Jamf Nation Community

noah_swanson · ‎12-22-2009

By default Mac OS X allows the logged in user and any administrator to "unlock" the screensaver. For our environment this is a security issue. After doing some research, I found a script to set the screensaver password to only allow the logged user to "unlock":
sudo authutil write system.login.screensaver rule authenticate-session-owner
(authenticate-session-owner-or-admin is default)

What we need accomplished is: Only the logged-in user can unlock the screen for machine use. If an administrator unlocks the screen, the user must to be logged out. I noticed that /private/var/log/secure.log is changed when anyone attempts to unlock the computer. Could a logout script be linked to the log if a "succeeded authentication" occurs?

Is this even possible?

Thanks all!
Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com

Kedgar · ‎12-22-2009

I'm not familiar with authutil... but you can probably edit /etc/authorization. Is there a better way to set settings in /etc/authorization without pushing the whole file?

noah_swanson · ‎12-23-2009

Sorry, I was testing a few things and ended up pasting the wrong script.

I was manually editing /etc/authorization. Open in Plist Editor> rights> system.login.screensaver> rule> "authenticate-session-owner-or-admin". I backed up the original file, and changed the value of "rule" to "authenticate-session-owner-or-admin".

Kedgar · ‎12-23-2009

I agree with you that it would be nice if you could log the user off if logging in as an admin... similar to windows. I guess you could do it through SSH, but that's not as nice and automatic.

I guess it also does make sense that you wouldn't want to force apps to close if the user's work is up and not saved. There really is no quick way to know by sitting down at a machine.

Cheers,
Ken

Jamf Nation Community

Unlock Screensave with Admin to Logout