Posted on 08-28-2017 04:59 PM
Hello,
I need to figure out how to run a policy to check screen saver time settings so we can force a set time if it doesn't match. I'd assume that you could check against a value in the "~/Library/Preferences/com.apple.screensaver.plist" but not sure. Any ideas? I see a lot of older posts floating around about forcing a screen saver time in various ways. I need to check the time first before doing that.
Thanks!
Posted on 08-28-2017 08:10 PM
The following terminal command will give you the idle time against the current user
defaults -currentHost read com.apple.screensaver idleTime
Gives me the following output (in seconds)
300
Then you can change the idle time using the following
defaults -currentHost write com.apple.screensaver idleTime 600
Another option is to create a Configuration Profile that sets the screensaver and allocate it to a smart group (lab of computers, for example)
Hope that helps!
Posted on 08-29-2017 08:25 AM
Here is a simple Extension Attribute I am using to report compliance. It can easily be adjusted to report the specific result rather than a Pass/Fail.
user=$( ls -la /dev/console | cut -d " " -f 4 )
RESULT=$(sudo -u $user defaults -currentHost read com.apple.screensaver idleTime)
# Print out PASS/FAIL
if [ $RESULT -lt 900 ]
then
echo "<result>Pass (ScreenSaver time out is less than 15 mins)</result>
";
else
echo "<result>Fail (ScreenSaver time out is 15 mins or more)</result>
";
fi
Posted on 08-29-2017 09:11 AM
FYI that plist will not always be populated. It's not for us because we use a config profile to set this value. I took this extension attribute code from another post:
#!/usr/bin/python
# EA to check the inactivity interval for the screen saver.
# This will return the number of seconds, which you can scope a smart group from.
import CoreFoundation
domain = 'com.apple.screensaver'
key = 'idleTime'
key_value = CoreFoundation.CFPreferencesCopyAppValue(key, domain)
print "<result>%s</result>" % key_value
Posted on 08-29-2017 10:01 AM
Actually, they clarified and said we didn't need an actual check. Just to make sure our computers require a password immediately after the screen saver and to set a screen saver time across the board. Either so the user can't change it, or checked once a day to change back to 15 minutes and immediate password required. I'm thinking a configuration profile with the login window option of screensaver time set would do it, but I saw that people were having issues getting the actual time of inactivity to stick unless it was one of the apple defaults?
Tuesday
Here is another version
#!/bin/bash
loggedInUser="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')"
currentTimeout="$(sudo -u "$loggedInUser" defaults -currentHost read com.apple.screensaver idleTime)"
echo "Current Screensaver Timeout: $currentTimeout"
# if user has never changed screensaver settings or the sudo fails then we might not receive back a clean integer
if ! [[ $currentTimeout =~ ^[0-9]+$ ]]; then
echo "which is not a number so exiting"
exit 1
fi
# check if current timeout is within tolerances, if outside, ie less than 1 or greater than 1200 then reset to 10 mins
if [ "$currentTimeout" -le 0 ] || [ "$currentTimeout" -gt 1200 ]; then
echo "Current value outside of tolerances so resetting to 10 mins"
# sudo -u "$loggedInUser" defaults -currentHost write com.apple.screensaver idleTime -int 600
fi