Having recently updated my JSS to 9.82, I quickly noticed that my “Require password immediately after sleep or screen saver begins” setting was no longer being enforced. After some investigation, it became apparent that the JSS was not passing the “Ask For Password Delay” value into the profile when set to “immediately.” Further testing revealed that this only applied when set to “immediately” and that other settings, such as “5 seconds” worked as expected, as shown below.
On the left, we see the Ask For Password Delay set to 5 seconds. On the right, we see that the Ask For Password Delay is not present.
While a 5-second delay is adequate (and even preferable) to some, security is paramount in my organization. We wanted to make sure the option for immediately requiring a password was still available to our users (we allow them to choose between immediately and 5 seconds via a policy in Self Service).
I was able to come up with a workaround with the help of Paul Nichols at JAMF Software, who verified that this is a known issue (D-010036) in version 9.82 of the Casper Suite. The workaround is to create com.apple.screensaver.plist with the appropriate settings and upload it as a custom setting in a Configuration Profile in the JSS.
Here is an example plist that I created.
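As an added example (not the author's plist), this Python script writes a com.apple.screensaver.plist with the delay set explicitly and audits a payload for the missing-delay condition described above. The key names `askForPassword` and `askForPasswordDelay` are the standard com.apple.screensaver preference keys rather than values quoted from this post, and the broken sample is constructed.

```python
import plistlib

# Standard com.apple.screensaver preference keys (assumed; not spelled out in the post).
ASK_KEY = "askForPassword"
DELAY_KEY = "askForPasswordDelay"


def build_screensaver_plist(delay_seconds=0):
    """Return com.apple.screensaver.plist bytes with the delay always written."""
    if delay_seconds < 0:
        raise ValueError("delay must be >= 0")
    settings = {ASK_KEY: 1, DELAY_KEY: int(delay_seconds)}
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)


def audit_screensaver_plist(data):
    """Classify a plist: 'immediate', 'delayed:<n>', 'delay-missing' or 'not-required'."""
    settings = plistlib.loads(data)
    if not settings.get(ASK_KEY):
        return "not-required"
    if DELAY_KEY not in settings:
        # The failure mode from the post: the delay key is absent from the payload.
        return "delay-missing"
    delay = int(settings[DELAY_KEY])
    return "immediate" if delay == 0 else f"delayed:{delay}"


# Constructed sample: a payload set to "immediately" with the delay key dropped.
BROKEN_SAMPLE = plistlib.dumps({ASK_KEY: 1}, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    fixed = build_screensaver_plist(0)
    # Write the file that would be uploaded in the Custom Settings payload.
    with open("com.apple.screensaver.plist", "wb") as fh:
        fh.write(fixed)
    print("broken sample:", audit_screensaver_plist(BROKEN_SAMPLE))
    print("generated file:", audit_screensaver_plist(fixed))
```

The same audit function can be pointed at the payload of a profile exported from the JSS to confirm the delay key is present before deployment.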
The plist should be uploaded in a Custom Settings payload inside a Configuration Profile as shown in the screenshots below.
In my testing, it was also necessary to include the Security & Privacy payload with “Require password immediately after sleep or screen saver” enabled as well, as shown below.
Once deployed, the password timeout for the screen saver should be immediate as expected.