screensaver setting commands not functional on high sierra #15

Closed
mtibben opened this issue Apr 2, 2018 · 4 comments
Labels
bug Something isn't working

Comments

mtibben commented Apr 2, 2018

stronghold/stronghold.py, lines 164 to 165 in 4e0a859:

```python
sp.run(['defaults', 'write', 'com.apple.screensaver', 'askForPassword', '-int', '1'], stdout=sp.PIPE)
sp.run(['defaults', 'write', 'com.apple.screensaver', 'askForPasswordDelay', '-int', '0'], stdout=sp.PIPE)
```

These commands are not functional on High Sierra. See drduh/macOS-Security-and-Privacy-Guide#290 for more details.

alichtman (Owner) commented

Interesting. I'll look for a workaround. I was wondering if it was just my Mac that's been acting up a bit or if my code was buggy.

I was reading through https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-a385726e2ae2 and saw

> Adding the askForPasswordDelay key to the profile helps to remediate the profile, but only slightly. The actual preference only appears to be synced after the user logs in again.

One potential solution could be to force (or ask nicely for) a restart at the program end. Opinions on that?

alichtman added the bug label Apr 3, 2018

mtibben (Author) commented Apr 3, 2018

Possibly, although there still is no reliable way to query the current settings and know if it really needs to be applied. While hacking on a custom security auditing script, I did have some success using AppleScript to launch the System Preferences, automate clicking on the right things, and reading out the values from the GUI; however, this requires the user to give the script Accessibility permissions.

Another approach might be to use osquery, which I have just discovered, but I haven't dug into that yet.

alichtman (Owner) commented

> there still is no reliable way to query the current settings

To some extent, the current settings may not matter.

  1. If they're correctly configured, we overwrite them with the same values and nothing will change (aside from being inefficient.)
  2. If they're incorrectly configured, we overwrite them and the behavior will be as expected.

alichtman (Owner) commented

Added this fix in #25. I think this is a good solution, so I'm going to close it for now. Feel free to open this again if you come across a better way to do this.
