Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Built-in checks Raw data App library Tutorials & guides API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
Ensure a password is required to wake the computer from sleep or screen saver is enabled
search

Ensure a password is required to wake the computer from sleep or screen saver is enabled

Checks that password is required to wake the computer from sleep or screen saver is enabled.

Control

Create or edit a configuration profile with the following information:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Screensaver</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.screensaver.AB633B1B-EAEF-4AB6-B5F6-DE67193267E9</string>
      <key>PayloadType</key>
      <string>com.apple.screensaver</string>
      <key>PayloadUUID</key>
      <string>AB633B1B-EAEF-4AB6-B5F6-DE67193267E9</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>askForPassword</key>
      <true/>
      <key>askForPasswordDelay</key>
      <integer>0</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Require password after screensaver or sleep</string>
  <key>PayloadIdentifier</key>
  <string>com.fleetdm.password_policy</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>5A2DC0F2-C5FE-4808-9083-D9879684D7FA</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

Create or edit the following script and configure it to run when the check fails:

Check

Use the policy below to verify

SELECT 1 WHERE 
  EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPassword' AND 
        (value = 1 OR value = 'true') AND 
        username = ''
    )
  AND EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPasswordDelay' AND 
        value <= 5 AND 
        username = ''
    )
  AND NOT EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPassword' AND 
        (value != 1 AND value != 'true')
    )
  AND NOT EXISTS (
    SELECT 1 FROM managed_policies WHERE 
        domain='com.apple.screensaver' AND 
        name='askForPasswordDelay' AND 
        value > 5
    );

Platform

macOS Windows Linux ChromeOS

Share

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs REST API Guides A pencil iconEdit page