KB-8378: Can a Mac screensaver be unlocked by any Admin?

Centrify Identity Service, Mac Edition

24 March,17 at 11:31 PM

Applies to: 

Centrify Identity Service, Mac Edition


Question: 

Can a Mac screensaver be unlocked by any Admin?


Answer:

Yes. By default, any admin account on a Mac can unlock a password-protected screen saver and/or lock screen. To restrict unlocking to the session owner, change the rule with the following commands:

1) First, in Terminal, read the current screensaver setting with this command:

sudo security authorizationdb read system.login.screensaver
 

2) If the output of step 1 contains "<string>The owner or any administrator can unlock the screensaver, set the rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>", then run the command:

sudo security authorizationdb write system.login.screensaver "authenticate-session-owner"
 

3) Read the value again to check if it was applied correctly:

sudo security authorizationdb read system.login.screensaver rule

NOTE: The result should look similar to the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>421613939.00044501</real>
<key>modified</key>
<real>506562538.383636</real>
<key>rule</key>
<array>
<string>authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
 

4) Reboot and retry the same use case. Only the session owner should now be able to unlock the desktop; an admin user should not be able to unlock another user's session.
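
The check in step 3 can be automated for auditing. The following is an added example, not Centrify's code: it parses the plist printed by the read command and passes only when the rule is exactly "authenticate-session-owner". The function names and the sample plists are constructed for illustration, and accepting a bare-string rule value is a defensive assumption.

```python
import plistlib
import sys

# Constructed sample inputs modelled on the output shown in step 3.
SAMPLE_SESSION_OWNER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key><string>rule</string>
<key>rule</key><array><string>authenticate-session-owner</string></array>
<key>version</key><integer>0</integer>
</dict>
</plist>"""
SAMPLE_OWNER_OR_ADMIN = SAMPLE_SESSION_OWNER.replace(
    b"authenticate-session-owner", b"authenticate-session-owner-or-admin")

EXPECTED = "authenticate-session-owner"


def screensaver_rules(plist_bytes):
    """Return the list of rule names in a system.login.screensaver right."""
    right = plistlib.loads(plist_bytes)
    rules = right.get("rule", [])
    # Assumption: accept a bare string as well as the array form on the page.
    return [rules] if isinstance(rules, str) else list(rules)


def audit(plist_bytes):
    """Return (compliant, detail); malformed input counts as non-compliant."""
    try:
        rules = screensaver_rules(plist_bytes)
    except Exception as exc:  # plistlib raises several parse error types
        return False, f"unparseable plist: {exc}"
    if rules == [EXPECTED]:
        return True, "only the session owner can unlock"
    return False, f"unexpected rule(s): {rules or 'none'}"


if __name__ == "__main__":
    # Pipe the step 3 output in, or run with no pipe to see the sample result.
    data = SAMPLE_SESSION_OWNER if sys.stdin.isatty() else sys.stdin.buffer.read()
    ok, detail = audit(data)
    print(("PASS: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

The exit status is 0 only for the session-owner-only rule, so the script can be used as a compliance check after the change in step 2.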

    

