Working around user-level MCX on Yosemite - Screensaver Settings

Using these MCX settings? I haven't had any problems with this:

User Level Enforced
com.apple.screensaver askForPassword 1

User Level Enforced
com.apple.screensaver askForPasswordDelay 0.0

I'm not able to get the askForPassword key to apply via user-level MCX for an AD based mobile account nor a normal local account. I have completely refreshed the MCX via script, and still no dice on 10.10.1.

Daniel,

I had to move to Config Profiles for X.10 ... there is another thread were a few other people are seeing the same thing in X.10 with AD accounts

Yes, we are planning on moving to MDM shortly. The approval is in process with our Global Security Office.

Same here. Apple more or less forced the issue of "MCX is dead" with the release of 10.10. We're finally moving to Config Profiles. We managed to avoid it for a while, but no longer.

Uploading this plist into the JSS under Profiles using com.apple.screensaver has been working well for me.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>askForPassword</key>
    <integer>1</integer>
    <key>askForPasswordDelay</key>
    <integer>0</integer>
    <key>idleTime</key>
    <integer>600</integer>
</dict>
</plist>

Just as another option, I have a script I wrote to manage ScreenSaver policies locally. It's run by a launchd. I wanted some bash functionality, such as if the idletime is less then 'myminimum', then fix it. It gives the user the option to be more secure than I require. Sometimes it takes some time before the prefs are read into SystemPreferences so be patient if running the script and watching. Especially the 'askForPassword' checkbox.
https://github.com/tmhoule/ScreenSaverManagement

Sounds like I did the same thing as @thoule for a client. LaunchAgent/script combo that sets the defaults for askForPassword, askForPasswordDelay, and idleTime. The users (who are not admins by default) can change these settings, but they are reset to the defaults at the next login.

Good stuff guys! Now if I could only solve my localization at imaging problems! Or better yet be able to apply localization via config profile. Now THAT would be awesome!

sorry @dgreening my user base isn't on 10.10.X yet. Interesting that Apple is deprecating MCX, while configuration profiles (in many cases) still dump plist files into /Library/Managed Preferences.

We've been successfully using Computer & User level MCX via the JSS from 10.6.x to 10.9.x.

We've found that with 10.10, User level MCX are no longer being applied. Knowing the writing was on the wall for MCX we moved everything to profiles & it's all working.

For the screen saver time out, we're using a user level profile with the same payload as @jhbush1973.

But, this brings us to the issue with profiles vs MCX.

MCX gave you the options of Once, Often (every login or MCX refresh) & Always. (Forced).

Payloads set via profiles are Always only. So in the case of the screen saver timeout, the user cannot change the setting (which we allow & we reset at every login). So to regain this behaviour I'm looking to move back to my script for it.

Now, the caveat to the above is that profiles are essentially MCX that are delivered via another method. Hence the occurrence options available in Tim Suttons MCXToProfile (https://github.com/timsutton/mcxToProfile). That may help, but I'm wary of relying on profiles which do not apply Always as Apple may pull that option too.

HI guys,

I am looking into this too now, has anyone noticed that in Yosemite that the plist has changed from and integer to real?

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>askForPassword</key> <integer>1</integer> <key>askForPasswordDelay</key> <real>0.0</real> </dict> </plist>

I am struggling to get the time to update on it, it locks the prefs and sets the lockout but it is staying at 20mins for the screensaver to kick in and I need it to go down to 15mins due to SOX requirements...

Ignore that, I have actually found that it is the by Host screensaver.plist that controls this, I have now grabbed it and manipulated it to what I wanted and used Tim Sutton mcxToProfile to turn it into a Configuration Profile and voila, Yosemite is now sorted on a 15 min timer, it still shows as 20 mins in the prefs but I have timed it and it locks out in 15 mins.