Force a Screen Saver Policy?

Posted:
in macOS edited January 2014
I admin 150 OS X Macs. All Mac users are domain users who are authenticated/administered via Active Directory. My users are NOT local admins on the Mac workstations.



I need to figure out a way to:



1) Force all Macs to start a screen saver after 30 minutes of inactivity. I do NOT want the end user to be able to modify the screen saver inactivity time threshold.



2) Force the screen saver to require a password to get back into the Mac. I do NOT want the end user to be able to modify the ability to be prompted with a password or not.



I can't seem to make Apple's Security and Screen Saver System Pref Panes cooperate with my intentions. Examples:



Screen Saver Pane: This pane is NOT secured, thus any end user can edit the inactivity threshold (or turn it off!). The scren saver .plist that controls this setting is not easily locked to "force" the settings I want. The scren saver .plist is here:



/Users/<username>/Library/Preferences/byHost/com.apple.screensaver.<MAC address>.plist.



I can't modify this file with a repeating cron job to all Macs on my LAN, since each user's .plist has a unique name! Grrr.



Security Pane: This pane has SOME locked settings (users cant edit), but the "Require this computer to use password to wake from screen saver" option is NOT locked, thus any end user can turn it off. Grrr.



Any ideas?



THis sounds easy, but play with the System Pref Panes and .plist files, and you will see how hard this is!

Comments

  • Reply 1 of 6
    webmailwebmail Posts: 639member
    i can't remember but i believe there is a way (without removing the preference pane) to make it invisible. You should do something like that...
  • Reply 2 of 6
    scottscott Posts: 7,431member
    Can't you just change the owner of the file and make it read only with the settings you want?



    Also don't forget "force log off".
  • Reply 3 of 6
    bungebunge Posts: 7,329member
    Is there a .plist somewhere that indicates which preferences are secure? There must be some way to do it as a third party developer should be able to decide for themselves.



    Speaking of which, could you possibly use a third party screen saver if one exists with the features you need? VersionTracker might help.
  • Reply 4 of 6
    If your Macs are managed using Workgroup Manager, then you can go to the Preferences section and uncheck the preference panes you don't want your users to change.



    Otherwise, you could write the default preferences you want (screen saver after 30 minutes, require password) into the global domain (NSRegistrationDomain). Then, either remove the "Desktop & Screen Saver" preference pane entirely to prevent your users from changing any screen saver preferences, or modify the nib for the Screen Effects pref. pane so that the "Start screen saver:" slider isn't available. Ditto for the "Security" pref pane.
  • Reply 5 of 6
    Quote:

    Originally posted by King Chung Huang

    If your Macs are managed using Workgroup Manager, then you can go to the Preferences section and uncheck the preference panes you don't want your users to change.



    Otherwise, you could write the default preferences you want (screen saver after 30 minutes, require password) into the global domain (NSRegistrationDomain). Then, either remove the "Desktop & Screen Saver" preference pane entirely to prevent your users from changing any screen saver preferences, or modify the nib for the Screen Effects pref. pane so that the "Start screen saver:" slider isn't available. Ditto for the "Security" pref pane.




    How do I remove or hide the slider in Interface Builder?
  • Reply 6 of 6
    Quote:

    Originally posted by dstranathan

    How do I remove or hide the slider in Interface Builder?



    - open /System/Library/PreferencePanes/DesktopScreenEffectsPref.prefPane/Contents/Resources/ScreenEffects.prefPane/Contents/Resources/English.lproj/ScreenSaverPref.nib

    - open Window1 (if necessary)

    - select the control

    - select Show Info in the Tools menu, and go to Attributes (if necessary)

    - either uncheck "Enabled" so that it can't be modified, or completely delete the control
Sign In or Register to comment.