macOS "password not required for screen saver, auto login is enabled"

MichaelQ
Conversationalist


I recently pushed out the agent to a number of macOS systems. By doing this, the profile & settings have now overridden the lock on screensaver local setting. Does anyone know how to resolve this through the profile & settings configuration? It is also listed under reasons for the client not being compliant, i.e. "password not required for screen saver". Same issue with "auto login is enabled", listed as a reason the client is not compliant. I have gone through all the docs and Google searches, nothing. I am now stuck on how to resolve this using the profile & settings config.

8 REPLIES
sshort
Building a reputation

Hi!

It would be helpful to know which profiles are currently pushed to your devices, as just installing the agent on its own wouldn't configure/adjust any system settings.

At my org I'm using a combination of the pre-built template wizard Meraki provides, and I upload custom profiles using Apple's Profile Manager to enforce more advanced settings. Under Meraki's Passcode section, there is a drop down menu for "Auto-Lock" and the default value is set to "never."

[Screenshots: Screen Shot 2018-03-08 at 2.00.20 PM.png, Screen Shot 2018-03-08 at 1.54.37 PM.png]

MichaelQ
Conversationalist

I have not deployed the agent as of yet. I have 2 profiles installed on each macOS laptop: the Default Meraki profile and a Custom profile that I created to enforce the company security policy for laptop settings. The custom profile is the one that has the passcode configuration enabled. I currently have Auto-Lock set at 5 min. I have a policy set up to audit for the Screen Saver being set at 5 mins. The report says that all the devices are non-compliant because there is no password required for screen saver. 😕

MRCUR
Kind of a big deal

You could upload your custom profile to Dashboard and have SM push that to devices for you. That should ensure the settings you want remain set and you can push the SM agent as well. 

MRCUR | CMNO #12
sshort
Building a reputation

Here are some screenshot examples of the settings available in Apple's Profile Manager that can be exported and then uploaded to Meraki:

[Screenshots: Screen Shot 2018-03-08 at 2.05.58 PM.png, Screen Shot 2018-03-08 at 2.06.28 PM.png]

MichaelQ
Conversationalist

This is interesting, we are not using Apple's Profile manager. I will have to look into that. So, I am thinking that means I have to visit each machine to disable auto-login. 

sshort
Building a reputation

I think we may be running into a distinction Apple makes between the screen saver and auto lock settings. "Auto lock" is set for inactivity vs triggered by screensaver activation. Here are some examples:

Auto lock 5 minutes, screensaver 5 minutes: If there is no user activity for 5 minutes the screensaver activates. Then after an additional 5 minutes a password is required to get past the screensaver.

Auto lock immediately, screensaver 5 minutes: If there is no user activity for 5 minutes the screensaver activates. If a user moves the cursor after the screensaver appears they are immediately prompted for a password.

sshort
Building a reputation

Also... in terms of the "auto login enabled" flag you may want to check your client machines under System Preferences/Users & Groups/Login Options. There is a drop down menu at the top that should be set to "off" for Automatic login.

In Apple Profile Manager there's an option to disable that feature and export a profile (seen in a screenshot from an earlier post).
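
Added example, not part of any post in this thread and not Meraki's or Apple's code: a Python check of an exported, unsigned .mobileconfig for the two findings discussed here, which also adds the screen saver idle time to the password delay, following the auto lock versus screen saver distinction sshort describes. It assumes Apple's `com.apple.screensaver` keys (`askForPassword`, `askForPasswordDelay`, `idleTime`) and the `com.apple.loginwindow` key `com.apple.login.mcx.DisableAutoLoginClient`; the sample profile, the function name `audit_profile` and the 300-second limit are constructed for illustration, and how Meraki's own compliance check evaluates these settings is not stated in the thread.

```python
import plistlib

# Constructed sample profile (not from the thread): screen saver after 5 min,
# password asked 5 min after that, automatic login disabled.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.screensaver",
         "idleTime": 300, "askForPassword": True, "askForPasswordDelay": 300},
        {"PayloadType": "com.apple.loginwindow",
         "com.apple.login.mcx.DisableAutoLoginClient": True},
    ],
})

# idleTime may be delivered in either payload type, so both are read.
RELEVANT_TYPES = ("com.apple.screensaver", "com.apple.screensaver.user",
                  "com.apple.loginwindow")


def audit_profile(data, max_seconds_to_lock=300):
    """Return a list of findings for one unsigned .mobileconfig (bytes)."""
    profile = plistlib.loads(data)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") in RELEVANT_TYPES:
            merged.update(payload)

    findings = []
    if not merged.get("askForPassword"):
        findings.append("password not required for screen saver")
    else:
        idle = merged.get("idleTime")
        delay = merged.get("askForPasswordDelay")
        if idle is None or delay is None:
            findings.append("idleTime or askForPasswordDelay not enforced; "
                            "the user's local value applies")
        elif idle == 0:
            findings.append("screen saver never starts (idleTime is 0)")
        elif idle + delay > max_seconds_to_lock:
            # Idle time and password delay add up, as in the 5 + 5 case above.
            findings.append(f"password only required after {idle + delay}s "
                            f"idle (limit {max_seconds_to_lock}s)")
    if not merged.get("com.apple.login.mcx.DisableAutoLoginClient"):
        findings.append("auto login is not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```
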

florian2
New here

@sshort can you elaborate on how to export and import a profile with these more advanced settings into Meraki MDM?

Many thanks in advance!
