Centrify Identity Service, Mac Edition
Can a Mac screensaver be unlocked by any Admin?
Yes. The default behavior on a Mac is that any admin account can unlock a password-protected screen saver and/or lock screen. This behavior can be changed to Session-Owner using the following commands:
1) First, using Terminal, read the current screensaver setting with this command:
sudo security authorizationdb read system.login.screensaver
2) If the output of step 1 contains "<string>The owner or any administrator can unlock the screensaver, set the rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>", then run the command:
sudo security authorizationdb write system.login.screensaver "authenticate-session-owner"
3) Read the value again to check if it was applied correctly:
sudo security authorizationdb read system.login.screensaver rule
NOTE: The result should look similar to the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
4) Reboot and retry the same use case. The admin user should no longer be able to unlock the other user's desktop; only the session owner should.
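Added example (not part of the Centrify article): a shell check that takes the plist printed by the read command in steps 1 and 3 and reports the bound rule from the "rule" key, not from the comment string. The function names and the trimmed sample plist are constructed for illustration.

```shell
# Added example: report the rule bound to system.login.screensaver from plist text on stdin.

# Print the rule name(s) under <key>rule</key>, one per line. Strings under
# other keys (class, comment) are skipped, so the comment text that mentions
# "authenticate-session-owner-or-admin" is never mistaken for the rule.
screensaver_rules() {
    awk '
        /<key>/ { in_rule = ($0 ~ /<key>rule<\/key>/) }
        in_rule && /<string>/ {
            line = $0
            sub(/^.*<string>/, "", line)
            sub(/<\/string>.*$/, "", line)
            print line
        }'
}

# Exit 0 only if the single bound rule is authenticate-session-owner.
screensaver_policy() {
    rules=$(screensaver_rules)
    case "$rules" in
        authenticate-session-owner) echo "session-owner-only" ;;
        "") echo "unknown"; return 2 ;;
        *) echo "not-session-owner-only: $rules"; return 1 ;;
    esac
}

# Constructed, trimmed sample plist; $1 is the rule name to embed.
sample_plist() {
    cat <<EOF
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>comment</key>
	<string>The owner or any administrator can unlock the screensaver, set the rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
	<key>rule</key>
	<array>
		<string>$1</string>
	</array>
</dict>
</plist>
EOF
}

for r in authenticate-session-owner-or-admin authenticate-session-owner; do
    sample_plist "$r" | screensaver_policy || true
done
# On a Mac: sudo security authorizationdb read system.login.screensaver | screensaver_policy
```

The exit status (0 session owner only, 1 any other rule, 2 no rule found) lets the check run from a compliance script across a fleet.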
For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal.