Screensaver and Password Policy

aoom

Hi Everyone,

We have been using a script to enforce a screensaver and password policy for a while, but in recent routine testing of our base security policies we found that the policy only worked superficially.

Example: I will change my screensaver time to "never" or "one hour" or whatever, and the password requirement after the screensaver comes on to anything. When the policy runs, it will change these back to the intended values (10 min screensaver, 5 sec password) in both the plist and in the System Preferences GUI, but the machine will sit there indefinitely without the screensaver coming back on. The display will sometimes go to sleep, but it will not request a password.

Our JSS is 9.96. I tested this on a MacBook Pro running 10.11.6 and an Air running 10.10.5 and got the same result. I have also come in on a weekend without anyone here and seen workstations with the desktop up. Clearly not working.

For extra interesting context, my personal MacBook Pro at home is having a similar issue, sans policy. I turned off my screensaver to keep my desktop accessible for whatever reason, and, since changing it back, my screensaver never turns on no matter what I do. Even after updating to Sierra. Possibly related? Is this an OS X/macOS bug?

Lastly, we do not want to be using a configuration profile as our users need to occasionally have flexibility with this, and we'd like to allow them to dictate these terms if necessary, though with the policy there for safety.

Here is what we currently have:

#!/bin/bash
# bash rather than sh: the script relies on [[ ]] and == below

# Quits System Preferences if open, so it cannot overwrite the values written below
osascript -e 'quit app "System Preferences"'

# Redirects STDERR to STDOUT so errors end up in the policy log
exec 2>&1

# Variables to be used; passed to the script by the policy in the JSS as $4, $5 and $6
idleTime=""
askForPassword=""
askForPasswordDelay=""

# If values are set in the JSS - set our established variables to those values.
if [ "$4" != "" ] && [ "$idleTime" == "" ]; then
    idleTime=$4
fi
if [ "$5" != "" ] && [ "$askForPassword" == "" ]; then
    askForPassword=$5
fi
if [ "$6" != "" ] && [ "$askForPasswordDelay" == "" ]; then
    askForPasswordDelay=$6
fi

# Refuse to run with empty parameters: the comparisons and defaults writes below would fail
if [ -z "$idleTime" ] || [ -z "$askForPassword" ] || [ -z "$askForPasswordDelay" ]; then
    echo "Missing policy parameters (\$4 idleTime, \$5 askForPassword, \$6 askForPasswordDelay). Exiting now."
    exit 1
fi

# set console user
console_user="$(/usr/bin/stat -f%Su /dev/console)"

# If there is no user logged in (and thus the current user is root) don't run (since these are user settings)
if [[ "$console_user" == "root" ]]; then
    echo "No users logged in. Exiting now."
    exit 1
fi

# If the idleTime setting exists read it in, otherwise set it to zero
# idleTime lives in the ByHost domain, hence -currentHost
if ! curIdleTime=$(su "$console_user" -c "/usr/bin/defaults -currentHost read com.apple.screensaver idleTime"); then
    curIdleTime=0
fi

# If the askForPasswordDelay setting exists read it in, otherwise set it to 1000
# On older versions of OS X this setting does not exist if the user hasn't modified it
# Setting it to 1000 makes the comparison fail and thus it'll be written out the first time it runs
if ! curDelay=$(su "$console_user" -c "/usr/bin/defaults read com.apple.screensaver askForPasswordDelay"); then
    curDelay=1000
fi

# If the current idleTime is zero ("Never") or greater than the variable definition, set it to that
# Added -int because it's the default and otherwise it gets set as a string
if [[ "$curIdleTime" -eq 0 ]] || [[ "$curIdleTime" -gt "$idleTime" ]]; then
    su "$console_user" -c "/usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int $idleTime"
fi

# Require a password to unlock the screen saver
# Without this casting it was being set as a string and was causing problems
su "$console_user" -c "/usr/bin/defaults write com.apple.screensaver askForPassword -int $askForPassword"

# If the current password delay is higher than the variable definition (zero is OK) set it to that
# The delay is stored as a float, so compare with awk instead of the integer-only -gt
# Added -float because it's the default and otherwise it gets set as a string
if awk -v cur="$curDelay" -v want="$askForPasswordDelay" 'BEGIN { exit !(cur + 0 > want + 0) }'; then
    su "$console_user" -c "/usr/bin/defaults write com.apple.screensaver askForPasswordDelay -float $askForPasswordDelay"
fi

# Removes cached preferences so the new values are picked up
killall cfprefsd

exit $?

Any ideas?

Thanks!
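As an added example that is not part of the original post or of any JSS policy: an audit script that reads the console user's live screensaver settings (the same com.apple.screensaver keys the policy writes) and reports whether they meet the policy, so routine testing can tell a written plist apart from an enforced one. It assumes macOS `defaults` and `stat -f%Su`; the function names, messages and the idle/delay limits are my own.

```shell
#!/bin/bash
# Added audit helper (not the poster's policy script): evaluates the console user's
# effective screensaver settings instead of rewriting them.
# Assumes macOS `defaults` and the com.apple.screensaver keys used by the policy above.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# evaluate_screensaver_policy <idleTime> <askForPassword> <askForPasswordDelay> <max_idle> <max_delay>
# Pass "" for a key that `defaults read` could not find. Returns 0 when compliant, 1 otherwise.
evaluate_screensaver_policy() {
    cur_idle="$1"; cur_ask="$2"; cur_delay="$3"; max_idle="$4"; max_delay="$5"; rc=0
    # idleTime 0 means "Never": the saver never starts, so the lock never engages
    if ! is_uint "$cur_idle" || [ "$cur_idle" -eq 0 ] || [ "$cur_idle" -gt "$max_idle" ]; then
        echo "FAIL idleTime='${cur_idle}' (policy: 1..${max_idle} seconds, 0 = Never)"; rc=1
    fi
    # askForPassword must be exactly 1; an absent key means the user never turned it on
    if [ "$cur_ask" != "1" ]; then
        echo "FAIL askForPassword='${cur_ask}' (policy: 1)"; rc=1
    fi
    # askForPasswordDelay is stored as a float, so integer -gt would choke on e.g. 0.5
    if ! awk -v d="$cur_delay" -v m="$max_delay" \
         'BEGIN { exit !(d ~ /^[0-9]+(\.[0-9]+)?$/ && d + 0 <= m + 0) }'; then
        echo "FAIL askForPasswordDelay='${cur_delay}' (policy: <= ${max_delay} seconds)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS screensaver policy"
    return "$rc"
}

# Reads the console user's live values (empty string when a key is absent) and evaluates them.
# audit_console_user <max_idle> <max_delay>
audit_console_user() {
    user="$(/usr/bin/stat -f%Su /dev/console)"
    if [ "$user" = "root" ]; then echo "No console user; nothing to audit"; return 2; fi
    idle="$(su "$user" -c '/usr/bin/defaults -currentHost read com.apple.screensaver idleTime' 2>/dev/null)"
    ask="$(su "$user" -c '/usr/bin/defaults read com.apple.screensaver askForPassword' 2>/dev/null)"
    delay="$(su "$user" -c '/usr/bin/defaults read com.apple.screensaver askForPasswordDelay' 2>/dev/null)"
    evaluate_screensaver_policy "$idle" "$ask" "$delay" "$1" "$2"
}

# Live audit only on macOS; $1/$2 would come from the JSS the same way $4..$6 do in the policy.
if [ "$(uname)" = "Darwin" ] && [ -n "$1" ]; then
    audit_console_user "$1" "${2:-5}"
fi
```

Run it as root from a policy (or `sudo ./audit.sh 600 5`) on a machine that looks "fixed" in System Preferences; a FAIL line means the plist value is not what the policy intended.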
