Disable Administrator screen unlock for standard logged in user

mostlikelee
Contributor

Did a bit of research on this and it wasn't completely straightforward so I want to get this out there. Currently tested on 10.10.5 only.

The short of it is as follows:

Export screensaver security settings:

security authorizationdb read system.login.screensaver > /tmp/screensaver

Your screensaver file should look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
    <key>created</key>
    <real>442958177.72442001</real>
    <key>modified</key>
    <real>442958177.72442001</real>
    <key>rule</key>
    <array>
        <string>use-login-window-ui</string>
    </array>
    <key>version</key>
    <integer>1</integer>
</dict>
</plist>

Replace

<string>use-login-window-ui</string>

with

<string>authenticate-session-owner</string>

So your XML file now looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
    <key>created</key>
    <real>442958177.72442001</real>
    <key>modified</key>
    <real>442958177.72442001</real>
    <key>rule</key>
    <array>
        <string>authenticate-session-owner</string>
    </array>
    <key>version</key>
    <integer>1</integer>
</dict>
</plist>

Import the settings in using:

sudo security authorizationdb write system.login.screensaver < /tmp/screensaver

Reboot

Resources:
man security

https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/

https://jamfnation.jamfsoftware.com/viewProductFile.html?fid=374

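The edit step from the post above can be done with a plist parser instead of by hand, which also gives a check that the rule array ended up as intended. This is an added example, not part of the original post; it assumes Python 3's `plistlib`, the function names are hypothetical, and `SAMPLE_EXPORT` is a constructed, trimmed copy of the export shown in the post.

```python
import plistlib
import sys

OWNER_ONLY = "authenticate-session-owner"  # replacement rule named in the post

# Constructed sample: the export shown in the post, trimmed of comment and timestamps.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>rule</key>
    <array>
        <string>use-login-window-ui</string>
    </array>
    <key>version</key>
    <integer>1</integer>
</dict>
</plist>
"""


def is_owner_only(plist_bytes):
    """True only when the right is a rule whose single entry is OWNER_ONLY."""
    right = plistlib.loads(plist_bytes)
    return right.get("class") == "rule" and right.get("rule") == [OWNER_ONLY]


def restrict_to_owner(plist_bytes):
    """Return the plist with its rule array replaced; other keys are kept."""
    right = plistlib.loads(plist_bytes)
    if right.get("class") != "rule" or not isinstance(right.get("rule"), list):
        raise ValueError("not a rule-class right with a rule array; not rewriting")
    right["rule"] = [OWNER_ONLY]
    return plistlib.dumps(right, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # With a path argument, rewrite that export; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_EXPORT
    fixed = restrict_to_owner(data)
    assert is_owner_only(fixed)
    sys.stdout.buffer.write(fixed)
```

Redirect the output to a file and import it with the `security authorizationdb write` command from the post; running `is_owner_only` on a fresh export afterwards confirms the setting.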