Script or policy to check Screen Saver time.

Bko
New Contributor II

Hello,

I need to figure out how to run a policy to check screen saver time settings so we can force a set time if it doesn't match. I'd assume that you could check against a value in the "~/Library/Preferences/com.apple.screensaver.plist" but not sure. Any ideas? I see a lot of older posts floating around about forcing a screen saver time in various ways. I need to check the time first before doing that.

Thanks!

5 REPLIES

stevevalle
Contributor III

The following terminal command will give you the idle time against the current user

defaults -currentHost read com.apple.screensaver idleTime

Gives me the following output (in seconds)

300

Then you can change the idle time using the following

defaults -currentHost write com.apple.screensaver idleTime 600

Another option is to create a Configuration Profile that sets the screensaver and allocate it to a smart group (lab of computers, for example)

Hope that helps!

Mhomar
Contributor

Here is a simple Extension Attribute I am using to report compliance. It can easily be adjusted to report the specific result rather than a Pass/Fail.

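#!/bin/bash

# Owner of /dev/console is the user logged in at the GUI
user=$( stat -f%Su /dev/console )

# Read that user's ByHost idle time in seconds (empty if the key is not set)
RESULT=$( sudo -u "$user" defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null )

# Print out PASS/FAIL (an unset or non-numeric value falls through to Fail)
if [[ "$RESULT" =~ ^[0-9]+$ ]] && [ "$RESULT" -lt 900 ]
then
    echo "<result>Pass (ScreenSaver time out is less than 15 mins)</result>"
else
    echo "<result>Fail (ScreenSaver time out is 15 mins or more)</result>"
fi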

alexjdale
Valued Contributor III

FYI that plist will not always be populated. It's not for us because we use a config profile to set this value. I took this extension attribute code from another post:

#!/usr/bin/python

# EA to check the inactivity interval for the screen saver.
# This will return the number of seconds, which you can scope a smart group from.

import CoreFoundation
domain = 'com.apple.screensaver'
key = 'idleTime'

key_value = CoreFoundation.CFPreferencesCopyAppValue(key, domain)

# print() form runs under both Python 2 and Python 3
print("<result>%s</result>" % key_value)

Bko
New Contributor II

Actually, they clarified and said we didn't need an actual check. Just to make sure our computers require a password immediately after the screen saver and to set a screen saver time across the board. Either so the user can't change it, or checked once a day to change back to 15 minutes and immediate password required. I'm thinking a configuration profile with the login window option of screensaver time set would do it, but I saw that people were having issues getting the actual time of inactivity to stick unless it was one of the Apple defaults?

Ahadub
New Contributor III

Here is another version

#!/bin/bash

loggedInUser="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')"
currentTimeout="$(sudo -u "$loggedInUser" defaults -currentHost read com.apple.screensaver idleTime)"

echo "Current Screensaver Timeout: $currentTimeout"

# if user has never changed screensaver settings or the sudo fails then we might not receive back a clean integer
if ! [[ $currentTimeout =~ ^[0-9]+$ ]]; then
   echo "which is not a number so exiting"
   exit 1
fi

# check if current timeout is within tolerances, if outside, ie less than 1 or greater than 1200 then reset to 10 mins 
if [ "$currentTimeout" -le 0 ] || [ "$currentTimeout" -gt 1200 ]; then
   echo "Current value outside of tolerances so resetting to 10 mins"
#   sudo -u "$loggedInUser" defaults -currentHost write com.apple.screensaver idleTime -int 600
fi
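
An added example, not code from any poster in this thread: an extension attribute that accounts for the point that the user plist is not always populated, by checking profile-managed values before the user's ByHost setting, and that reports unset, non-numeric and 0 (never) values separately from over-limit ones. The `/Library/Managed Preferences` paths, the function names and treating exactly 900 seconds as compliant are assumptions of this example.

```bash
#!/bin/bash
# Added example: Jamf extension attribute for screen saver idle-time compliance.
MAX_IDLE=900   # assumption: 15 minutes or less is compliant

# Classify a raw idleTime value (as printed by `defaults read`).
classify_idle_time() {
    case "$1" in
        '')       echo "Not set" ;;                  # key absent everywhere
        *[!0-9]*) echo "Invalid ($1)" ;;             # not a clean integer
        *)  if [ "$1" -eq 0 ]; then
                echo "Fail (screen saver never starts)"   # 0 means "Never"
            elif [ "$1" -gt "$MAX_IDLE" ]; then
                echo "Fail ($1 s exceeds $MAX_IDLE s)"
            else
                echo "Pass ($1 s)"
            fi ;;
    esac
}

# Resolve the effective idleTime for a user. Assumption: a value forced by a
# configuration profile appears under /Library/Managed Preferences and takes
# precedence over the user's own ByHost setting.
read_idle_time() {
    for plist in "/Library/Managed Preferences/$1/com.apple.screensaver" \
                 "/Library/Managed Preferences/com.apple.screensaver"; do
        if value=$(defaults read "$plist" idleTime 2>/dev/null); then
            echo "$value"
            return 0
        fi
    done
    sudo -u "$1" defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null
}

if command -v defaults >/dev/null 2>&1; then
    # On a Mac: report the console user's effective setting to Jamf.
    user=$(stat -f%Su /dev/console)
    echo "<result>$(classify_idle_time "$(read_idle_time "$user")")</result>"
else
    # No `defaults` binary: dry run over constructed sample values.
    for sample in 300 900 1800 0 "" abc; do
        echo "[$sample] -> $(classify_idle_time "$sample")"
    done
fi
```

A smart group can then be scoped on results that do not begin with "Pass", which also catches machines where no value is set at all.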