The intent of this repo is to share the recommended changes with the Drata team so they can review them and update their documentation/processes if they'd like. Please note, I'll be focusing on the latest macOS release, as I don't have older macOS versions to test against.
Drata - Jamf Configuration URL
Current code:
```bash
#!/bin/sh
askForPassword=$(sysadminctl -screenLock status 2>&1 | awk '{split($0,a,"]"); print a[2]}' | xargs)
user=$( ls -la /dev/console | cut -d " " -f 4 )
idle_time=$(sudo -u $user defaults -currentHost read com.apple.screensaver idleTime)
if [[ ! -z "$askForPassword" && $idle_time -le 900 ]]; then
echo "<result> $askForPassword </result>"
else
echo "<result>Disabled</result>"
fi
```
Recommended replacement:
```bash
#!/bin/bash
sysadminctl_output=$(sysadminctl -screenLock status 2>&1)
# Everything after the "pid]" prefix, e.g. "screenLock delay is 60 seconds"
password_delay=$(echo "$sysadminctl_output" | awk '{split($0,a,"] "); print a[2]}')
# The last word tells us the state: "off", "immediate" or "seconds"
last_str=$(echo "$sysadminctl_output" | awk '{print $NF}')

# Prefer the MDM-managed screen saver idleTime; fall back to the console user's per-host setting
screen_saver_start=$(defaults read /Library/Managed\ Preferences/com.apple.screensaver idleTime 2> /dev/null)
if [[ -z $screen_saver_start ]]; then
    user=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    screen_saver_start=$(sudo -u "$user" defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)
fi

# An idleTime of 0 means the screen saver never starts, so screenLock can never engage
if [[ $screen_saver_start -gt 0 && $screen_saver_start -lt 900 ]]; then
    case $last_str in
        "off") result="Disabled" ;;
        "seconds"|"immediate") result="$password_delay" ;;
        *) result="Error - Contact Drata Support" ;;
    esac
else
    result="Disabled"
fi
echo "<result>$result</result>"
```
Changes:
- I've removed the leading space from the output.
- I've adjusted the output so if screenLock is set to off (Never), it shows Disabled.
- I've added an Error result for the case where the sysadminctl output format changes.
- The script now reads the screen saver idleTime from Managed Preferences first and falls back to the user's own preferences if no managed value is set.
- I've adjusted the user detection so it uses the user actually logged in at the console rather than the owner of /dev/console.
Note that the current description in the documentation is not quite correct:
> This attribute displays the current Screen Saver Lock time. The value to be verified is the time before the password is required to unlock the machine, as specified in System Preferences -> Security & Privacy -> General. Example: 'screenLock delay is 60 seconds' verifies that a password will be required after the machine is idle for 1 minute.

If the screenLock delay is 60 seconds, a password is actually required 60 seconds after the screen saver's idleTime has elapsed, not 60 seconds after the machine goes idle. For example, if the idleTime is set to 10 minutes (600 seconds) and the screenLock delay is set to 60 seconds, the password is actually required 11 minutes (660 seconds) after the machine goes idle.
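To make that arithmetic checkable, here is an added helper of my own (not part of the Drata extension attribute) that takes a captured `sysadminctl -screenLock status` line and an idleTime value and returns the effective number of seconds before a password is required. The sample lines are constructed in the format the extension attribute parses; `lock_within` is a hypothetical compliance check against the 900-second threshold.

```bash
#!/bin/bash
# Added example, not Drata's script. Inputs are passed in so the logic can be
# exercised with constructed sample lines instead of querying the host.
#
#   effective_lock_seconds "<sysadminctl line>" "<idleTime seconds>"
# prints seconds after the last input before a password is required, or
# "off" when either the screen saver or screenLock is disabled.
effective_lock_seconds() {
    line="$1"; idle="$2"
    # Same split the extension attribute uses: text after the "pid]" prefix.
    after_bracket=$(printf '%s\n' "$line" | awk '{split($0,a,"] "); print a[2]}')
    last_word=${after_bracket##* }

    # idleTime unset, non-numeric or 0: the screen saver never starts, so the
    # screenLock delay never begins counting.
    case "$idle" in
        ''|*[!0-9]*|0) echo "off"; return 0 ;;
    esac

    case "$last_word" in
        off)       echo "off" ;;
        immediate) echo "$idle" ;;                      # locks as soon as the saver starts
        seconds)   # "screenLock delay is N seconds" -> idleTime + N
                   delay=$(printf '%s\n' "$after_bracket" | awk '{print $(NF-1)}')
                   echo $(( idle + delay )) ;;
        *)         echo "unknown"; return 1 ;;
    esac
}

# Hypothetical compliance check: true when the effective lock time is at most $3 seconds.
lock_within() {
    secs=$(effective_lock_seconds "$1" "$2") || return 1
    [ "$secs" != "off" ] && [ "$secs" -le "$3" ]
}

# Constructed sample lines in the format sysadminctl prints.
SAMPLE_60="2024-01-01 10:00:00.000 sysadminctl[123:456] screenLock delay is 60 seconds"
SAMPLE_OFF="2024-01-01 10:00:00.000 sysadminctl[123:456] screenLock is off"
SAMPLE_NOW="2024-01-01 10:00:00.000 sysadminctl[123:456] screenLock delay is immediate"

# Worked case from the note above: 600 s idleTime + 60 s delay = 660 s
effective_lock_seconds "$SAMPLE_60" 600
```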
Recommendation: stop collecting this as an extension attribute. Instead, read the value from the computer record via the API at ['computer']['security']['firewall_enabled'].
Current code:
```bash
#!/bin/bash
automaticInstallUserPreference="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2> /dev/null)"
automaticInstallMdmPreference="$(/usr/bin/defaults read /Library/Managed\ Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2> /dev/null)"
if [[ $automaticInstallMdmPreference == 1 || $automaticInstallUserPreference == 1 ]]; then
    echo "<result>Enabled</result>"
else
    echo "<result>Disabled</result>"
fi
```
Recommended Replacement: I have none, this is great!