Screensaver password on Lion

jwojda
Valued Contributor II

So I've been tasked with forcing the screensaver password to kick in, however there doesn't seem to be an easy way of doing so - the MCX will grey out the settings - and I don't really want that as I'm sure I'm going to get pushback from the departments to remove it.

I found this...http://macmule.com/2010/11/18/setting-10-5-10-6s-screen-saver-via-policy/

which seems to set the parameters, but when I activate the SS it never prompts for the PW, despite the check boxes being set correctly.

I couldn't find anything in the config profiles to set this, is there someplace I am missing?

10 REPLIES

donmontalvo
Esteemed Contributor II

That's one of the biggest requests we ever had in enterprise, and Apple have never given us a reliable way to manage these settings.

Mandate for our clients is usually lock-after-15-min and the user can't change it (unless they are admin; but as Miles says "then all bets are off").

Anxiously awaiting responses to this thread. :)

Don

--
https://donmontalvo.com

talkingmoose
Honored Contributor II

I'm using Managed Preferences (MCX) in Casper to manage our screen savers. Two preference settings:

Domain: com.apple.screensaver
Name: Require password for screensaver
Apply To: System Level Enforced
Key Name: askForPassword
Type: integer
Value: 1

Domain: com.apple.screensaver
Name: Idle Time
Apply To: User Level Enforced
Key Name: idleTime
Type: integer
Value: 900

The first setting enables the screen saver lock. The second setting activates the screen saver after 15 minutes.

I don't recall why I have System Level Enforced for the first and User Level Enforced for the second but this is what's working for me for 10.5-10.7.

As a matter of extra security I manage hot corner settings to prevent users from enabling a hot corner to prevent the screen saver from activating.

Yes, this disables users from being able to change the settings, however, this is either your organization's policy or it's not. I don't suggest implementing security policies of any kind unless your upper management will back you. Security is never convenient.

Alternatives:

  1. Enforce the lock and enforce the time but allow folks to enable a hot corner to prevent screen saver locking.
  2. Set the Apply To for idleTime to User Level at Every Login. This will allow users to change the setting but will revert whenever the user logs in again.
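
A compliance check for the settings discussed in the post above, added here as an example; it is not part of the thread and not a script anyone in it posted. It audits plist data for `com.apple.screensaver` and `com.apple.dock`. The `askForPasswordDelay` key, the `wvous-*-corner` keys with value 6 meaning "Disable Screen Saver", the function name and the sample plists are assumptions that do not appear on the page.

```python
import plistlib

MAX_IDLE_SECONDS = 900   # 15 minutes, the idleTime value from the post above
DISABLE_SCREENSAVER = 6  # assumed com.apple.dock hot-corner action "Disable Screen Saver"
CORNER_KEYS = ("wvous-tl-corner", "wvous-tr-corner",
               "wvous-bl-corner", "wvous-br-corner")


def audit_screen_lock(screensaver_plist: bytes, dock_plist: bytes) -> list:
    """Return policy findings; an empty list means the lock policy holds."""
    ss = plistlib.loads(screensaver_plist)
    dock = plistlib.loads(dock_plist)
    findings = []

    if ss.get("askForPassword") != 1:
        findings.append("askForPassword is not 1")

    # A non-zero delay leaves a window in which no password is required.
    delay = ss.get("askForPasswordDelay")
    if delay is None or float(delay) > 0:
        findings.append("askForPasswordDelay is unset or greater than 0")

    # idleTime 0 means the screen saver never starts.
    idle = ss.get("idleTime")
    if not idle or idle > MAX_IDLE_SECONDS:
        findings.append("idleTime is unset, 0, or above %d" % MAX_IDLE_SECONDS)

    # A hot corner set to "Disable Screen Saver" defeats the idle timer.
    for key in CORNER_KEYS:
        if dock.get(key) == DISABLE_SCREENSAVER:
            findings.append("%s disables the screen saver" % key)
    return findings


# Constructed sample data, not captured from a real machine.
GOOD_SS = plistlib.dumps({"askForPassword": 1, "askForPasswordDelay": 0.0, "idleTime": 900})
BAD_SS = plistlib.dumps({"askForPassword": 1, "askForPasswordDelay": 5.0, "idleTime": 0})
GOOD_DOCK = plistlib.dumps({"wvous-tl-corner": 5})
BAD_DOCK = plistlib.dumps({"wvous-br-corner": 6})

if __name__ == "__main__":
    for name, ss, dock in (("good", GOOD_SS, GOOD_DOCK), ("bad", BAD_SS, BAD_DOCK)):
        print(name, audit_screen_lock(ss, dock) or "compliant")
```

The check reports a case like the one in the thread, where the check boxes look right but another value (a delay, a zero idle time, a hot corner) still keeps the lock from engaging.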

bentoms
Esteemed Contributor

jarednichols
Honored Contributor
> and I don't really want that as I'm sure I'm going to get pushback from the departments to remove it.

This is where you point at the policy you've just enforced and just stare at them.

bentoms
Esteemed Contributor

Ha ha just noticed the OP has linked to my blog!

Apologies it's now working on 10.7, tbh I don't have the requirement here..

Are you setting the "askForPassword" integer to 1?

nkalister
Valued Contributor

I've always used talking moose's method, works perfectly. Heh, I even use 15 minutes as well! :)

bentoms
Esteemed Contributor

Hi Nick, can users change the settings themselves through the pref pane?

We found they could hence the script, however this was a while ago & using WGM's MCX in OD.

nkalister
Valued Contributor

They can change the screensaver kick off time (since all my users are admins), but they can't disable the password prompt. The kick off time is reset at every login. Our compliance department has signed off on that, but ymmv.

jwojda
Valued Contributor II

@Ben - I set it to 1, I set the delayed time to 0.0, set the require PW to 1

It activates the check boxes and sets to immediate, but when I put it into the screensaver it doesn't prompt for PW.

bentoms
Esteemed Contributor

@Nick, thanks for clarifying.. we had a SOX policy that required it to be set hence the script.

@John, I've not tested on Lion as we've not had that requirement in my new place of work.

We do have the same askForPassword MCX as Bill using Casper, but these are set @ user level.