New Check/Inventory: macOS Screenlock

At long last, we are excited to announce the most requested Check at Kolide: macOS Screenlock.

You can find this new check and configure notifications for it at https://k2.kolide.com/x/checks/75237/failures/open.

This Check is comprehensive: it not only verifies that the screenlock settings are configured correctly, it also ensures that the system will go to sleep or activate the screensaver after an appropriate amount of idle time.

To pass this Check on macOS, the following must be true:

  1. The "require password after sleep or screensaver begins" setting must be checked under the Security and Privacy pane in System Preferences.
  2. The grace period dropdown next to this setting must be set to 5 minutes or less.
  3. Your system must be configured either to sleep or to activate the screensaver after 10 minutes of idle time, regardless of whether it is running on battery or directly connected to an electrical outlet.

These passing states were carefully chosen after reviewing the Center for Internet Security macOS guidelines and interviewing many of our customers about what values they thought struck a good balance between security and device usability.

New Inventory - Screenlock Configs

In addition, we have also exposed data about macOS screenlock configurations in Inventory. You can find this Inventory item at https://k2.kolide.com/x/inventory/mac_screenlock_configs.

In this Inventory Item we expose the following columns:

  • Screenlock Enabled - true if the "require password after sleep or screensaver begins" setting is checked under the Security and Privacy pane in System Preferences.
  • Screenlock Grace Period - The amount of time in seconds (or "Immediately") the computer can be asleep or the screensaver activated before a password is required to unlock the computer.
  • Minimum Effective Idle - The amount of time in seconds the computer must be idle before it either sleeps or activates the screensaver.
  • Display Sleep Idle A/C - The amount of time in seconds (or "Never") the computer must be idle while connected to power before the screen turns off.
  • Display Sleep Idle Battery - The amount of time in seconds (or "Never") the computer must be idle while running on battery power before the screen turns off. 
  • Screensaver Idle - The amount of time in seconds (or "Never") the computer must be idle before activating the screensaver, based on the end-user's own preferences.
  • Screensaver Idle Last Modified At - The time (or NULL) at which the user last modified the screensaver idle setting in the UI.
  • Screensaver Idle Managed - The amount of time in seconds (or NULL) the computer must be idle before activating the screensaver, based on a managed preference set by an administrator.
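To make the passing criteria above concrete against these Inventory columns, here is an added example (not Kolide's own code) that evaluates one mac_screenlock_configs-style row. The thresholds are the ones stated in this announcement (grace period of 5 minutes or less, idle of 10 minutes or less on both A/C and battery); the column key names, and the rule that a managed screensaver preference takes precedence over the user's, are this example's assumptions.

```python
# Added example, not Kolide's implementation. Evaluates the macOS Screenlock
# Check's passing states from a row shaped like the Inventory columns above.
from typing import Dict, List, Optional, Union

GRACE_MAX_SECONDS = 5 * 60    # "5 minutes or less"
IDLE_MAX_SECONDS = 10 * 60    # "after 10 minutes of idle time"
NEVER = float("inf")          # "Never" compares as larger than any limit

Cell = Union[int, str, None]  # seconds, "Immediately", "Never", or NULL (None)


def grace_seconds(value: Cell) -> int:
    """'Immediately' means no grace period at all, i.e. zero seconds."""
    return 0 if value == "Immediately" else int(value)  # type: ignore[arg-type]


def idle_seconds(value: Cell) -> float:
    """'Never' (or a NULL managed value) means the event will not happen."""
    if value is None or value == "Never":
        return NEVER
    return int(value)


def effective_idle(row: Dict[str, Cell]) -> float:
    """Worst-case idle before the machine sleeps OR starts the screensaver.

    Per power state the earlier of display sleep and screensaver counts;
    since the Check requires both A/C and battery to comply, the larger of
    the two per-state values is what must be within the limit (assumption).
    """
    managed = row.get("screensaver_idle_managed")
    screensaver = idle_seconds(managed if managed is not None else row.get("screensaver_idle"))
    on_ac = min(idle_seconds(row["display_sleep_idle_ac"]), screensaver)
    on_battery = min(idle_seconds(row["display_sleep_idle_battery"]), screensaver)
    return max(on_ac, on_battery)


def screenlock_failures(row: Dict[str, Cell]) -> List[str]:
    """Return the list of failed criteria; an empty list means the Check passes."""
    failures: List[str] = []
    if not row["screenlock_enabled"]:
        failures.append("password after sleep/screensaver is not required")
    elif grace_seconds(row["screenlock_grace_period"]) > GRACE_MAX_SECONDS:
        failures.append("grace period is longer than 5 minutes")
    if effective_idle(row) > IDLE_MAX_SECONDS:
        failures.append("no sleep or screensaver within 10 minutes on both A/C and battery")
    return failures


# Constructed sample row: sleeps quickly on battery, screensaver covers A/C.
SAMPLE_ROW: Dict[str, Cell] = {
    "screenlock_enabled": True, "screenlock_grace_period": "Immediately",
    "display_sleep_idle_ac": 900, "display_sleep_idle_battery": 120,
    "screensaver_idle": 300, "screensaver_idle_managed": None,
}
```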

The long journey to getting this data

If you are curious why this Check was challenging to create, or are interested in how we reverse-engineered macOS to gather this information accurately (and how we open-sourced it as a new virtual table in osquery), we suggest reading the write-up on our blog at https://blog.kolide.com/checking-macos-screenlock-remotely-62ab056274f0.

As always, let us know if you have any questions, concerns or feedback about this Check!