15-min and the user can't change it (unless they are admin; but as Miles says "then all bets are off").
Anxiously awaiting responses to this thread. :)
Don
Posted on 07-24-2012 01:44 PM
I'm using Managed Preferences (MCX) in Casper to manage our screen savers. Two preference settings:
Domain: com.apple.screensaver
Name: Require password for screensaver
Apply To: System Level Enforced
Key Name: askForPassword
Type: integer
Value: 1
Domain: com.apple.screensaver
Name: Idle Time
Apply To: User Level Enforced
Key Name: idleTime
Type: integer
Value: 900
The first setting enables the screen saver lock. The second setting activates the screen saver after 15 minutes.
I don't recall why I have System Level Enforced for the first and User Level Enforced for the second but this is what's working for me for 10.5-10.7.
As a matter of extra security I manage hot corner settings to prevent users from enabling a hot corner to prevent the screen saver from activating.
Yes, this disables users from being able to change the settings, however, this is either your organization's policy or it's not. I don't suggest implementing security policies of any kind unless your upper management will back you. Security is never convenient.
Alternatives:
Posted on 07-24-2012 02:34 PM
This is what I used to do: http://macmule.com/2010/11/18/setting-10-5-10-6s-screen-saver-via-policy/
Posted on 07-24-2012 04:37 PM
and I don't really want that as I'm sure Im going to get pushback from the departments to remove it.
This is where you point at the policy you've just enforced and just stare at them.
Posted on 07-25-2012 06:38 AM
Ha ha just noticed the OP has linked to my blog!
Apologies it's now working on 10.7, tbh i don't have the requirement here..
Are you setting the "askForPassword" integer to 1?
Posted on 07-25-2012 08:06 AM
I've always used talking moose's method, works perfectly. heh, I even use 15 minutes as well! :)
Posted on 07-25-2012 08:13 AM
Hi Nick, can users change the settings themselves through the pref pane?
We found they could hence the script, however this was a while ago & using WGM's MCX in OD.
Posted on 07-25-2012 08:37 AM
they can change the screensaver kick off time (since all my users are admins), but they can't disable the password prompt. the kick off time is reset at every login. our compliance department has signed off on that, but ymmv.
Posted on 07-25-2012 08:38 AM
@Ben - I set it to 1, I set the delayed time to 0.0, set the require PW to 1
It activates the check boxes and sets to immedaite, but when I put it into teh screensaver it doens't prompt for PW.
Posted on 07-25-2012 08:49 AM
@Nick, thamks for clarifying.. we had a SOX policy that required it to be set hence the script.
@John, I've not tested on Lion as we've not had that requirement in my new place of work.
We do have the same askForPassword MCX a Bill using Casper, but these are set @ user level.