Screen Saver unlock and "/etc/cacloginconfig.plist"

Originator: tom.burgin
Number: rdar://19177988
Date Originated: 08-Dec-2014 01:48 PM
Status: Open
Resolved:
Product: OS X
Product Version: 10.9 - 10.10
Classification:
Reproducible: Yes

Summary:
If "/etc/cacloginconfig.plist" exists in 10.9+, the screensaver unlock screen will be controlled by SecurityAgent (old style). Admins, when they successfully authenticate, will be allowed to take over the user's session.

Even if "system.login.screensaver" in AuthDB is set to "use-login-window-ui", this will be overridden by the existence of "/etc/cacloginconfig.plist". We will still be presented with the SecurityAgent style login window.

"/etc/cacloginconfig.plist" is required to map the "NT Principal Name" burned on our SmartCard to the "userPrincipalName" in AD.

In other words:
"/etc/cacloginconfig.plist" is required for PIV login on OS X and because of this, our screensaver unlock screen will always be using the SecurityAgent style window.

Is there a way to leave the ScreenSaver unlock screen alone when using the "/etc/cacloginconfig.plist"?

Steps to Reproduce:
Install OS X 10.9.x or 10.10.x
Create "/etc/cacloginconfig.plist". Even just a "touch /etc/cacloginconfig.plist" will cause the ScreenSaver unlock screen to use SecurityAgent.

Expected Results:


Actual Results:


Version:
OS X 10.9.5 or OS X 10.10.1

Notes:


Configuration:


Attachments:
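
An audit check for the condition this report describes, added here as an example; it is not part of the original report and not Apple's code. The function names and arguments are hypothetical. It assumes only 10.9.x and 10.10.x (the versions the report names) are affected, and that the rule dump is the saved output of `security authorizationdb read system.login.screensaver`.

```shell
#!/bin/sh
# Added example: classify which UI handles screen saver unlock, following
# the behaviour the report describes. Names here are hypothetical.
# On a Mac, produce the rule dump with:
#   security authorizationdb read system.login.screensaver > rule.plist

# affected_version VERSION -> success for 10.9.x / 10.10.x (assumption:
# only the versions listed in the report are treated as affected).
affected_version() {
    case "$1" in
        10.9|10.9.*|10.10|10.10.*) return 0 ;;
        *) return 1 ;;
    esac
}

# unlock_ui VERSION CAC_PLIST_PATH RULE_DUMP_FILE
# Prints one of:
#   securityagent-forced  file exists on an affected version, so the
#                         authorization rule is overridden
#   login-window-ui       rule references use-login-window-ui
#   securityagent         rule does not reference use-login-window-ui
#   unknown               rule dump missing or unreadable
unlock_ui() {
    version=$1
    cac_plist=$2
    rule_dump=$3
    # Per the report, existence alone matters (an empty file created with
    # touch is enough), so test with -e and never parse the contents.
    if affected_version "$version" && [ -e "$cac_plist" ]; then
        echo securityagent-forced
        return 0
    fi
    [ -r "$rule_dump" ] || { echo unknown; return 0; }
    if grep -q '<string>use-login-window-ui</string>' "$rule_dump"; then
        echo login-window-ui
    else
        echo securityagent
    fi
}
```

A host that reports `securityagent-forced` is one where an administrator's credentials at the unlock prompt can take over the logged-in user's session, regardless of the "system.login.screensaver" setting.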
