I have been tasked with locking down our Macintosh workstations. The only goal so far has been to set a screen saver idle time and to require a password to wake the computer from sleep or screen saver.
After much looking around the interwebs I found that there is not a command line utility or apple script command to change these settings. They have to be changed by modifying a preference file. The file is stored separately for each user and is stored here (the tilde is a variable that is the path to the users home folder).
~/Library/Preferences/ByHost/com.apple.screensaver.THE-MAC-ADDRESS-OF-YOUR-MACHINE.plist.
Argh! The file name is different on every machine. To add to the madness, that file does not exist until the user changes a setting for their screen saver. I found several solutions that pointed to extracting the hardware address of the machine and using that to reference the file but all seemed too complicated.
To write a preference file, Apple has a utility called "defaults". That wonderful utility has a -currentHost switch that references files that are named like the screensaver preference file. As you'll see in the script below, there is a very simple answer to a seemingly difficult scripting problem.
First, I'd recommend looking at the end of the article Altiris Client for Mac and Apple Remote Desktop. There is info in there on how to create a script to run at login or directly from Apple Remote Desktop.
Ok, now to the script. The first line is a for loop that gets the short user name of every console user (users that are actively logged into the machine). The rest is cake, it checks the screen saver preference file by switching to that user using the pseudo -u command. Whether or not the file exists will not matter, since the test will evaluate to true if the file is not there. And using the defaults write command will create the file if it does not exist. It checks for two settings, if askForPassword is set to 1 and if idleTime is set to 600.
for consoleName in `who | grep console | cut -c 1-8`
do
echo $consoleName
if [ `sudo -u $consoleName defaults -currentHost read com.apple.screensaver | grep -c askForPassword\ =\ 1` -ne 1 ]
then
sudo -u $consoleName defaults -currentHost write com.apple.screensaver askForPassword -int 1
echo Changed askForPassword
else echo No change for askForPassword
fi
if [ `sudo -u $consoleName defaults -currentHost read com.apple.screensaver | grep -c idleTime\ =\ 600` -ne 1 ]
then
sudo -u $consoleName defaults -currentHost write com.apple.screensaver idleTime -int 600
echo Changed the idleTime
else echo No change for idleTime
fi
done
The only thing I haven't been able to figure out is how to make this setting take affect immediately. Right now it will take affect on the next login.