Problems with SECURITY: No Password Required on Wake From Sleep (apple osx)

(imported topic written by SystemAdmin)

The fixlet needs the following relevance added before relevance 3 to exclude systems that have this particular setting managed through Apple MCX. If the setting is being managed through MCX, then it does not matter what the setting is, since it will override the settings being set by this fixlet.

not (exists file "/Library/Managed Preferences/com.apple.screensaver.plist" AND exists integer "askForPassword" of dictionary of file "/Library/Managed Preferences/com.apple.screensaver.plist")

http://bigfix.me/cdb/Relevance/1541

Also, there are some issues with the current relevance 3:

(if (it >= "10.6") then ((not exists file "com.apple.screensaver.plist" of it) OR (not exists integer "askForPassword" of it OR integer "askForPassword" of it is not equal to 1) of dictionary of file "com.apple.screensaver.plist" of it) of folder (pathname of users folder & "/" & name of current user & "/Library/Preferences")
else ((not exists file whose (name of it contains "com.apple.screensa" and name of it contains ".plist") of it) OR ((not exists integer "askForPassword" of it OR integer "askForPassword" of it is not equal to 1) of dictionary of file whose (name of it contains "com.apple.screensa" and name of it contains ".plist") of it)) of folder (pathname of users folder & "/" & name of current user & "/Library/Preferences/ByHost")) of version of operating system

It seems to only check the “ByHost” location if the OS version is < 10.6, but this seems backwards. 10.6+ OS X do have that setting set in the ByHost location, so it may be that both places need to be checked for all versions, not sure.

Also, there are some issues with the action script:

wait defaults write "{posix path of users folder & "/" & name of current user & "/Library/Preferences/ByHost/com.apple.screensaver." & concatenation of substrings separated by "-" of mac address of link interfaces whose(name of it = name of primary internet connection) of network}" askForPassword -int 1

Newer Apple computers do not use the MAC address appended to the plist file; they use the UUID instead.

It would be nice if TEM/Bigfix had Local MCX & profile inspectors / actions so that settings could be more easily managed using those instead of only plists.

(imported comment written by Jeff Saxton)

Please tell us what TEM site this fixlet is in, then I will be able to route this to the correct party.

Thank you

(imported comment written by jgstew)

This problem is found in the “Patches for Mac OS X” site in IEM/TEM/BigFix.

This is still a problem today and has not been addressed.

(imported comment written by hansen_m)

It would be incredibly useful to have an MCX preferences inspector for Mac OS X that utilizes the proper API (CFPreferences).

https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFPreferencesUtils/Reference/reference.html

It is becoming more difficult to rely on flat preferences files on disk (and never really was supported) when the effective preferences could be coming from a number of sources including an MDM/profile or a network or local directory service.
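
The layered lookup discussed in this thread, as an added example that is not part of any post and is not BigFix or Apple code: a Python audit that reads `askForPassword` from the managed plist first, then any ByHost file regardless of its MAC or UUID suffix, then the per-user plist. The `/Users` location, the precedence order and the `root` parameter (for fixtures or mounted images) are assumptions of this sketch; it reads flat files only and does not call CFPreferences.

```python
import getpass
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

DOMAIN = "com.apple.screensaver"
KEY = "askForPassword"


def read_key(plist_path):
    """Return KEY from a plist (XML or binary), or None if absent or unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None
    return data.get(KEY) if isinstance(data, dict) else None


def candidate_sources(user, root="/"):
    """Yield (label, path) in the precedence order assumed by this sketch."""
    root = Path(root)
    # A managed (MCX/profile) value overrides whatever the user plists say.
    yield "managed", root / "Library/Managed Preferences" / f"{DOMAIN}.plist"
    prefs = root / "Users" / user / "Library/Preferences"
    byhost = prefs / "ByHost"
    if byhost.is_dir():
        # The host suffix may be a MAC address or a hardware UUID, so match
        # any suffix instead of rebuilding the file name from the MAC address.
        for path in sorted(byhost.glob(f"{DOMAIN}.*.plist")):
            yield "byhost", path
    yield "user", prefs / f"{DOMAIN}.plist"


def audit(user, root="/"):
    """Return (compliant, source, value) from the first source defining KEY."""
    for label, path in candidate_sources(user, root):
        value = read_key(path)
        if value is not None:
            return value == 1, label, value
    return False, "unset", None


if __name__ == "__main__":
    print(audit(getpass.getuser()))
```
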