cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

580
Views
2
Helpful
2
Replies
Allen P Chen
Contributor

Screensaver check for Mac OS

Greetings.

I know password-protected screensaver check for Mac OS is currently not supported as a posture condition, but we are able to do it on Windows using registry keys.  Is there already an enhancement request filed for password-protected screensaver check for Macs (User Story)?

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Craig Hyps
Advocate

Not sure what you mean by "not supported".  Just because there is not predefined check, does not mean a custom check is not supported.

Yes, it is possible to use Registry checks to verify that screen saver with password protection is enabled in Windows.  Not sure if still available, but I provided example in original ISE 1.0 Lab Guide with RA VPN along with remediation using a custom registry file.  I think you should be able to accomplish similar with Mac OS. 

I have not tested, but try creating a File Condition checks like the following:

  • Name: ScreenSaver-RequirePassword-Check
  • Operating System: Mac OSX
  • Compliance Module: Any Version
  • File Type: PropertyList
  • File Path: home                            /Library/Preferences/com.apple.screensaver.plist
  • Data Type: Number
  • Property Name: askForPassword
  • Operator: Equals
  • Value: 1

Depending on version, you may need to set the above Data Type to "String" and value to "true". 

I would also expect other parameters like ScreenSaver delay can be set with the askForPasswordDelay property.

Not sure if path would be relative to home in above, or if absolute.  I am assuming it appends to home and not require ~.  If issue finding file, then can try omitting the leading /.

Regarding remediation scripts, there are a number of examples on the web:

https://discussions.apple.com/thread/2649977?tstart=0

https://www.jamf.com/jamf-nation/discussions/9982/require-password-after-sleep-or-screen-saver-begins

Security & Privacy: Require Password... - Jamf Nation

/Craig

View solution in original post

2 REPLIES 2
Craig Hyps
Advocate

Not sure what you mean by "not supported".  Just because there is not predefined check, does not mean a custom check is not supported.

Yes, it is possible to use Registry checks to verify that screen saver with password protection is enabled in Windows.  Not sure if still available, but I provided example in original ISE 1.0 Lab Guide with RA VPN along with remediation using a custom registry file.  I think you should be able to accomplish similar with Mac OS. 

I have not tested, but try creating a File Condition checks like the following:

  • Name: ScreenSaver-RequirePassword-Check
  • Operating System: Mac OSX
  • Compliance Module: Any Version
  • File Type: PropertyList
  • File Path: home                            /Library/Preferences/com.apple.screensaver.plist
  • Data Type: Number
  • Property Name: askForPassword
  • Operator: Equals
  • Value: 1

Depending on version, you may need to set the above Data Type to "String" and value to "true". 

I would also expect other parameters like ScreenSaver delay can be set with the askForPasswordDelay property.

Not sure if path would be relative to home in above, or if absolute.  I am assuming it appends to home and not require ~.  If issue finding file, then can try omitting the leading /.

Regarding remediation scripts, there are a number of examples on the web:

https://discussions.apple.com/thread/2649977?tstart=0

https://www.jamf.com/jamf-nation/discussions/9982/require-password-after-sleep-or-screen-saver-begins

Security & Privacy: Require Password... - Jamf Nation

/Craig

View solution in original post

Allen P Chen
Contributor

Hi Craig,

Thanks for the reply.  I saw it mentioned on old TAC cases that password-protected screensaver wasn't supported on Macs, so I assumed this to be the case.  I took the details above and tested it in my lab.  By keying off of the "askForPassword" string in the com.apple.screensaver.plist, I was able to get it to work.

Thanks again, you da man!

Content for Community-Ad