Screen Lock / Session Timeout
Here are step-by-step instructions to enable screen lock / session timeout for a device.
Windows:
There are two methods to enable Windows screen lock.
Method 1 (via Control Panel):
- Open Control Panel > Screen Saver, or hit the Windows key and search for Screen Saver.
- This should open a window similar to this screenshot:
- Set the Wait value to 15 minutes or fewer.
- Check the box next to "On resume, display logon screen".
- Click Apply to save the new settings.
Method 2 (via registry entries):
- The Secureframe Agent checks that the following registry values are set:
- HKEY_USERS\%\Control Panel\Desktop\ScreenSaveActive
  - The value should be 1
  - Forces the screensaver to run after screen lock
- HKEY_USERS\%\Control Panel\Desktop\ScreenSaverIsSecure
  - The value should be 1
  - This ensures that a password is required to log in after screen lock
- HKEY_USERS\%\Control Panel\Desktop\ScreenSaveTimeOut
  - The value should be <= 900
  - This is the number of seconds of inactivity before screen lock (900 seconds = 15 minutes)
- "%" represents your Security Identifier (SID). It will look something like "S-#-#-#...-####", where each # is a number.
  - If there are multiple SIDs that end with four digits, you can find your SID via PowerShell.
- There are multiple ways to set these registry keys. The following instructions use the Registry Editor:
- Click the Windows menu, type Registry Editor, right click it and select Run as administrator.
- On the left side, click on HKEY_USERS > % > Control Panel > Desktop (remember that "%" is your SID).
- Right click on the Desktop name and select New > DWORD (32-bit) Value.
- Type the registry key name, e.g. ScreenSaverIsSecure, and hit Enter.
- Double click this new key to open a window and enter the desired value.
- Repeat for all registry keys that are not present or not set to a passing value.
- After configuring the keys, you can start a Sync for the Secureframe Agent. The newly configured device should now pass the check.
- On the Asset Inventory page, the screen lock check for the device is updated when the device has checked in with the correct configuration AND the Secureframe Agent integration has been synced.
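The following PowerShell script is added here as an example; it is not part of the Secureframe article or the Secureframe Agent. It reads the three registry values from the current user's hive (HKCU, which holds the same data as HKEY_USERS\<your SID>), reports whether each meets the thresholds listed above, and prints your SID so you can find the matching HKEY_USERS branch in Registry Editor.

```powershell
# Added example, not the Secureframe Agent's own check. Audits the three
# screen lock registry values for the user running the script.
function Test-ScreenLockConfig {
    # HKCU is the current user's hive, i.e. HKEY_USERS\<your SID>.
    $desktopKey = 'HKCU:\Control Panel\Desktop'

    # Thresholds from the article: screensaver active, password on resume,
    # and an inactivity timeout of at most 900 seconds (15 minutes).
    $checks = @(
        @{ Name = 'ScreenSaveActive';    Test = { param($v) $v -eq 1 };   Expected = '1' }
        @{ Name = 'ScreenSaverIsSecure'; Test = { param($v) $v -eq 1 };   Expected = '1' }
        @{ Name = 'ScreenSaveTimeOut';   Test = { param($v) $v -le 900 }; Expected = '<= 900' }
    )

    # Print the SID so the HKEY_USERS branch can be located in Registry Editor.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    Write-Host "Current user SID: $sid"

    $allPass = $true
    foreach ($check in $checks) {
        # Windows normally stores these values as REG_SZ strings; a missing
        # value comes back as $null because the error is suppressed.
        $raw = (Get-ItemProperty -Path $desktopKey -Name $check.Name `
                    -ErrorAction SilentlyContinue).($check.Name)
        if ($null -eq $raw) {
            Write-Host ("FAIL  {0,-20} missing (expected {1})" -f $check.Name, $check.Expected)
            $allPass = $false
            continue
        }

        # Cast handles both REG_SZ ("900") and DWORD (900) storage.
        $value = [int]$raw
        if (& $check.Test $value) {
            Write-Host ("PASS  {0,-20} = {1}" -f $check.Name, $value)
        } else {
            Write-Host ("FAIL  {0,-20} = {1} (expected {2})" -f $check.Name, $value, $check.Expected)
            $allPass = $false
        }
    }

    # $true when every value is present and within the passing range.
    return $allPass
}

if (Test-ScreenLockConfig) {
    Write-Host 'Screen lock configuration passes.'
} else {
    Write-Host 'Screen lock configuration needs attention; fix the FAIL lines in Registry Editor.'
}
```

A FAIL line for ScreenSaveTimeOut with a value above 900 is the most common result on a fresh install, since the default Wait value is longer than 15 minutes.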
Mac:
You will need to create a device profile with askForPassword set to true and loginWindowIdleTime <= 900.
- An MDM such as Kolide or Jamf Pro can create and enforce a password & screen lock policy.
- If not using an MDM, you can install this profile we've created for everyone to use:
  - Click the above link to download the profile.
  - Double click the downloaded profile.
  - Open "System Settings" and go to "Profiles".
  - Double click the profile to review and install it.
- You can use the resources below to create your own device profile.
- Profile resources:
  - More information on configuration for Apple devices
  - More information on payload for configuring screen lock
This video shows how to install the password & screen lock profile for your device.
Linux:
The Secureframe Agent does not pull screen lock information on Linux, because the relevant settings differ depending on the Linux distribution and desktop environment in use.