Why is GNOME ScreenSaver group policy not getting applied in Ubuntu platforms?
Gnome screen lock is a per-user setting. It is hard to make it for a machine Group Policy based setting. Machine screen locking GP is generic for X11 - does not work for Gnome.
There is no global Gnome3 settings, so it is not possible to make it machine GP - it has to be per user.
Ubuntu 12.04 and above have Gnome version 3. Gnome version 3 is planned and not supported with the current Centrify products.
The following applies to Ubuntu 12.x, 14.x and above only.
To make it machine GP, the only way is to create an autostart file in /etc/xdg/autostart.
Autostart script is to set any Gnome setting, and deploy it using copyfile GP.
There is an attachment with this KB with the mapper script for 12.04 and 14.04. Machine GP mapper script can write this file. Then at user login, this file runs gsettings command to change screen lock setting.
Deploy it into /usr/share/centrifydc/mappers/machine folder, and make sure permission is 0755 and rename the original with the following commands--
To do that, do the following--
# sudo mv EnforceScreenlocking.pl EnforceScreenLocking.pl.original
and then rename the script with the following--
# sudo mv EnforceScreenLocking-Ubuntu.pl EnforceScreenLocking.pl
Instead of renaming the .pl file just copy the file in the machine folder and it should work as well.
After that provide 755 permission to the file as follows--
chmod 755 EnforceScreenLocking.pl
With that permission will be seen on the file as follows--
rwxr -xr-x root root ........EnforceScreenLocking.pl
Once set the permission go to GPOE and go to the following GP to make sure it is enabled--
-> Centrify Settings
-> Linux Settings
-> Enforce screen locking
From the Ubuntu machine open the Terminal and run "adgpupdate" to force a GP refresh.
- Regarding Ubuntu 14.04, screen won't turn off when locked. It will just show the unlock screen. Screen will eventually turn off after several minutes.
- Since this new script uses autostart mechanism that happens at login time, if user is already logged in, then need to logout and login again.
- There's one way to prevent user from changing setting, but it will prevent user from changing ANY gnome setting: set permission of ~/.config/dconf to 555.
- There's no way to lock screensaver setting only. Either lock all Gnome setting or lock nothing.