Create a Mac Lock Screen Policy

Unattended macOS devices with a user still logged in create opportunities for unauthorized access to information and misuse of accounts. As an IT Admin, you can remotely apply a policy that locks a single inactive device or every inactive device in your organization's fleet.

JumpCloud’s Lock Screen Policy automatically locks the screen and turns on the screen saver if a managed device is inactive for a specified period of time. The policy requires the user to enter the device password to unlock the screen. JumpCloud also provides a Lock Screen Policy for Linux and Windows devices.

The Lock Screen Policy can lock an inactive device only after mandatory OS processes have completed. Users can also configure other settings that activate the screen saver after an interval that differs from your policy.

Considerations

  • If you’re experiencing delays with the Lock Screen Policy, request that all users log out and back in to all devices.
  • When you apply the Lock Screen Policy to devices for the first time, all users are required to log out and back in before the policy takes effect.
  • When you modify the Timeout value, all users are required to log out and back in before the policy changes take effect.
  • When you uninstall the Lock Screen Policy, it immediately stops being enforced.
  • If you uninstall and then reinstall the Lock Screen Policy, it’s immediately enforced. However, the Timeout value in the uninstalled policy is the one JumpCloud uses. To reset the old value to the value in the newly reinstalled policy, all users are required to log out and back in.
  • Many settings affect screen locking, including the following:
    • JumpCloud Lock Screen Policy Timeout
    • Screen Saver Settings
    • Power and Sleep Settings

The shortest setting is the one that takes effect first.

Creating a Lock Screen Policy for macOS

When you apply the Lock Screen Policy to a macOS device, the policy applies to all users on a device, regardless of whether JumpCloud manages the user account. You also have the option to enforce the policy only for JumpCloud managed users.

After you apply a Lock Screen Policy to a device, the policy is in effect. However, because a screen saver can be activated in other ways on a macOS device, the exact time that the screen locks can vary. A timeout can be set on a macOS device in Apple's System Preferences by selecting Energy Saver and then configuring the Turn Display Off setting. This setting only turns off the display. Other hardware components remain on and processes continue to run.

Warning:

If video playback is in progress in a desktop app, such as QuickTime Player, both the Turn Display Off setting and the JumpCloud Lock Screen Policy are overridden and the display doesn't go to sleep.

Although there are other ways to lock a macOS screen, such as Sleep Mode and Lock Screen, these events aren’t triggered by a timeout setting. In these cases, a user can lock a screen immediately by pressing the Touch Bar, selecting a command in Apple Menu, or closing the device.

When a user logs in to a device where you applied a JumpCloud Lock Screen Policy, the screen locks when the shortest screen timeout setting expires. If the Turn Display Off setting is shorter than the JumpCloud Lock Screen Policy, this setting locks the screen.
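The "shortest timeout wins" rule above can be checked on a device before rollout. The script below is an added example, not JumpCloud code: it reads the Turn Display Off value (`displaysleep`, in minutes) from `pmset -g custom` output, converts it to seconds, and reports which timer expires first. The function names, the sample pmset text, and the 300 s and 600 s values are constructed for illustration, and treating 0 as "never" for the policy Timeout is an assumption.

```shell
#!/bin/sh
# Added example, not JumpCloud code. Function names and sample data are constructed.
# On a Mac the inputs would come from:
#   pmset -g custom                                             (displaysleep, minutes)
#   defaults -currentHost read com.apple.screensaver idleTime   (seconds)

# Constructed sample of `pmset -g custom` output, trimmed to the relevant keys.
SAMPLE_PMSET='Battery Power:
 displaysleep         2
 sleep                10
AC Power:
 displaysleep         0
 sleep                0'

# Print the Turn Display Off timer for one power source, converted to seconds.
# $1 = "Battery Power" or "AC Power", $2 = pmset text. Prints nothing if absent.
displaysleep_secs() {
  printf '%s\n' "$2" | awk -v sect="$1:" '
    /^[A-Za-z].*:$/ { in_sect = ($0 == sect) }
    in_sect && $1 == "displaysleep" { print $2 * 60; exit }'
}

# Print "<source> <seconds>" for the timer that expires first.
# $1 = policy Timeout, $2 = screen saver idleTime, $3 = display off (all seconds).
# 0 or empty is treated as "never" and skipped; on a tie the policy wins.
first_timer() {
  best_name=none; best=0
  for pair in "policy:$1" "screensaver:$2" "displayoff:$3"; do
    name=${pair%%:*}; secs=${pair#*:}
    [ "${secs:-0}" -gt 0 ] 2>/dev/null || continue
    if [ "$best" -eq 0 ] || [ "$secs" -lt "$best" ]; then
      best=$secs; best_name=$name
    fi
  done
  echo "$best_name $best"
}

# Demo: policy Timeout 300 s, screen saver idleTime 600 s, both power sources.
for src in "Battery Power" "AC Power"; do
  off=$(displaysleep_secs "$src" "$SAMPLE_PMSET")
  echo "$src: $(first_timer 300 600 "$off")"
done
```

With the sample data, the display-off timer fires first on battery (120 s) while the policy Timeout fires first on AC power (300 s), so the same laptop locks at different times depending on its power source.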

To create a macOS Lock Screen Policy:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. In the All tab, click (+).
  4. On the New Policy panel, select the Mac tab.
  5. Locate the Lock Screen Policy and click configure.
  6. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  7. (Optional) In the Policy Notes field, enter details like when you created the policy, where you tested it, and where you deployed it.
  8. Under Settings, in Timeout, enter the number of seconds of inactivity before the screen saver launches and a password is required.
  9. (Optional) Select the Device Groups tab and select one or more device groups that will use this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  10. (Optional) Select the Devices tab and select one or more devices that will use this policy.
  11. Click save.
