Secureframe Agent: Screen Lock / Session Timeout Check

Screen Lock / Session Timeout

Here are step-by-step instructions to enable screen lock / session timeout for a device.
 

Windows:

There are two methods to enable Windows screen lock.

Method 1 (via Control Panel):

  • Open Control Panel > Screen Saver, or hit the Windows key and search for Screen Saver.
     
  • This should open the screen saver settings window.
     
  • Set the Wait value to 15 minutes or fewer.
     
  • Check the box next to On resume, display logon screen.
     
  • Click Apply to save the new settings.
     

 

Method 2 (via registry entries):

  • The Secureframe Agent checks for the following registry settings to be enabled:
    • HKEY_USERS\%\Control Panel\Desktop\ScreenSaveActive
      • The value should be 1
      • Forces the screensaver to run after screen lock
    • HKEY_USERS\%\Control Panel\Desktop\ScreenSaverIsSecure
      • The value should be 1
      • This ensures that a password is required to log in after screen lock
    • HKEY_USERS\%\Control Panel\Desktop\ScreenSaveTimeOut
      • The value should be <= 900
      • This is how many seconds of inactivity before screen lock (900 seconds = 15 minutes)
         
    • "%" represents your Security identifier or SID. It will look something like "S-#-#-#...-####" where # are numbers.
  • There are multiple ways to set these registry keys. The following instructions use the Registry Editor:
    • Click the Windows menu and type in Registry Editor, then right-click the result and select Run as administrator
       
    • On the left side, click on HKEY_USERS > % > Control Panel > Desktop
      • Remember that "%" is your SID
         
    • Right click on the Desktop name and select New > DWORD (32-bit) Value
      • Type the registry key name, e.g. ScreenSaverIsSecure, and press Enter
      • Double click this new key to open a window and enter the desired value
         
    • Repeat for all registry keys that are not present or set to a passing value.

       
  • After configuring the keys, you can start a Sync for the Secureframe Agent. The newly configured device should now pass the check.
    • On the Asset Inventory page, the screen lock check for the device is updated when the device has checked in with the correct configuration AND the Secureframe Agent integration has been synced.
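
The three registry values listed in Method 2 can be checked locally before starting a Sync. The PowerShell script below is an added example, not Secureframe's code and not how the Agent itself is implemented; the function name Test-ScreenLockValues and the SID filter are assumptions made for illustration. It only reads the registry, and it only sees the hives of users who are currently signed in.

```powershell
# Added example: read-only audit of the three values from Method 2.
# Run from an elevated PowerShell prompt to read other users' hives.
$MaxTimeoutSeconds = 900   # threshold from the article (900 seconds = 15 minutes)

function Test-ScreenLockValues {
    # Hypothetical helper: takes the raw registry data (string or DWORD)
    # and returns a list of failures; an empty list means the check passes.
    param([hashtable]$Values)
    $failures = @()
    if ("$($Values.ScreenSaveActive)" -ne '1') {
        $failures += 'ScreenSaveActive must be 1'
    }
    if ("$($Values.ScreenSaverIsSecure)" -ne '1') {
        $failures += 'ScreenSaverIsSecure must be 1'
    }
    $timeout = 0
    if (-not [int]::TryParse("$($Values.ScreenSaveTimeOut)", [ref]$timeout)) {
        $failures += 'ScreenSaveTimeOut is missing or not a number'
    } elseif ($timeout -gt $MaxTimeoutSeconds) {
        $failures += "ScreenSaveTimeOut is $timeout, must be <= $MaxTimeoutSeconds"
    }
    return ,$failures
}

# Assumption: user SIDs start with S-1-5-21- (local/domain) or S-1-12-1- (Entra ID).
# The anchored pattern also skips service accounts and the *_Classes hives.
$userHives = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

foreach ($hive in $userHives) {
    $path  = "Registry::HKEY_USERS\$($hive.PSChildName)\Control Panel\Desktop"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $values = @{
        ScreenSaveActive    = $props.ScreenSaveActive
        ScreenSaverIsSecure = $props.ScreenSaverIsSecure
        ScreenSaveTimeOut   = $props.ScreenSaveTimeOut
    }
    $failures = Test-ScreenLockValues -Values $values
    # One result object per signed-in user
    [pscustomobject]@{
        SID    = $hive.PSChildName
        Pass   = ($failures.Count -eq 0)
        Issues = ($failures -join '; ')
    }
}
```

A SID with Pass = False lists which of the three values is missing or out of range, which tells you which entries to create or correct in the Registry Editor steps above.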


Mac:

You will need to create a device profile with askForPassword set to true and loginWindowIdleTime <= 900.

Linux:

The Secureframe Agent does not pull Screen Lock information on Linux, because the data differs depending on the flavor of Linux being used.
