Working around user-level MCX on Yosemite - Screensaver Settings

dgreening
Valued Contributor II

As user-level MCX is flaky or does not not work at all (usually the latter), I had to work around having MCX fail to apply the "Require password" setting in Sys Pref - Security - General.

We have not yet pulled the trigger on MDM (soooon) so I had to get this setting re-applied in the meantime. I wrote this script to address this issue; its an AppleScript wrapped in a Bash script which has the ability to check to see if the screensaver is active or not so that the script will not fail with an error -10810 (requires GUI).

Check it out and let me know what you think! Its working well for me set to check-in and ongoing and available offline (i want this to be as persistent as possible).

#!/bin/bash

# Check to see if the screensaver is active
ps ax|grep [S]creenSaverEngine > /dev/null
# If not active, apply screensaver setting
if [ "$?" != "0" ] ; then
osascript -e 'tell application "System Events" to set require password to wake of security preferences to true' echo "screensaver was not active. script ran."
# If active bail out
else echo "screensaver is active. bailing."
fi

13 REPLIES 13

mostlikelee
Contributor

Using these MCX settings? I haven't had any problems with this:

User Level Enforced
com.apple.screensaver askForPassword 1

User Level Enforced
com.apple.screensaver askForPasswordDelay 0.0

dgreening
Valued Contributor II

I'm not able to get the askForPassword key to apply via user-level MCX for an AD based mobile account nor a normal local account. I have completely refreshed the MCX via script, and still no dice on 10.10.1.

gachowski
Valued Contributor II

Daniel,

I had to move to Config Profiles for X.10 ... there is another thread were a few other people are seeing the same thing in X.10 with AD accounts

dgreening
Valued Contributor II

Yes, we are planning on moving to MDM shortly. The approval is in process with our Global Security Office.

mm2270
Legendary Contributor III

Same here. Apple more or less forced the issue of "MCX is dead" with the release of 10.10. We're finally moving to Config Profiles. We managed to avoid it for a while, but no longer.

jhbush
Valued Contributor II

Uploading this plist into the JSS under Profiles using com.apple.screensaver has been working well for me.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>askForPassword</key>
    <integer>1</integer>
    <key>askForPasswordDelay</key>
    <integer>0</integer>
    <key>idleTime</key>
    <integer>600</integer>
</dict>
</plist>

thoule
Valued Contributor II

Just as another option, I have a script I wrote to manage ScreenSaver policies locally. It's run by a launchd. I wanted some bash functionality, such as if the idletime is less then 'myminimum', then fix it. It gives the user the option to be more secure than I require. Sometimes it takes some time before the prefs are read into SystemPreferences so be patient if running the script and watching. Especially the 'askForPassword' checkbox.
https://github.com/tmhoule/ScreenSaverManagement

RobertHammen
Valued Contributor II

Sounds like I did the same thing as @thoule for a client. LaunchAgent/script combo that sets the defaults for askForPassword, askForPasswordDelay, and idleTime. The users (who are not admins by default) can change these settings, but they are reset to the defaults at the next login.

dgreening
Valued Contributor II

Good stuff guys! Now if I could only solve my localization at imaging problems! Or better yet be able to apply localization via config profile. Now THAT would be awesome!

mostlikelee
Contributor

sorry @dgreening my user base isn't on 10.10.X yet. Interesting that Apple is deprecating MCX, while configuration profiles (in many cases) still dump plist files into /Library/Managed Preferences.

bentoms
Release Candidate Programs Tester

We've been successfully using Computer & User level MCX via the JSS from 10.6.x to 10.9.x.

We've found that with 10.10, User level MCX are no longer being applied. Knowing the writing was on the wall for MCX we moved everything to profiles & it's all working.

For the screen saver time out, we're using a user level profile with the same payload as @jhbush1973.

But, this brings us to the issue with profiles vs MCX.

MCX gave you the options of Once, Often (every login or MCX refresh) & Always. (Forced).

Payloads set via profiles are Always only. So in the case of the screen saver timeout, the user cannot change the setting (which we allow & we reset at every login). So to regain this behaviour I'm looking to move back to my script for it.

Now, the caveat to the above is that profiles are essentially MCX that are delivered via another method. Hence the occurrence options available in Tim Suttons MCXToProfile (https://github.com/timsutton/mcxToProfile). That may help, but I'm wary of relying on profiles which do not apply Always as Apple may pull that option too.

Treger
Contributor

HI guys,

I am looking into this too now, has anyone noticed that in Yosemite that the plist has changed from and integer to real?

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>askForPassword</key> <integer>1</integer> <key>askForPasswordDelay</key> <real>0.0</real> </dict> </plist>

I am struggling to get the time to update on it, it locks the prefs and sets the lockout but it is staying at 20mins for the screensaver to kick in and I need it to go down to 15mins due to SOX requirements...

Treger
Contributor

Ignore that, I have actually found that it is the by Host screensaver.plist that controls this, I have now grabbed it and manipulated it to what I wanted and used Tim Sutton mcxToProfile to turn it into a Configuration Profile and voila, Yosemite is now sorted on a 15 min timer, it still shows as 20 mins in the prefs but I have timed it and it locks out in 15 mins.