Skip to main content

Now...maybe this might be me being an idiot or stress getting to me.

Previously I built my images by creating a default user account and then copying all these over into the default user profile. I made a bunch of setting changes here including the time with which the computer requests the password after sleep or screensaver. I have it set to immediately.

With Yosemite I decided to change things up and start using the other tools available and instead of creating that local profile to use as a template, I'm using the fresh never booted OS created using AutoDMG.

For the life of me, I cannot figure out how to change that time setting post imaging before the restrictions from Profiles take effect nor if this is a feature that can be set through Casper.

Any help at all would be appreciated.

It would probably help to mention that by default, Yosemite sets it to 5 minutes.


Interesting, the config profile only lets you configure if to require a password after sleep or screen saver but not the time period that is available in the GUI. You should be able to configure this with MCX, com.apple.screensaver.plist. I believe this is the key you are looking for, time in seconds. Given apple's moving away from MCX it would be nice to be able to configure this in a config profile. Perhaps something to make a Feature Request on.

<dict>
    <key>askForPassword</key>
    <integer>1</integer>
    <key>askForPasswordDelay</key>
    <real>0.0</real>
</dict>
</plist>

Hmm, that setting is stored in the com.apple.screensaver domain and uses a "askForPassword" key that takes integers, like 1 or 0 etc.
I'm poking around on our dev v9 JSS now to see where to set that up now in a Config Profile and I haven't run into it just yet, but it must be there somewhere.
If not, you could always just use the Custom Settings payload in a profile and upload a converted plist file to fill in the settings. But I have to believe there's some place to set that up natively. I'm just not seeing it at the moment. End of the day for me though, so I'm probably just tired.


We've got some of these settings built into a first boot script that runs after the OS is laid down in the imaging process.

Something like…

defaults write /System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID "askForPassword" -int 1

defaults write /System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID "idleTime" -int 0.0

…would require passwords immediately.

You can check out @rtrouton's first boot script here https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/first_boot as a good starting point for some of these settings.


I'm having a weird problem where the com.apple.screensaver.plist file is set to 300 seconds, but when I got to System Preferences it says the password is set to be required immediately after sleep / screensaver. Any ideas of how to get around this so I can set the default password requirement to 5 minutes?


@emilykausalik, given your first boot script that runs when the OS is laid down, how would you go about changing this for all new and existing users on a particular machine?

We had an event where 30 trustees were using student laptops and we were unable to disable the password prompt so they could use them without having to enter the password for the generic user account we use events.


So we enforce it after imaging through Managed Preferences. You could create a computer group for those machines and exclude them from the setting. That would allow them to change it and not have it snap back due to the Managed Preference config.


@aporlebeke

I use the following script( not mine found it on the interwebs) as login item with outset for each user to disable ask for password and set screensaver time. perhaps you could modify it to meet your needs

#!/bin/sh
defaults write com.apple.screensaver askForPassword -int 0
defaults -currentHost write com.apple.screensaver idleTime 7200
defaults write com.apple.screensaver askForPassword -bool false

@emilykausalik that's interesting. Our Jumpstart trainer basically told us to avoid Managed Preferences because they were mostly "deprecated," so I know basically nothing about how they work or applied differently or the same as Configuration Profiles.


@aporlebeke your jumpstart trainer is basically right; the preference is for Configuration Profiles, though Managed Preference still work with varying degrees of success. Do whatever is best for your environment.


@emilykausalik got it. Thanks!