Policies/

Ensure a password is required to wake the computer from sleep or screen saver is enabled

Sharon Katz

Checks that password is required to wake the computer from sleep or screen saver is enabled.

Control

Create or edit a configuration profile with the following information:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Screensaver</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.screensaver.AB633B1B-EAEF-4AB6-B5F6-DE67193267E9</string>
      <key>PayloadType</key>
      <string>com.apple.screensaver</string>
      <key>PayloadUUID</key>
      <string>AB633B1B-EAEF-4AB6-B5F6-DE67193267E9</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>askForPassword</key>
      <true/>
      <key>askForPasswordDelay</key>
      <integer>0</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Require password after screensaver or sleep</string>
  <key>PayloadIdentifier</key>
  <string>com.fleetdm.password_policy</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>5A2DC0F2-C5FE-4808-9083-D9879684D7FA</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

Create or edit the following script and configure it to run when the check fails:

Check

Use the policy below to verify:

Query PowerShellNEW BashNEW

SELECT 1 WHERE 
  EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPassword' AND 
        (value = 1 OR value = 'true') AND 
        username = ''
    )
  AND EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPasswordDelay' AND 
        value <= 5 AND 
        username = ''
    )
  AND NOT EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPassword' AND 
        (value != 1 AND value != 'true')
    )
  AND NOT EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPasswordDelay' AND 
        value > 5
    );