I recently pushed out the agent to a number of macOS systems. By doing this, the profile & settings have now overridden the local lock-on-screensaver setting. Anyone know how to resolve this through the profile & settings configuration? It is also listed under reasons for the client not being compliant, i.e. "password not required for screen saver". Same issue with "auto login is enabled", listed as a reason the client is not compliant. I have gone through all the docs and Google searches, nothing. I am stuck now on how to resolve this using the profile & settings config.
It would be helpful to know which profiles are currently pushed to your devices, as just installing the agent on its own wouldn't configure/adjust any system settings.
At my org I'm using a combination of the pre-built template wizard Meraki provides, and I upload custom profiles using Apple's Profile Manager to enforce more advanced settings. Under Meraki's Passcode section, there is a drop down menu for "Auto-Lock" and the default value is set to "never."
I have not deployed the agent as of yet. I have 2 profiles installed on each macOS laptop: the Default Meraki profile and a Custom profile that I created to enforce the company security policy for laptop settings. The custom profile is the one that has the passcode configuration enabled. I currently have Auto-Lock set at 5 min. I have a policy set up to audit for the Screen Saver being set at 5 mins. The report says that all the devices are non-compliant because there is no password required for screen saver. 😕
You could upload your custom profile to Dashboard and have SM push that to devices for you. That should ensure the settings you want remain set and you can push the SM agent as well.
Here are some screenshot examples of the settings available in Apple's Profile Manager that can be exported and then uploaded to Meraki:
This is interesting, we are not using Apple's Profile manager. I will have to look into that. So, I am thinking that means I have to visit each machine to disable auto-login.
I think we may be running into a distinction Apple makes between the screen saver and auto lock settings. "Auto lock" is set for inactivity vs. triggered by screensaver activation. Here are some examples:
Auto lock 5 minutes, screensaver 5 minutes: If there is no user activity for 5 minutes the screensaver activates. Then after an additional 5 minutes a password is required to get past the screensaver.
Auto lock immediately, screensaver 5 minutes: If there is no user activity for 5 minutes the screensaver activates. If a user moves the cursor after the screensaver appears they are immediately prompted for a password.
Also... in terms of the "auto login enabled" flag you may want to check your client machines under System Preferences/Users & Groups/Login Options. There is a drop down menu at the top that should be set to "off" for Automatic login.
In Apple Profile Manager there's an option to disable that feature and export a profile (seen in a screenshot from an earlier post).
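Added example, not part of any post in this thread and not Meraki or Apple code: a Python check of an exported, unsigned `.mobileconfig` that reports whether the profile itself enforces a screen saver password and disables automatic login, the two items flagged in the compliance report above. The payload types and keys are Apple's configuration-profile keys; the sample profiles are constructed, and treating the passcode payload's auto-lock value as insufficient for the screen saver check is an assumption based on the distinction described in the thread.

```python
import plistlib

# Apple configuration-profile payload types and keys.
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
SCREENSAVER = "com.apple.screensaver"
LOGINWINDOW = "com.apple.loginwindow"
AUTOLOGIN_KEY = "com.apple.login.mcx.DisableAutoLoginClient"


def audit_profile(raw, max_delay_s=0):
    """Return findings for an unsigned .mobileconfig (XML or binary plist)."""
    by_type = {}
    for payload in plistlib.loads(raw).get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)

    findings = []
    # Assumption: the passcode payload's maxInactivity (auto-lock) is not
    # counted as a screen saver password requirement, so it is ignored here.
    locking = [p for p in by_type.get(SCREENSAVER, []) if p.get("askForPassword") is True]
    if not locking:
        findings.append("screensaver: askForPassword not enforced")
    for p in locking:
        delay = p.get("askForPasswordDelay")
        if delay is None:
            findings.append("screensaver: askForPasswordDelay not set")
        elif delay > max_delay_s:
            findings.append(f"screensaver: password delay {delay}s exceeds {max_delay_s}s")
    if not any(p.get(AUTOLOGIN_KEY) is True for p in by_type.get(LOGINWINDOW, [])):
        findings.append("loginwindow: automatic login not disabled")
    return findings


def build_profile(payloads):
    """Serialize a constructed sample profile (not a real export)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})


# Constructed samples: passcode auto-lock only, then the same profile with
# explicit screen saver and login window payloads.
WEAK = build_profile([{"PayloadType": PASSCODE, "maxInactivity": 5}])
FIXED = build_profile([
    {"PayloadType": PASSCODE, "maxInactivity": 5},
    {"PayloadType": SCREENSAVER, "askForPassword": True, "askForPasswordDelay": 0, "idleTime": 300},
    {"PayloadType": LOGINWINDOW, AUTOLOGIN_KEY: True},
])

if __name__ == "__main__":
    for name, raw in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_profile(raw) or "no findings")
```

A signed profile has to be unwrapped from its CMS envelope before `plistlib` can read it.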