3 replies Latest Post - ‏2013-10-31T18:30:47Z by hansen_m
SystemAdmin

Pinned topic Problems with SECURITY: No Password Required on Wake From Sleep (apple osx)

‏2012-12-10T16:43:31Z |
The fixlet needs the following relevance added before relevance 3 to exclude systems that have this particular setting managed through Apple MCX. If the setting is being managed through MCX, then it does not matter what the setting is, since it will override the settings being set by this fixlet.


not (exists file "/Library/Managed Preferences/com.apple.screensaver.plist" AND exists integer "askForPassword" of dictionary of file "/Library/Managed Preferences/com.apple.screensaver.plist")


http://bigfix.me/cdb/Relevance/1541
Also, there are some issues with the current relevance 3:


(if (it >= "10.6")
then ((not exists file "com.apple.screensaver.plist" of it) OR (not exists integer "askForPassword" of it OR integer "askForPassword" of it is not equal to 1) of dictionary of file "com.apple.screensaver.plist" of it) of folder (pathname of users folder & "/" & name of current user & "/Library/Preferences")
else ((not exists file whose (name of it contains "com.apple.screensa" and name of it contains ".plist") of it) OR ((not exists integer "askForPassword" of it OR integer "askForPassword" of it is not equal to 1) of dictionary of file whose (name of it contains "com.apple.screensa" and name of it contains ".plist") of it)) of folder (pathname of users folder & "/" & name of current user & "/Library/Preferences/ByHost")) of version of operating system


It seems to only check the "ByHost" location if the OS version is < 10.6, but this seems backwards. 10.6+ OS X do have that setting set in the ByHost location, so it may be that both places need to be checked for all versions, not sure.
Also, there are some issues with the action script:


wait defaults write "{posix path of users folder & "/" & name of current user & "/Library/Preferences/ByHost/com.apple.screensaver." & concatenation of substrings separated by "-" of mac address of link interfaces whose(name of it = name of primary internet connection) of network}" askForPassword -int 1


Newer Apple computers do not use the MAC address appended to the plist file; they use the UUID instead.

It would be nice if TEM/Bigfix had Local MCX & profile inspectors / actions so that settings could be more easily managed using those instead of only plists.
Updated on 2012-12-26T20:51:59Z at 2012-12-26T20:51:59Z by Jeff Saxton
  • Jeff Saxton

    Re: Problems with SECURITY: No Password Required on Wake From Sleep (apple osx)

    ‏2012-12-26T20:51:59Z  in response to SystemAdmin
    Please tell us what TEM site this fixlet is in, then I will be able to route this to the correct party.
    Thank you
    • jgstew

      Re: Problems with SECURITY: No Password Required on Wake From Sleep (apple osx)

      ‏2013-07-29T20:03:37Z  in response to Jeff Saxton

      This problem is found in the "Patches for Mac OS X" site in IEM/TEM/BigFix.

      This is still a problem today and has not been addressed.

    • hansen_m

      Re: Problems with SECURITY: No Password Required on Wake From Sleep (apple osx)

      ‏2013-10-31T18:30:47Z  in response to Jeff Saxton

      It would be incredibly useful to have a MCX preferences inspector for Mac OS X that utilizes the proper API (CFPreferences)

      https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFPreferencesUtils/Reference/reference.html

      It is becoming more difficult to rely on flat preferences files on disk (and never really was supported) when the effective preferences could be coming from a number of sources including a MDM/profile or a network or local directory service.
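
Added example, not part of the thread and not BigFix content: a Python sketch of the check the first post and the last reply ask for, reading askForPassword from the managed (MCX) plist first, then any ByHost file regardless of MAC or UUID suffix, then the per-user plist. The precedence order (managed, then ByHost, then user) and the function names are assumptions of this example; the `root` parameter exists only so the logic can be run against a test directory tree.

```python
import glob
import os
import plistlib
from xml.parsers.expat import ExpatError

DOMAIN = "com.apple.screensaver"
KEY = "askForPassword"

def _read_key(path):
    """Return the askForPassword value from one plist, or None if absent or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ExpatError, ValueError):
        return None
    return data.get(KEY) if isinstance(data, dict) else None

def candidate_files(home, root="/"):
    """Yield (source, path) pairs, highest assumed precedence first."""
    yield "managed", os.path.join(root, "Library/Managed Preferences", DOMAIN + ".plist")
    byhost = os.path.join(home, "Library/Preferences/ByHost")
    # The suffix may be a MAC address or a hardware UUID, so match any suffix.
    for path in sorted(glob.glob(os.path.join(byhost, DOMAIN + ".*.plist"))):
        yield "byhost", path
    yield "user", os.path.join(home, "Library/Preferences", DOMAIN + ".plist")

def effective_ask_for_password(home, root="/"):
    """Return (source, value) from the first file that sets the key, else (None, None)."""
    for source, path in candidate_files(home, root):
        value = _read_key(path)
        if value is not None:
            return source, value
    return None, None

def needs_remediation(home, root="/"):
    """True only when the setting is not MCX-managed and is not equal to 1."""
    source, value = effective_ask_for_password(home, root)
    if source == "managed":
        return False  # MCX overrides whatever a local defaults write would set
    return value != 1  # also True when the key is missing everywhere

if __name__ == "__main__":
    home = os.path.expanduser("~")
    print(effective_ask_for_password(home), needs_remediation(home))
```

Reading plist files directly has the limitation the last reply describes: preferences delivered by a profile or directory service that never land in these files are not seen by this check.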