The macosxhints Forums

Thread: How do I modify 10.9 Mavericks Screen Saver Authentication (http://hintsforums.macworld.com/showthread.php?t=169927)

Matt OS X 12-11-2013 08:04 AM

How do I modify 10.9 Mavericks Screen Saver Authentication
 
I need your help to unlock 10.9 Mavericks Screen Saver Authentication. In previous versions of Mac OS X, it was possible to enter any local administrator account's credentials and bypass the screen saver, regardless of who was currently logged into the console. Great for IT depots that maintain a local master admin account. Example: an IT staff member could do maintenance/troubleshooting at an end user's Mac, even if the person had left the Mac workstation locked with a screen saver at lunchtime (i.e., the end user was not required to physically unlock the screen saver).

Does anyone know if this behavior can be changed/reverted? Is this behavior stored in an XML plist or in the /etc/authorization file?

I used to know how to do this with 10.7 Lion and 10.8 Mountain Lion, but not this time with 10.9 Mavericks, due to different files being stored in /etc/.

Here is what I used to do with 10.7 and 10.8. Read below and please help me figure out how I can do this with Mavericks.

Code:
cd /etc/pam.d
sudo cp screensaver screensaver.bak
sudo nano screensaver

Find the line:
Code:

account required pam_group.so no_warn group=admin,wheel fail_safe

and change it to:
Code:

account sufficient pam_group.so no_warn group=admin,wheel fail_safe

Save /etc/pam.d/screensaver and exit nano.

Then, we make a wholly unintuitive change to /etc/authorization:
Code:
cd /etc
sudo cp authorization authorization.bak
sudo nano authorization

Press control-w and search for "unlock the screensaver"

Change the line:
Code:

<string>The owner or any administrator can unlock the screensaver.</string>

to:
Code:

<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>

Save /etc/authorization and exit nano.

Reboot.

agentx 12-11-2013 09:00 AM

/etc/authorization is deprecated in Mavericks.

You should use the security command:
http://www.afp548.com/2013/10/22/mod...tion-database/

Matt OS X 12-11-2013 09:42 AM

Agentx, thank you for the link.

I'm not sure where to start or how to modify the screen saver with security command lines. Could you please assist me here if you know how?

Thanks in advance!

agentx 12-11-2013 09:51 AM

From the MacEnt List, which you join to find out info!

Basic Flow to change items in auth.db
1) Use `security authorizationdb read <some-right> > /path/to/tmp.plist` to get a plist representing the right definition
2) Modify the right using whatever plist modification tools/techniques you'd like
3) Use `security authorizationdb write <some-right> < /path/to/edited.plist` to write the modified right back into the auth DB.

DETAIL

Looking at the examples you provided, we'll start with your first entry for system.preferences:

##set the rights
## allow everyone access to system preferences itself
sudo $PB -c "set rights:system.preferences:group powerusers" "/etc/authorization"


In OS X Mavericks, you would use a workflow similar to the following:

security authorizationdb read system.preferences > /tmp/system.preferences.plist
/usr/libexec/PlistBuddy -c "set group powerusers" /tmp/system.preferences.plist
sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist

Then, for the system.restart options, your previous method was:

##restart, changing from "evaluate-mechanisms" to "user"
sudo $PB -c "add rights:system.restart:class string user" "/etc/authorization"
sudo $PB -c "set rights:system.restart:class user" "/etc/authorization"
sudo $PB -c "add rights:system.restart:allow-root bool true" "/etc/authorization"
sudo $PB -c "set rights:system.restart:allow-root true" "/etc/authorization"
sudo $PB -c "add rights:system.restart:group string everyone" "/etc/authorization"
sudo $PB -c "set rights:system.restart:group everyone" "/etc/authorization"
sudo $PB -c "add rights:system.restart:shared bool false" "/etc/authorization"
sudo $PB -c "set rights:system.restart:shared false" "/etc/authorization"
sudo $PB -c "delete rights:system.restart:mechanisms" "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.restart > /tmp/system.restart.plist
/usr/libexec/PlistBuddy -c "set class user" /tmp/system.restart.plist
/usr/libexec/PlistBuddy -c "add allow-root bool YES" /tmp/system.restart.plist
/usr/libexec/PlistBuddy -c "add group string everyone" /tmp/system.restart.plist
/usr/libexec/PlistBuddy -c "set shared bool NO" /tmp/system.restart.plist
/usr/libexec/PlistBuddy -c "delete mechanisms array" /tmp/system.restart.plist
sudo security authorizationdb write system.restart < /tmp/system.restart.plist

For system.shutdown, your previous method was:

##shutdown, changing from "evaluate-mechanisms" to "user"
sudo $PB -c "add rights:system.shutdown:class string user" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:class user" "/etc/authorization"
sudo $PB -c "add rights:system.shutdown:allow-root bool true" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:allow-root true" "/etc/authorization"
sudo $PB -c "add rights:system.shutdown:group string everyone" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:group everyone" "/etc/authorization"
sudo $PB -c "add rights:system.shutdown:shared bool false" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:shared false" "/etc/authorization"
sudo $PB -c "delete rights:system.shutdown:mechanisms" "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.shutdown > /tmp/system.shutdown.plist
/usr/libexec/PlistBuddy -c "set class user" /tmp/system.shutdown.plist
/usr/libexec/PlistBuddy -c "add allow-root bool YES" /tmp/system.shutdown.plist
/usr/libexec/PlistBuddy -c "add group string everyone" /tmp/system.shutdown.plist
/usr/libexec/PlistBuddy -c "set shared bool NO" /tmp/system.shutdown.plist
/usr/libexec/PlistBuddy -c "delete mechanisms array" /tmp/system.shutdown.plist
sudo security authorizationdb write system.shutdown < /tmp/system.shutdown.plist

For adjusting the Time Zone, your previous method was:

##timezone, need to add on 10.5 and later, everyone
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone dict" "/etc/authorization"
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone:class string allow" "/etc/authorization"
sudo $PB -c "set rights:system.preferences.dateandtime.changetimezone:class allow" "/etc/authorization"
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone:comment string Timezones" "/etc/authorization"
sudo $PB -c "set rights:system.preferences.dateandtime.changetimezone:comment Timezones" "/etc/authorization"
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone:shared bool true" "/etc/authorization"
sudo $PB -c "set rights:system.preferences.dateandtime.changetimezone:shared true" "/etc/authorization"

In OS X Mavericks, you'll create the Plist from scratch and import the settings to the database:

/usr/libexec/PlistBuddy -c "add class string allow" /tmp/system.preferences.dateandtime.changetimezone.plist
/usr/libexec/PlistBuddy -c "add comment string Timezones" /tmp/system.preferences.dateandtime.changetimezone.plist
/usr/libexec/PlistBuddy -c "add shared bool YES" /tmp/system.preferences.dateandtime.changetimezone.plist
sudo security authorizationdb write system.preferences.dateandtime.changetimezone < /tmp/system.preferences.dateandtime.changetimezone.plist

For print.operator, your previous method was:

## print operator, everyone
sudo $PB -c "set rights:system.print.operator:group everyone" "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.print.operator > /tmp/print.operator.plist
/usr/libexec/PlistBuddy -c "set group everyone" /tmp/print.operator.plist
sudo security authorizationdb write system.print.operator < /tmp/print.operator.plist

For system.preferences.printing, your previous method was:

## printer prefpane, powerusers. requires additional right
sudo $PB -c "set rights:system.preferences.printing:group powerusers" "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.preferences.printing > /tmp/system.preferences.printing.plist
/usr/libexec/PlistBuddy -c "set group powerusers" /tmp/system.preferences.printing.plist
sudo security authorizationdb write system.preferences.printing < /tmp/system.preferences.printing.plist

Your workflow for editing lpadmin group membership should be unchanged in OS X Mavericks:

## add group 'powerusers' to 'lpadmin' group
sudo dseditgroup -o edit -a powerusers -t group lpadmin

For system.preferences.softwareupdate, your previous method was:

## software update, everyone, requires additional right
sudo $PB -c "set rights:system.preferences.softwareupdate:group everyone" "/etc/authorization"
sudo $PB -c 'Set :rights:system.install.apple-software:rule allow' "/etc/authorization"
sudo $PB -c 'set rights:com.apple.SoftwareUpdate.scan:rule allow' "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.preferences.softwareupdate > /tmp/system.preferences.softwareupdate.plist
/usr/libexec/PlistBuddy -c "set group everyone" /tmp/system.preferences.softwareupdate.plist
sudo security authorizationdb write system.preferences.softwareupdate < /tmp/system.preferences.softwareupdate.plist

security authorizationdb read system.install.apple-software > /tmp/system.install.apple-software.plist
/usr/libexec/PlistBuddy -c "set rule:0 allow" /tmp/system.install.apple-software.plist
sudo security authorizationdb write system.install.apple-software < /tmp/system.install.apple-software.plist

security authorizationdb read com.apple.SoftwareUpdate.scan > /tmp/com.apple.SoftwareUpdate.scan.plist
/usr/libexec/PlistBuddy -c "set rule:0 allow" /tmp/com.apple.SoftwareUpdate.scan.plist
sudo security authorizationdb write com.apple.SoftwareUpdate.scan < /tmp/com.apple.SoftwareUpdate.scan.plist

For system.preferences.network, your previous method was:

## network preferences, powerusers, requires additional right
sudo $PB -c "set rights:system.preferences.network:group powerusers" "/etc/authorization"
sudo $PB -c 'set rights:system.services.systemconfiguration.network:rule allow' "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.preferences.network > /tmp/system.preferences.network.plist
/usr/libexec/PlistBuddy -c "set group powerusers" /tmp/system.preferences.network.plist
sudo security authorizationdb write system.preferences.network < /tmp/system.preferences.network.plist

security authorizationdb read system.services.systemconfiguration.network > /tmp/system.services.systemconfiguration.network.plist
/usr/libexec/PlistBuddy -c "set group powerusers" /tmp/system.services.systemconfiguration.network.plist
sudo security authorizationdb write system.services.systemconfiguration.network < /tmp/system.services.systemconfiguration.network.plist

For system.preferences.energysaver, your previous method was:

## energy saver, powerusers
sudo $PB -c "set rights:system.preferences.energysaver:group powerusers" "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.preferences.energysaver > /tmp/system.preferences.energysaver.plist
/usr/libexec/PlistBuddy -c "set group powerusers" /tmp/system.preferences.energysaver.plist
sudo security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist

For system.preferences.timemachine, your previous method was:

## time machine, powerusers
sudo $PB -c "set rights:system.preferences.timemachine:group powerusers" "/etc/authorization"

In OS X Mavericks, you would use:

security authorizationdb read system.preferences.timemachine > /tmp/system.preferences.timemachine.plist
/usr/libexec/PlistBuddy -c "set group powerusers" /tmp/system.preferences.timemachine.plist
sudo security authorizationdb write system.preferences.timemachine < /tmp/system.preferences.timemachine.plist

agentx 12-11-2013 09:53 AM

We leverage the "powerusers" group, which is something between Standard and Admin.
90% of our users are effectively PowerUsers!

Matt OS X 12-11-2013 10:24 AM

agentx, wow, what a long one. I'm not sure where to start. :)

Is it possible for you to narrow it down to screen saver authentication modification only?

Thanks in advance.

agentx 12-11-2013 11:33 AM

security authorizationdb read system.login.screensaver

Code:

***-mbp:~ ****$ security authorizationdb read system.login.screensaver
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>class</key>
        <string>rule</string>
        <key>comment</key>
        <string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
        <key>created</key>
        <real>403187414.28984201</real>
        <key>modified</key>
        <real>403187414.28984201</real>
        <key>rule</key>
        <array>
                <string>use-login-window-ui</string>
        </array>
        <key>version</key>
        <integer>1</integer>
</dict>
</plist>
YES (0)

It's the one not detailed above.
You want admins only?
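
As an added example (not code from the thread, the MacEnt list or Apple's tools), here is the read/modify/write flow agentx outlines above, with Python's plistlib as the plist-modification step instead of PlistBuddy and the system.login.screensaver definition just shown as the constructed sample input. The one assumption is that the `YES (0)` status line can land in a captured read (e.g. with `2>&1`), so the parser strips anything after `</plist>`.

```python
import plistlib

# Constructed sample: the system.login.screensaver right as shown in the thread's
# `security authorizationdb read` output, plus the status line the tool prints
# after the plist (assumed to end up in the capture when stderr is merged in).
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>class</key>
  <string>rule</string>
  <key>comment</key>
  <string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
  <key>created</key>
  <real>403187414.28984201</real>
  <key>modified</key>
  <real>403187414.28984201</real>
  <key>rule</key>
  <array>
    <string>use-login-window-ui</string>
  </array>
  <key>version</key>
  <integer>1</integer>
</dict>
</plist>
YES (0)
"""

def parse_right(raw: bytes) -> dict:
    """Parse `security authorizationdb read` output; drop anything after </plist>."""
    end = raw.rfind(b"</plist>")
    if end == -1:
        raise ValueError("no plist in security output")
    right = plistlib.loads(raw[:end + len(b"</plist>")])
    if not isinstance(right, dict) or "class" not in right:
        raise ValueError("not a right definition")
    return right

def set_rule(right: dict, *rules: str) -> dict:
    """Copy a class=rule right with its rule array replaced; refuse other classes."""
    if right.get("class") != "rule":
        raise ValueError(f"class is {right.get('class')!r}, expected 'rule'")
    edited = dict(right)          # created/modified/version stay as the DB wrote them
    edited["rule"] = list(rules)
    return edited

def to_plist(right: dict) -> bytes:
    """Bytes to feed into `sudo security authorizationdb write <right>` via stdin."""
    return plistlib.dumps(right)

if __name__ == "__main__":
    current = parse_right(SAMPLE_RIGHT)
    edited = set_rule(current, "authenticate-session-owner-or-admin")
    print(to_plist(edited).decode())
```

On a Mac the same three functions sit between `security authorizationdb read system.login.screensaver` and `sudo security authorizationdb write system.login.screensaver`; the rule name comes straight from the right's own comment field.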

Matt OS X 12-11-2013 12:11 PM

Yes, I want standard users to be able to unlock the screensaver whenever they are back in front of their Mac, and local admins to be able to unlock the screensaver with local admin credentials as well. Hope this is clear? Just the same concept as what I posted above earlier, what I did with Lion and Mountain Lion. Thanks again.

agentx 12-11-2013 12:16 PM

Out the door, but here:

http://hints.macworld.com/article.ph...20116131248157

Matt OS X 12-11-2013 02:46 PM

agentx,

Sorry to sound like a newbie here, but I'm struggling to make this work with all of the sources you provided.

I was able to locate this info below in /System/Library/Security/authorization.plist:

Code:

{ class = rule;
comment = "(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.";
rule = "authenticate-session-owner-or-admin";
}

I'm not sure what I should do. I just want the screen saver authentication to look like this:

http://img198.imageshack.us/img198/3941/ofuk.jpg

Not this:

http://imageshack.us/scaled/large/28/yoze.png

Thanks!

agentx 12-12-2013 08:08 AM

Sorry, I was getting mixed up ;-)
You do not need to do anything since Mountain Lion, as they fixed this.
They set default rights for the console user and admin to be able to unlock the screen.
In fact I have a feeling they might have fixed Lion as well, but I don't use it.

When you come to a screen that is locked by a user just
hit option + Return and the login window will change to allow you to enter an admin username/pass.

No more monkeying around with pam.d/screensaver etc.

Matt OS X 12-13-2013 07:19 AM

That didn't work on Mavericks. I tried pressing the "option" key and hitting the "return" key, and nothing happened.

agentx 12-13-2013 07:44 AM

Works on every machine I have running 10.8.5/10.9.

Have these machines had a pam.d hack done on them ?

And also just to check option = alt ;-)

DeltaMac 12-13-2013 09:09 AM

Could this be some change in how AD authentication is used in MavX? - and needs some difference to allow for screen saver locking?

agentx 12-13-2013 09:20 AM

That's a good point, but I have both OD/AD environments as well as just local users, i.e. no directory. We always allow "admin" in the AD plugin by AD Domain and Enterprise Admins.

benwiggy 12-13-2013 09:22 AM

Quote:

Originally Posted by agentx (Post 724262)
When you come to a screen that is locked by a user just
hit option + Return and the login window will change to allow you to enter an admin username/pass.

That doesn't work for me either. Pressing <alt><Return> does exactly nothing.
Not even shaky wrong password.

agentx 12-13-2013 09:22 AM

You using AD ?

benwiggy 12-13-2013 09:24 AM

Quote:

Originally Posted by agentx (Post 724310)
You using AD ?

No. Just bog-standard Mac.

agentx 12-13-2013 09:27 AM

Well, what can I say? It works on 100s of machines I have. I use it almost every day!

agentx 12-13-2013 09:30 AM

Log in as a different standard user, lock the screen, and try it; works perfectly for me ;-)

benwiggy 12-13-2013 09:32 AM

Ah ha! Here's the Apple Support article. It only works if the account logged in is a non-admin.
So one admin can't unlock another.

http://support.apple.com/kb/HT5145

Details of how to let other admins unlock other admins are also in the link. (In short: don't change the line from required to sufficient; comment out the whole line!)

Matt OS X 12-13-2013 09:40 AM

Yes, the iMacs I'm working on here are all joined to Active Directory.

agentx 12-13-2013 09:42 AM

Are you trying to unlock the Macs using an AD Domain admin or a Local Admin account on each machine? All machines should have a local Admin account deployed for correctness in deployments using AD.

agentx 12-13-2013 09:47 AM

I think overall you should not be monkeying around with pam.d anymore ;-)
It's all auth.db now ;-)

Matt OS X 12-13-2013 09:49 AM

It worked for me when I logged in with another account on a Mac. Works like a charm! Thanks again, agentx, for all of your help!

agentx 12-13-2013 09:57 AM

Good, I am glad I got that one resolved... I was getting confused!

roygent 12-22-2013 01:50 PM

help with Mavericks
 
Fairly new to Apple and newer to Mavericks on my new Apple Air; first time here, and I could not see where to place a question but only how to ask... The problem is I can't get rid of the reading list. If I go to the top toolbar and click on the right icon, the reading list will leave, but a new panel with messages appears on the right; click again and the reading list comes back. In ML I could just click on the reading list glasses and it would go away. I have gone to preferences and unchecked messages, but it does not have any effect... Can you give me a hint what to do?
