OS X screen locking solution needed urgently!
October 1, 2008 1:39 PM

How can I lock the screen saver timeout duration for user accounts on Mac OS X 10.5 in the most efficient way possible?

Our small company is working on implementing a standardized image installation of OS X for the roughly 15 or so Macs we have in the building. We have most of it set up how we want, but we are running into one big issue with locking the screen after a set period of time predetermined by IT.

I have been working with one of my co-workers who is a programming and command-line whiz, but the best we have been able to come up with is a script and daemon that kicks the user back to the login window (but keeps them logged in) after ten minutes of inactivity (using fast user switching). This is not a bad solution except for the fact that there appears to be a bug in QuickTime that doesn't play well with fast user switching. Almost all of our Mac users use Final Cut or some other pro app that utilizes QuickTime heavily, and when they are kicked back to the login window and then unlock and come back, the apps will freeze up and cause lots of issues, killing productivity.

So what we would like to do is simply lock the screen saver timeout duration to ten minutes in such a way that the user cannot change it, or that if they do it basically has no effect. All the ways we've tried to do this don't seem to work. We have attempted scripts and all sorts of command-line magic, as well as using the Workgroup Manager... no go. I imagine this would probably be an easy thing to do under Leopard Server, but we don't have one and don't plan on getting one.

So is there a solution to this? Bonus points if I can get a solution that we can implement by Friday.
posted by joshrholloway to Computers & Internet (23 answers total) 1 user marked this as a favorite
the DeskLock feature of DeskShade sounds like it might do the trick... I've never used it but there is a free trial on their site.
posted by hummercash at 2:05 PM on October 1, 2008

I found a little more info about the DeskLock feature:

"It’s called DeskLock. What this does is it allows you to lock your computer just like Windows. Another very useful feature I have come to love about DeskLock is you can set it so the ‘Hacker Log’ opens up after you unlock your computer. I use this to figure out if someone is coming close to guessing my password. I use DeskLock daily; it prevents unwanted viewers from seeing what I am working on."

Screen shot of the DeskLock prefs HERE.
posted by hummercash at 2:10 PM on October 1, 2008

Response by poster: Yeah, it looks okay, but it fundamentally fails at what we want to do. It has to be set up individually for each user, it has to be running in the background, and the password to unlock the screen is not at all tied to your account password.

Thanks though!
posted by joshrholloway at 2:13 PM on October 1, 2008

if the users don't have admin privileges, i think (in leopard) you should be able to just go into sysprefs/security/general and check off the 'Require password to unlock each system prefs pane'...
posted by hummercash at 2:20 PM on October 1, 2008

Response by poster: We don't really want to do that either. We want them to be able to control certain aspects of their user experience, just not this one.
posted by joshrholloway at 2:22 PM on October 1, 2008

check page 95 of this PDF... this might help:

# Securing Desktop & Screen Saver Preferences
# -----------------------------
# Set idle time for screen saver. XX is the idle time in seconds.
defaults -currentHost write com.apple.screensaver idleTime -int XX
posted by hummercash at 2:27 PM on October 1, 2008

Response by poster: We did know about that command, but I wasn't sure if there was a better way.

If we just set up a cron job to run that every nine minutes or whatever, should that do it? (Forgive me if this is an idiotic question. I'm the OS X magic newbie, my co-worker is the genius.)
posted by joshrholloway at 2:30 PM on October 1, 2008

perhaps simply change the permissions on the ~/Library/Preferences/ByHost/com.apple.screensaver.XXXX.plist file once you have the idle time set?

downside is the XXXX is different for each user but there are other files in that folder you can get that number from so once you have one set up the way you want you just have to copy that plist file and change the XXXX.

just a thought, i don't have a machine i can try that on right now.
posted by hummercash at 3:15 PM on October 1, 2008

Write up on how to do it here

You can use workgroup manager, and should be able to manage the local directory (which can be kind of a pain in the long run; if you have an active directory server, you may want to look into extending the schema so you can have it host your MCX settings for you).

You can also create a localhost computer mcx setting, that you can then include on your images, that would have this screensaver setting (computer setting will override user setting, set it to manage always). Here is a writeup about dslocal and such tricks (you will have to write a script to update the localhost to include the primary mac address for each client, which is included in the article). Here you go.
posted by mrzarquon at 3:57 PM on October 1, 2008

Response by poster: mrzarquon, that first link you posted shows how to always enforce a password to come back from the screen saver. That's only half of the equation, and it's the part we already figured out. The part we couldn't figure out was locking the screen saver timeout duration to a value that the user couldn't change. I don't think the second link helps us either, but I'll have to look at it further.
posted by joshrholloway at 4:17 PM on October 1, 2008

Best answer: Follow the steps for adding the "askForPassword" key, and also create an idleTime key, class number, 900 for 15 minutes (it's in seconds).

use the afp548.com article to use a localhost computer entry to manage the machine settings, instead of trying to manage preferences using workgroup manager on each user account. MCX settings can be overridden by someone with admin access, but they have to do it in the workgroup manager, they won't be able to do so in system profiler.

At the end of the day, you end up with a localhost.plist file you have to copy to each machine (or include on your image) and an at boot script to update the .plist file with the mac address of the machine running it (note: you will probably have to restart the machine twice the first time just to make sure the settings stick).

Sorry I don't have time to provide a more in-depth guide on how to do it, but that should get you going in the direction you want.
posted by mrzarquon at 4:56 PM on October 1, 2008

er, system preferences.
posted by mrzarquon at 4:57 PM on October 1, 2008

Response by poster: Have you actually done it before? Because I believe we tried using the idleTime key, but it would not allow it. We'll definitely give it another shot, but I'm pretty sure we have been through those steps before.
posted by joshrholloway at 5:29 PM on October 1, 2008

As previously mentioned, the idleTime key is stored in the user's ~/Library/Preferences/ByHost/com.apple.screensaver.[hardwareaddress].plist file. The hardware address is the MAC address of the primary network interface (en0). If you lock this file, you will prevent users from changing any of their screensaver options. A better way to go about locking down the specific setting would be to create a LaunchAgent that will re-set the proper idleTime whenever it detects the file has changed.

Fortunately, the files in ByHost don't change often so you can tell the LaunchAgent to run whenever anything in that folder changes. This allows you to ignore the unique hardware addresses on different computers. Here's the code for the launch agent.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
In this file, the 300 string is the number of seconds (5 minutes) to wait before activating the screen saver, so replace it with your own interval. Save this as com.yourcompany.saveridle (or whatever) and copy it to the user's ~/Library/LaunchAgents folder. You may need to create this folder. When the user logs in next, the LaunchAgent will run to ensure the idleTime is set correctly and it will run whenever a file in the ByHost folder changes.

Are you modifying the default user template as part of your master image?
posted by pmbuko at 8:59 PM on October 1, 2008 [1 favorite]

sorry for the extra line breaks. looked fine in preview
posted by pmbuko at 9:01 PM on October 1, 2008
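A complete version of the kind of launch agent pmbuko describes, as an added example rather than pmbuko's own plist: it assumes the label com.example.saveridle and generates the file per user so the WatchPaths entry is an absolute path. The job reads the current idleTime before writing, so it does not modify the directory it watches on every trigger.

```shell
#!/bin/sh
# Added example (not pmbuko's original plist): generates a per-user LaunchAgent
# that re-asserts com.apple.screensaver idleTime whenever anything under
# ~/Library/Preferences/ByHost changes, and once at login (RunAtLoad).
# The label "com.example.saveridle" is an assumption; use your own prefix.

# Print the LaunchAgent XML for label $1, idle time $2 (seconds), home dir $3.
saveridle_agent_plist() {
    label=$1; secs=$2; home=$3
    # The watched directory is also the one the job writes into, so the job
    # reads the current value first and only writes when it differs; otherwise
    # every run would modify the file and trigger the agent again.
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>cur=\$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null); [ "\$cur" = "${secs}" ] || defaults -currentHost write com.apple.screensaver idleTime -int ${secs}</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>${home}/Library/Preferences/ByHost</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Write the agent into the current user's LaunchAgents folder and load it now;
# it will also be loaded automatically at every later login.
install_saveridle_agent() {
    label=$1; secs=$2
    dir="$HOME/Library/LaunchAgents"
    mkdir -p "$dir"
    saveridle_agent_plist "$label" "$secs" "$HOME" > "$dir/$label.plist"
    launchctl load "$dir/$label.plist"
}

# On a Mac, run as the user to lock the timeout to ten minutes:
#   install_saveridle_agent com.example.saveridle 600
```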

josh- didn't have a chance to try it, but that should in theory work, and again, you would be editing the machine mcx preference set, not the user (os x provides 4 levels of mcx profiles: user, workgroup, machine, machine group). But pmbuko's script will get you what you want at the end of the day, without poking around with mcx.

pmbuko- that is a really nice non mcx solution.

For an image, while not officially supported (as the contents of the folder may change), is to add that .plist to:

/System/Library/User Template/English.lproj/Library/LaunchAgents (you have to do this as root)

On your image (if you didn't know already). All new user accounts will be created using that folder as the template, so the launchagent plist will be installed automatically for every user (if you use the accounts pane to create a new user).
posted by mrzarquon at 10:24 PM on October 1, 2008

And if you haven't already, pick up John DeTroy's macintosh management tips and tricks
posted by mrzarquon at 10:26 PM on October 1, 2008

Response by poster: Awesome, guys. Thanks for the assist on this one. I will be trying these out when I get into work today. Wish me luck!
posted by joshrholloway at 5:27 AM on October 2, 2008

Response by poster: pmbuko: Your plist did not work for some reason. I'm not sure why.

mrzarquon: When I said we had tried setting the idleTime key using the Workgroup Manager before, I was correct, but we had only tried it through the GUI. It looks like the Workgroup Manager GUI does not allow you to put the idleTime key in the "always" domain, which is what we wanted. However, this command...

dscl . -mcxset /Computers/localhost com.apple.screensaver idleTime always -int XX

...does work, even though it exhibits some slightly unexpected behavior. Now all we have to do is deploy it to the machines, none of which are currently managed with Workgroup Manager. Any suggestions on the best way to do this?
posted by joshrholloway at 8:37 AM on October 2, 2008

Best answer: dscl is actually keeping that configuration (or it should be) here:


you can either copy this file to each machine, and then update the .plist to have the mac address of that computer (the update script I had mentioned before), or since you aren't doing much tweaking (and you have a copy of apple remote desktop right?) you can just push out the two commands as a unix command:

Run this at each machine to create the localhost file,
dscl . -create /Computers/localhost ENetAddress $(ifconfig en0 | awk ' /ether/ {print $2}')

dscl . -mcxset /Computers/localhost com.apple.screensaver idleTime always -int XX

I don't have my localhost changer script on hand right now, i can get it later today however.

Also difference between Always and Often: always is for apps that respect the preference settings, and will allows MCX to override their own, Often means that OS X will write a new preference file each time the user logs in, overwriting any changes they had made in the past.
posted by mrzarquon at 9:05 AM on October 2, 2008

Best answer: (or the shorter answer: all workgroup manager is doing is giving you a gui interface to manage the DSLocal database, those two commands should be all you need to run to get a localhost file created, and then the idletime setting tweaked, i guess you want to add the ask for password key also).
posted by mrzarquon at 9:08 AM on October 2, 2008

Best answer: Here is the script, which I put in /etc/localhostChange.sh, but should probably live in /Library/Scripts/YourCompany/


#!/bin/sh
# Recreate the localhost computer record with this machine's en0 MAC address.
dscl . -create /Computers/localhost ENetAddress $(ifconfig en0 |grep ether | awk '{print $2}')

Here is the launchd item (the less than / greater than symbols should carry through, preview is showing that they are) to run that script at boot, and goes in /Library/LaunchDaemons/ (for more info on launchd, go here):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<string>Updates localhost dslocal entry to include the ethernet ID of the machine, at launch</string>
posted by mrzarquon at 3:48 PM on October 2, 2008
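An added example (not mrzarquon's own script or launchd item) that assembles the pieces from the last few answers: the boot-time script that recreates the localhost record with the en0 MAC address and pins idleTime and askForPassword in the always domain, and the LaunchDaemon that runs it. The script path /Library/Scripts/Example/localhostChange.sh and the label com.example.localhostchange are assumptions.

```shell
#!/bin/sh
# Added example: generates the boot script and the LaunchDaemon for the
# DSLocal/MCX approach described in this thread. Paths and labels below are
# assumed placeholders, not the files from the answers above.

# Print the script body; $1 is the idle time in seconds.
localhost_change_script() {
    secs=$1
    cat <<EOF
#!/bin/sh
# Runs as root at boot (from a LaunchDaemon); idle time pinned to ${secs} s.
mac=\$(ifconfig en0 | awk '/ether/ {print \$2}')
[ -n "\$mac" ] || exit 1   # no en0 address: leave the record alone
dscl . -create /Computers/localhost ENetAddress "\$mac"
dscl . -mcxset /Computers/localhost com.apple.screensaver idleTime always -int ${secs}
dscl . -mcxset /Computers/localhost com.apple.screensaver askForPassword always -int 1
EOF
}

# Print a LaunchDaemon plist with label $1 that runs script $2 once per boot.
localhost_change_daemon_plist() {
    label=$1; script=$2
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array>
        <string>${script}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Install both files; run as root so the daemon plist is root-owned.
install_localhost_change() {
    secs=$1
    script=/Library/Scripts/Example/localhostChange.sh   # assumed location
    label=com.example.localhostchange                    # assumed label
    mkdir -p "$(dirname "$script")"
    localhost_change_script "$secs" > "$script" && chmod 755 "$script"
    localhost_change_daemon_plist "$label" "$script" > "/Library/LaunchDaemons/$label.plist"
    launchctl load "/Library/LaunchDaemons/$label.plist"
}
```

On the image, `sudo sh -c '. ./thisfile.sh; install_localhost_change 600'` lays down both files; the script itself runs at the next boot.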

Response by poster: Thank you so much, mrzarquon. It looks like this solution is going to work for us and it will be the best way we can go.
posted by joshrholloway at 7:08 PM on October 2, 2008
