Jamf Nation Community

abenedict · ‎11-04-2011

Back in 10.6 I had to edit the /private/etc/pam.d/screensaver file so that
admins could unlock the screen saver if a user wasn't there (even if the
user was an admin). The problem with lion is that there doesn't seem to be
a way to do this with the new login box when waking from screensaver. Has
anyone figured out a way around this?

Thanks,
Alan

--
Alan Benedict
?
Macintosh Technician
The Integer Group
http://www.integer.com

Report Inappropriate Content · ‎11-12-2012

I just ran into this on 10.8 - found http://hints.macworld.com/article.php?story=20120116131248157 and tested on 10.8.2 and can confirm that editing those two files, then restarting, allows the old-style screensaver unlock.

That said, as always, if you notice a change in OS that impacts your helpdesk's ability to diagnose and resolve things quickly - in this case, requiring the logged-in user's password - I recommend posting a comment on Apple's feedback page at [www.apple.com/feedback/macosx.html](www.apple.com/feedback/macosx.html).

bbass · ‎11-12-2012

I know this has been posted before but I couldn't find it using search. In any case, this should work for you:

------

#!/bin/bash

/usr/libexec/PlistBuddy -c 'Set rights:system.login.screensaver:comment "The owner or any administrator can unlock the screensaver."' /etc/authorization

if grep -q "ruser" /etc/pam.d/screensaver
then sed -i.bak '/ruser/ d' /etc/pam.d/screensaver
fi

exit 0

------

nessts · ‎11-13-2012

the MacWorld article seems to be correct, at least on 10.8, @bbass solution did not produce results of any use for me.

bbass · ‎11-13-2012

That's curious since the script does the same thing as the Macworld Hint.

Interestingly, I checked my /etc/authorization and it does not include the "(Use SecurityAgent.)" portion of the string (consistent with the script I posted above) and yet I am still able to unlock the screensaver with any admin user. This leads me to believe that it's the adjustment of the /etc/pam.d/screensaver file that is what does the real work here.

Sorry it didn't work for you but it configured all of the machines in our environment.

bbass · ‎11-13-2012

Suspicion confirmed. Here is the relevant Apple Doc:

http://support.apple.com/kb/HT5145

All you need to do at this point is adjust the /etc/pam.d/screensaver file. It will still work if you also adjust /etc/authorization but it will give you an ugly window versus one that's more consistent with the 10.7 and 10.8 UI.

nessts · ‎11-13-2012

you edited a different line in the pam.d/screensaver line, i got no useful results, i will try it again after reading your kb article. thx.

bbass · ‎11-13-2012

I took the applicable code from above and just tested this and it removes the correct line.

------

#!/bin/bash

if grep -q "ruser" /etc/pam.d/screensaver
then sed -i.bak '/ruser/ d' /etc/pam.d/screensaver
fi

exit 0

------

In the end this is all you should need (along with a logout or reboot). Hope you get it worked out.

nessts · ‎11-13-2012

removing the code was not the issue, the issue it was the need to press option return to get the alternate authentication box. At some point i will just start pressing option with everything i do just to see what kind of magic happens.
and yes i can confirm that @bbass solution uses the new bland GUI interface, and the other solution uses the old school dialog, and if you are needing keyboard input selection it works with both as well.

tomt · ‎03-28-2013

I want to enable this but on my test systems the Option-Return does not bring up the alternate login dialog box.

I'm on 10.8.3 but seeing the same result on a 10.7.5 machine. The 10.8.3 account is a Mobile AD account with admin rights. The 10.7.5 is just a local admin account.

technicholas · ‎04-01-2013

Option key and enter should works on 10.7.5 allows us to enter the username and password to login to the machine.

Jamf Nation Community

Unlock Lion Screensaver as admin