How to List Screenlock Status Across All Macs
Using Kolide, you can easily view and query Mac Screenlock Status across your fleet.
Introduction
macOS has a security feature that locks your device and requires a password after a period of inactivity. It consists of several interrelated toggles from separate preference panes, which together determine when an idle Mac will require a password:
- Security & Privacy > General Tab
- Energy Saver
- Desktop & Screensaver
This inventory captures all of these controls to give a big-picture view of the screenlock settings on a device. The configuration of a safe screenlock policy helps prevent unauthorized access to your device if it is left unattended.
To learn more about screenlock security on a Mac, please refer to the official Apple Support documentation: "Require a password after waking your Mac".
What Mac Screenlock Status Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac Screenlock Status from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Screenlock Status Schema
Column | Type | Description |
---|---|---|
id | Primary Key | Unique identifier for the object |
device_id | Foreign Key | Device associated with the entry |
device_name | Text | Display name of the device associated with the entry |
device_user_id | Foreign Key | The Device User associated with the entry |
display_sleep_idle_ac | Bigint | The amount of time in seconds the device must be idle while connected to power before the screen turns off. Special Values: |
display_sleep_idle_battery | Bigint | The amount of time in seconds the device must be idle while running on battery power before the screen turns off. Special Values: |
managed_screensaver_idle | Bigint | The amount of time in seconds the device must be idle before it activates the screensaver based on a managed preference set by an administrator. This value takes precedence over Special Values: |
minimum_effective_idle | Bigint | The amount of time in seconds the device must be idle before it either sleeps or activates the screensaver. The value here is the "worst case" scenario. For example, if a device is on A/C power your device takes Special Values: |
screenlock_enabled | Boolean | |
screenlock_grace_period | Bigint | The amount of time in seconds the device can be asleep or the screensaver is visible before a password is required to unlock it. Special Values: |
user_screensaver_idle | Bigint | The amount of time in seconds the device must be idle before it activates the screensaver based on the user's preferences. The Special Values: |
username | Text | The username of the user account with which the screenlock settings are associated. |
collected_at | Timestamp | Time the row of data was first collected in the database |
updated_at | Timestamp | Time the row of data was last changed in the database |
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
SELECT device_name, screenlock_enabled FROM mac_screenlock_configs;
device_name | screenlock_enabled |
---|---|
balthazar | false |
Ashleys-MacBook-Pro-2 | true |
siegfried | true |
Jacks-MacBook-Pro | false |
daves-imac | true |
SELECT
  device_name,
  minimum_effective_idle,
  screenlock_enabled,
  username,
  -- Screenlock settings are stored in seconds (10 * 60 = 600)
  CASE WHEN minimum_effective_idle > 600
    THEN TRUE
    ELSE FALSE
  END AS idle_exceeds_threshold
FROM mac_screenlock_configs
ORDER BY minimum_effective_idle DESC;
username | device_name | screenlock_enabled | idle_exceeds_threshold | minimum_effective_idle |
---|---|---|---|---|
dave | Daves-MacBook-Pro | true | true | 3600 |
jackson | jackson-mbp- | true | true | 1200 |
titus | maximus | true | true | 1200 |
fernando | Fernandos-MacBook-Air | true | true | 1200 |
balthazar | balthazar | true | false | 600 |
junebug | Forrests-iMac-Pro | true | false | 600 |
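The two queries above each check one control. The following added example (not from Kolide's documentation) combines the schema's columns into a single non-compliance report and computes the full window between last input and a password prompt. The 600-second idle limit and 5-second grace limit are assumed policy values, and the column aliases are illustrative.

```sql
-- Added example: thresholds below are assumed policy values, not Kolide defaults.
-- Assumed policy: idle timeout of at most 600 s and a grace period of at most 5 s.
-- The schema lists special values for the idle and grace columns; this query
-- treats every value as a plain number of seconds, so review those values in
-- your own data before relying on the computed sum.
SELECT
  device_name,
  username,
  screenlock_enabled,
  minimum_effective_idle,
  screenlock_grace_period,
  -- Worst-case seconds from last input until a password is required:
  -- idle time before sleep/screensaver plus the grace period that follows.
  minimum_effective_idle + screenlock_grace_period AS seconds_until_locked,
  CASE
    -- IS NOT TRUE also matches NULL, so an unknown state is reported
    -- instead of silently passing.
    WHEN screenlock_enabled IS NOT TRUE THEN 'screenlock disabled or unknown'
    WHEN screenlock_grace_period > 5    THEN 'grace period too long'
    WHEN minimum_effective_idle > 600   THEN 'idle timeout too long'
  END AS failure_reason
FROM mac_screenlock_configs
WHERE screenlock_enabled IS NOT TRUE
   OR screenlock_grace_period > 5
   OR minimum_effective_idle > 600
ORDER BY seconds_until_locked DESC;
```

A device can pass the idle check in the earlier query and still appear here, because a long grace period leaves the session unlocked after the screensaver starts.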
Why Should I Collect Mac Screenlock Status?
Understanding the state and verifying the desired configuration of screenlock is a critical compliance requirement for many IT & Security teams.
A device with an insecure screenlock configuration is at higher risk of unauthorized access and compromise.
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
No additional personally identifiable data is collected or transmitted as part of this inventory.
When you use Kolide to list Mac Screenlock Status data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.