Hello,

Please bear with me as I'm new to KACE and mac scripting (2.5 days so far).

I'm trying to accomplish the following:

1. enable screensaver to start with a delay of 15 minutes
2. enable password on wake

I've written the scripts to do this:

1. defaults -currentHost write com.apple.screensaver idleTime 900
2. osascript -e 'tell application "System Events" to set require password to wake of security preferences to true'

I have been successful in getting this to run on my Mac without any issues. I've tested by disabling and then running the script and it works well.

I tried pushing this out to the second Mac, and it runs successfully according to the KACE 1000 appliance, but doesn't actually change the settings on the Mac.

I spent some time trying to make that work by testing some more, then found if I run the scripts manually on the Mac, then run the KACE script, it's successful.

Kind of defeats the purpose if I have to run around to the 125 macs we have to push this script out. 

Does anyone have thoughts that might drive me in the right direction? Below is the order of the scripts running for me:

Verify

  1. Launch “/usr/bin\osascript” with params “-e 'tell application ”System Events“ to set require password to wake of security preferences to true'”.
  2. Launch “/usr/bin\defaults” with params “-currentHost write com.apple.screensaver idleTime 900”.

On Success

  1. Log “I think this worked” to “activity”.
  2. Launch “/usr/bin\osascript” with params “-e 'tell application ”System Events“ to get the properties of security preferences'”.
  3. Launch “/usr/bin\defaults” with params “-currentHost read com.apple.screensaver”.

Community Chosen Answer

2

Don't know if this will help or not. I've found that using online shell scripts work a lot better when working with the macs. I found this on the 'net but can't remember its source and give credit to that person. Maybe it will help?

#!/bin/bash
# HARDCODED VALUES ARE SET HERE
startTime="900"       # idle seconds before the screen saver starts
password="1"          # 1 = require a password after the screen saver starts
passwordDelay="0"     # seconds before the password is required (0 = immediately)
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER AND, IF SO, ASSIGN
# (a parameter is only used when the hardcoded value above is left empty)
if [ "$4" != "" ] && [ "$startTime" = "" ]; then
    startTime=$4
fi
if [ "$5" != "" ] && [ "$password" = "" ]; then
    password=$5
fi
if [ "$6" != "" ] && [ "$passwordDelay" = "" ]; then
    passwordDelay=$6
fi
##########
# Get the Universally Unique Identifier (UUID)
#
# Check if hardware is PPC or early Intel
if [[ $(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50) == "00000000-0000-1000-8000-" ]]; then
    LEOUUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c51-62 | awk '{ print tolower($0) }')
# Check if hardware is new Intel
elif [[ $(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50) != "00000000-0000-1000-8000-" ]]; then
    LEOUUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-62)
fi
#
# User logged in at the console, and that user's home directory
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
loggedInUserHome=$(dscl . -read "/Users/$loggedInUser" | grep NFSHomeDirectory: | cut -c 19- | head -n 1)
# Sets time of screen saver to come on.
/usr/bin/defaults write "$loggedInUserHome"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID" idleTime -int "$startTime"
#
# Sets screen saver to require password (not always needed)
/usr/bin/defaults write "$loggedInUserHome"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID" askForPassword -int "$password"
#
# Sets screen saver to require password (not always needed)
/usr/bin/defaults write "$loggedInUserHome"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID" "Require Password" -bool TRUE
#
# Correcting ownership and permissions for /Users/loggedInUser/Library/Preferences/ByHost/com.apple.screensaver.UUID
# (the file is written as root; hand it back to the user instead of making it world-writable)
chown "$loggedInUser" "$loggedInUserHome"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID".plist
chmod 600 "$loggedInUserHome"/Library/Preferences/ByHost/com.apple.screensaver."$LEOUUID".plist
#
# Sets screen saver to require password
/usr/bin/defaults write "$loggedInUserHome"/Library/Preferences/com.apple.screensaver askForPassword -int "$password"
#
# Sets screen saver password delay
/usr/bin/defaults write "$loggedInUserHome"/Library/Preferences/com.apple.screensaver askForPasswordDelay -int "$passwordDelay"
#
# Correct ownership and permissions for /Library/Preferences/com.apple.screensaver
chown "$loggedInUser" "$loggedInUserHome"/Library/Preferences/com.apple.screensaver.plist
chmod 600 "$loggedInUserHome"/Library/Preferences/com.apple.screensaver.plist
#
echo "Set Screen Saver for user:" "$loggedInUser"". With home folder located:" "$loggedInUserHome".

Answered 09/25/2012 by: thefishyfew
Blue Belt

  • hello Fishyfew,

    thanks for this script.

    oddly, that does something. I've found that this script runs successfully

    Running: /var/kace/SMMP/scripts/187/script.sh 2>&1

    Set Screen Saver for user: damien.vince. With home folder located: /Users/damien.vince.

    Activity Log
    2012-09-25 16:41:04: Alert not enabled, moving to next phase....
    2012-09-25 16:41:16: Sending script script.sh to client....
    2012-09-25 16:41:26: Script sent
    2012-09-25 16:41:26: Executing script....
    2012-09-25 16:41:51: Script executed

    it changes the check box in the security and privacy window to Require password for sleep and screen saver, though it doesn't actually require the password after the screensaver comes on?

    thoughts?
  • hmmmm, seems as though it gets enabled after a reboot. I'm continuing to test.
  • Might be the OS itself. I don't have to reboot. Runs great on OS X.5.8 which I'm running tests on now because that's my lowest denominator. I will check OS X.6 shortly and work my way up.
  • Yes, everything from KACE perspective supposedly works flawlessly for 10.6 and lower, but not 10.7+. The script you gave me earlier works well on 10.7 but requires the reboot.

    I just got myself a Mac built with 10.6.8; I'm going to be testing your script and some others. Our problem is that more than 30% of 200 machines are 10.7 so if you hadn't provided that script, the KACE system for making setting changes on a mac might have been pointless.
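
The comments above describe a push that reports success, and even flips the checkbox, while the lock is not actually enforced. The following is an added example, not code from the thread or from KACE: a check a Verify step could run that parses the text `defaults read` prints instead of trusting the script's exit status. The key names come from the thread; the function names, the limits (900 seconds from the question, 5 seconds from a later answer) and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the screen saver lock settings from this thread really
# landed, by parsing the text `defaults read` prints. Key names come from the
# thread; function names, limits and sample data are assumptions/constructed.

MAX_IDLE=900   # seconds of idle time allowed before the screen saver starts
MAX_DELAY=5    # seconds allowed between screen saver start and password prompt

# get_key KEY: read `defaults read` text on stdin, print KEY's value if present.
get_key() {
    awk -v key="$1" '{
        line = $0
        gsub(/[";]/, "", line)                 # drop quotes and trailing semicolon
        if (split(line, kv, "=") != 2) next    # skip braces and nested values
        k = kv[1]; v = kv[2]
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# check_policy: stdin is one user's `defaults read` output (both domains
# concatenated). Prints one FAIL line per finding; returns 0 only if compliant.
# Assumption: a key that is not set at all is treated as a finding.
check_policy() {
    out=$(cat)
    idle=$(printf '%s\n' "$out" | get_key idleTime)
    ask=$(printf '%s\n' "$out" | get_key askForPassword)
    delay=$(printf '%s\n' "$out" | get_key askForPasswordDelay)
    rc=0
    case "$idle" in
        ''|*[!0-9]*) echo "FAIL idleTime missing or not an integer"; rc=1 ;;
        *) if [ "$idle" -eq 0 ] || [ "$idle" -gt "$MAX_IDLE" ]; then
               echo "FAIL idleTime=$idle (must be 1..$MAX_IDLE; 0 means never)"; rc=1
           fi ;;
    esac
    [ "$ask" = "1" ] || { echo "FAIL askForPassword=${ask:-unset}"; rc=1; }
    case "$delay" in   # may be a float: the thread writes it with -float
        ''|*[!0-9.]*) echo "FAIL askForPasswordDelay missing or not numeric"; rc=1 ;;
        *) if ! awk -v d="$delay" -v m="$MAX_DELAY" 'BEGIN { exit !(d + 0 <= m + 0) }'; then
               echo "FAIL askForPasswordDelay=$delay (limit $MAX_DELAY)"; rc=1
           fi ;;
    esac
    return "$rc"
}

# Constructed samples in the format `defaults read` prints.
sample_compliant() {
    printf '%s\n' '{' '    askForPassword = 1;' '    askForPasswordDelay = 5;' '}' \
                  '{' '    idleTime = 300;' '}'
}
sample_noncompliant() {   # values a half-applied push could leave behind
    printf '%s\n' '{' '    askForPassword = 0;' '    askForPasswordDelay = 1000;' '}' \
                  '{' '    idleTime = 0;' '}'
}

# On a Mac, per user (commands as used in the thread):
#   { sudo -u "$u" defaults read com.apple.screensaver
#     sudo -u "$u" defaults -currentHost read com.apple.screensaver; } | check_policy
for s in sample_compliant sample_noncompliant; do
    echo "== $s"
    if "$s" | check_policy; then echo "PASS"; fi
done
```
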

Answers

1

Ok, doing some more testing this afternoon:

I have created a new script with the following:

Run as online shell script
Run as all logged in users

osascript -e 'tell application "finder" to display dialog "Programming in AppleScript is fun."'

osascript -e 'tell application "System Events" to set require password to wake of security preferences to false' 

So with this script, I can get it to launch the Dialog box, but won't change the require password. Note that I'm trying this now on any Mac, whether it worked before or not, and it does not work.

I have been watching the Console screen as the script runs, and I have the following that I think is relevant:

12-09-20 1:15:37.955 PM com.apple.launchd: System: This API can only be used by a process running within an Aqua session.

12-09-20 1:15:37.955 PM osascript: spawn_via_launchd() failed, errno=5 label=[0x0-0x7a07a0].com.apple.systemevents path=/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events flags=0

any thoughts? 

Answered 09/20/2012 by: DamienVince
Senior White Belt

  • is this leopard?
  • I believe it's Lion... version 10.7.4 is what it says.
  • try osascript -e 'tell application "System Events" -e tell security preferences to set require password to wake to false'
  • Not successful.

    Output Log
    Running: /var/kace/SMMP/scripts/186/script.sh 2>&1

    29:80: execution error: Finder got an error: AppleEvent timed out. (-1712)

    36:40: syntax error: Expected end of line but found “tell”. (-2741)

    40:48: execution error: An error of type -10810 has occurred. (-10810)

    Activity Log
    2012-09-20 23:04:22: Alert not enabled, moving to next phase....
    2012-09-20 23:04:23: Sending script script.sh to client....
    2012-09-20 23:04:25: Script sent
    2012-09-20 23:04:25: Executing script....
    2012-09-20 23:06:35: Error 256 received while executing script
  • with lion try escaping the quotes
    osascript -e 'tell application \"System Events\" to set require password to wake of security preferences to false'
  • SMal.tmcc thanks for the help (I am grateful for everyone that is looking at this)

    not successful again

    Running: /var/kace/SMMP/scripts/186/script.sh 2>&1

    29:80: execution error: Finder got an error: AppleEvent timed out. (-1712)

    17:18: syntax error: Expected expression, property or key form, etc. but found unknown token. (-2741)

    40:48: execution error: An error of type -10810 has occurred. (-10810)

    Activity Log
    2012-09-20 23:16:26: Alert not enabled, moving to next phase....
    2012-09-20 23:16:30: Sending script script.sh to client....
    2012-09-20 23:16:34: Script sent
    2012-09-20 23:16:34: Executing script....
    2012-09-20 23:18:45: Error 256 received while executing script
  • doing more research into this error "This API can only be used by a process running within an Aqua session." seems to be a common problem with 10.7 and security changes.
  • I figured it was something like that, do you think there is a solution to the problem? I can't find much on the exact error or how to initiate an "Aqua session" from a shell script.
  • the little I found so far points to the "sandbox" security in this version, I will check with a friend who is an Apple genius.
  • So it looks like this isn't possible according to Dell Support. I spoke with a tech support agent this morning, he's saying the new security in Lion and Mountain Lion is preventing these scripts from running. Dell has no plans to support this until Apple changes their security requirements. This is truly unfortunate as there are a lot of things this could be useful for in our environment.

    if anyone knows of another way to enforce password policies or pushing scripts out to Lion or Mountain Lion, I'd sure be appreciative of that conversation.
  • This is from an apple guru:

    He might need to enable "Remote Apple Events" in the Sharing preference panel.

    or, compile his applescript into a GUI application with Applescript Editor

    then it WILL be running in an Aqua session

    "Aqua" is the GUI, so essentially it's telling him he's not allowed to do that from the command line

    and "Remote Apple Events" is running Applescript over the network, so that might need to be enable for him to push applescript to the computer via KACE
  • Thanks for that.

    I've performed the enable "Remote Apple Events" and run, getting the following error:

    Output Log
    Running: /var/kace/SMMP/scripts/186/script.sh 2>&1

    17:18: syntax error: Expected expression, property or key form, etc. but found unknown token. (-2741)

    40:48: execution error: An error of type -10810 has occurred. (-10810)

    Activity Log
    2012-09-24 17:50:55: Alert not enabled, moving to next phase....
    2012-09-24 17:51:08: Sending script script.sh to client....
    2012-09-24 17:51:20: Script sent
    2012-09-24 17:51:20: Executing script....
    2012-09-24 17:52:10: Error 256 received while executing script

    I'm researching the GUI application now.
  • have you reverted back to your original script?
  • I have tried that, yes.
  • can you see /var/kace/SMMP/scripts/186/script.sh is still there and list it
  • was reading and looks like a format error and found a couple of blurbs about trying this again.....
    try escaping the quotes
    osascript -e 'tell application \"System Events\" to set require password to wake of security preferences to false'
  • http://hintsforums.macworld.com/archive/index.php/t-22711.html
  • So I've done the following:

    put the \"System Events\" in the script.
    I've enabled the "remote apple events"

    and I get the following on the error:
    Output Log
    Running: /var/kace/SMMP/scripts/186/script.sh 2>&1

    17:18: syntax error: Expected expression, property or key form, etc. but found unknown token. (-2741)

    40:48: execution error: An error of type -10810 has occurred. (-10810)

    Activity Log
    2012-09-24 21:54:11: Alert not enabled, moving to next phase....
    2012-09-24 21:54:21: Sending script script.sh to client....
    2012-09-24 21:54:44: Script sent
    2012-09-24 21:54:44: Executing script....
    2012-09-24 21:55:07: Error 256 received while executing script
  • and yes the script.sh file is there

    Damiens-MacBook-Pro:186 damien.vince$ pwd
    /var/kace/SMMP/scripts/186
    Damiens-MacBook-Pro:186 damien.vince$ sudo cat script.sh
    osascript -e 'tell application \"System Events\" to set require password to wake of security preferences to false'
    defaults -currentHost write com.apple.screensaver askForPasswordDelay -int 1000
    osascript -e 'tell application "ScreenSaverEngine" to activate'
  • let's try just doing the top half of the script only and see if it goes (osascript -e 'tell application "System Events" to set require password to wake of security preferences to false')

    I think the second part needs different verbiage like (defaults write com.apple.screensaver askForPasswordDelay -int 1000)
    • tell application "System Events"
      set ss to screen saver "Random"
      start ss
      end tell
  • Doesn't look like it. So only one line now in my script

    osascript -e 'tell application \"System Events\" to set require password to wake of security preferences to true'


    Running: /var/kace/SMMP/scripts/186/script.sh 2>&1

    17:18: syntax error: Expected expression, property or key form, etc. but found unknown token. (-2741)

    Activity Log
    2012-09-25 14:47:53: Alert not enabled, moving to next phase....
    2012-09-25 14:48:07: Sending script script.sh to client....
    2012-09-25 14:48:32: Script sent
    2012-09-25 14:48:32: Executing script....
    2012-09-25 14:48:55: Error 256 received while executing script
    2012-09-25 14:48:55: Uploading scripts/186/test.sh to K1000....
    2012-09-25 14:49:07: Error 99 received while uploading test.sh from client
  • The syntax error is coming from \"System Events\". Take out the slashes and it works great. Even in OS X.8.
  • that script does not work great in the KACE environment, 10.7+ generates errors with or without the slashes.
1
Hi all,
I am resurrecting this old thread because I believe I figured out the solution.
In my case I have a 5 second delay before the password is required, and start SS after 5 minutes.
The trick is that you need to run the defaults command as the user.

Here is the Online Shell Script I am using in K1000:

localUsers=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
hwUUID=$(/usr/sbin/system_profiler SPHardwareDataType 2>/dev/null | grep "Hardware UUID" 2>/dev/null | cut -c22-57 2>/dev/null)
echo "$localUsers" | while read -r userName; do
    # Run defaults as each user so the change shows up and is enforced immediately
    sudo -u "$userName" defaults write "/Users/$userName/Library/Preferences/com.apple.screensaver" askForPassword -int 1 2>/dev/null
    sudo -u "$userName" defaults write "/Users/$userName/Library/Preferences/com.apple.screensaver" askForPasswordDelay -float 5 2>/dev/null
    # ByHost preference keyed by hardware UUID, for releases before macOS 10.12
    sudo -u "$userName" defaults write "/Users/$userName/Library/Preferences/ByHost/com.apple.screensaver.$hwUUID.plist" idleTime -int 300 2>/dev/null
    # macOS 10.12 Sierra no longer needs the hardware UUID
    sudo -u "$userName" defaults write "/Users/$userName/Library/Preferences/ByHost/com.apple.screensaver" idleTime -int 300 2>/dev/null
    # Restart the preferences daemon so cached values are not used
    killall cfprefsd
done

Without the sudo -u $userName part at the beginning of each line, the files were getting updated but System Preferences wouldn't reflect the change until after you restarted. When sudoing as the local user, it is reflected in System Prefs immediately, and more importantly, it is enforced immediately.

Edit: had to fix the formatting in my code above.

For an offline script, just take the same code above, add #!/bin/sh to the top, save it as "macscreensaver.sh" and make it a dependency. In the tasks, set Verify to always fail, and Remediation to:

Launch “$(KACE_DEPENDENCY_DIR)\macscreensaver.sh” with params “”

One thing to make sure of is that you are using the right kind of whitespace characters for your platform. I had a lot of problems getting this script to work as an offline KScript, because I had originally composed it in the web browser on my PC. When I copied and pasted the text into a .sh file and tried to run it on my Mac directly, I got syntax errors due to the different kind of CRLF characters at the end of each line.

New Edit 11/16/2016:

So Apple decided to make things easier for people in macOS 10.12 Sierra -- you no longer need the $hwUUID part to mess with ByHost preferences. Since I want this script to work on both Sierra and earlier versions, I just added the line to the bottom above done.

I also added 'killall cfprefsd' just to be sure that it will pickup the new versions of the files and not the cached ones.

Answered 06/22/2016 by: Matt Bot
White Belt
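
The answer above traces its offline-script failures to CRLF line endings picked up when the script was composed in a browser on a PC. The following is an added example, not part of the original answer: a lint to run on the .sh file before attaching it as a dependency. It goes beyond the CRLF case by also flagging typographic quotes, no-break spaces and a missing `#!` line, which the same kind of copy and paste can introduce; the function names and sample content are constructed.

```shell
#!/bin/sh
# Added example: lint a script for paste damage before pushing it as a KScript
# dependency. Function names and sample content are assumptions/constructed.

CR=$(printf '\r')
LDQ=$(printf '\342\200\234'); RDQ=$(printf '\342\200\235')   # U+201C / U+201D
LSQ=$(printf '\342\200\230'); RSQ=$(printf '\342\200\231')   # U+2018 / U+2019
NBSP=$(printf '\302\240')                                    # U+00A0

# lint_script FILE: print one line per problem; return 0 only if FILE is clean.
lint_script() {
    f=$1
    bad=0
    [ -r "$f" ] || { echo "$f: not readable"; return 2; }
    case "$(head -n 1 "$f")" in
        '#!'*) ;;
        *) echo "$f: first line is not a #! interpreter line"; bad=1 ;;
    esac
    n=$(LC_ALL=C grep -c -F -e "$CR" "$f" || true)
    if [ "$n" -gt 0 ]; then
        echo "$f: $n line(s) contain a carriage return (CRLF line endings)"; bad=1
    fi
    n=$(LC_ALL=C grep -c -F -e "$LDQ" -e "$RDQ" -e "$LSQ" -e "$RSQ" "$f" || true)
    if [ "$n" -gt 0 ]; then
        echo "$f: $n line(s) contain typographic quotes"; bad=1
    fi
    n=$(LC_ALL=C grep -c -F -e "$NBSP" "$f" || true)
    if [ "$n" -gt 0 ]; then
        echo "$f: $n line(s) contain a no-break space"; bad=1
    fi
    return "$bad"
}

# strip_cr SRC DST: write a copy of SRC with every carriage return removed.
# Quotes are only reported, never rewritten, because they may be intentional.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# Demo on a constructed file saved with Windows line endings.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\r\nkillall cfprefsd\r\n' > "$d/macscreensaver.sh"
    lint_script "$d/macscreensaver.sh" || true
    strip_cr "$d/macscreensaver.sh" "$d/fixed.sh"
    if lint_script "$d/fixed.sh"; then echo "fixed.sh: clean"; fi
    rm -rf "$d"
}
demo
```
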

0

try taking the dot from in front of ./usr out

launch "/usr/bin\osascript" with params "-e 'tell application ”System Events“ to set require password to wake of security preferences to true'"

Answered 09/20/2012 by: SMal.tmcc
Red Belt

  • Sorry, that might have been a copy and paste problem, or something else, that period isn't there in KACE. Either I recreated the script and it existed at one time, but it doesn't exist there now.

    I'm guessing this might be an authentication problem? All Macs are on the Domain, all users are administrators on their own machine, but I can't get this to run. Even in the logging, it isn't outputting the On Success read and get information.
  • It occurred to me to post the log file here for the mac that it doesn't work on:

    Log for Damien offline test on Dev4's Mac Pro
    Started: 2012/09/20 11:24:55
    Finished: 2012/09/20 11:24:55
    Elapsed Time: 0 second
    Status: 1
    Status Log
    Kbot xml /var/kace/SMMP/kbots_cache/182-1348161891_expanded.xml, Validation Success
    Kbot xml /var/kace/SMMP/kbots_cache/182-1348161891_expanded.xml, Validation Success
    Kbot xml /var/kace/SMMP/kbots_cache/182-1348161891_expanded.xml, Validation Success
    Kbot xml /var/kace/SMMP/kbots_cache/182-1348161891_expanded.xml, Validation Success
    Activity Log
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to set require password to wake of security preferences to true' -e 'end tell'
    Running kbot: krunkbot.exe 182 1348161892
    Validating kbot xml
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to set require password to wake of security preferences to true' -e 'end tell'
    Launching program: /usr/bin defaults false -currentHost write com.apple.screensaver idleTime 900
    Running kbot: krunkbot.exe 182 1348161892
    Validating kbot xml
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to set require password to wake of security preferences to true' -e 'end tell'
    Launching program: /usr/bin defaults false -currentHost write com.apple.screensaver idleTime 900
    I think this worked
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to get the properties of security preferences'
    Running kbot: krunkbot.exe 182 1348161892
    Validating kbot xml
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to set require password to wake of security preferences to true' -e 'end tell'
    Launching program: /usr/bin defaults false -currentHost write com.apple.screensaver idleTime 900
    I think this worked
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to get the properties of security preferences'
    Launching program: /usr/bin defaults false -currentHost read com.apple.screensaver
    Running kbot: krunkbot.exe 182 1348161892
    Validating kbot xml
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to set require password to wake of security preferences to true' -e 'end tell'
    Launching program: /usr/bin defaults false -currentHost write com.apple.screensaver idleTime 900
    I think this worked
    Launching program: /usr/bin osascript false -e 'tell application "System Events" to get the properties of security preferences'
    Launching program: /usr/bin defaults false -currentHost read com.apple.screensaver
    Debug Log
    Kbot Config Info - Start
    id=182 name=Damien offline test version=1348161891 type=policy
    execute disconnected=false logged_off=true
    execute events
    Kbot Config Info - Finish
    Kbot Config Info - Start
    id=182 name=Damien offline test version=1348161891 type=policy
    execute disconnected=false logged_off=true
    execute events
    Kbot Config Info - Finish
    Kbot Config Info - Start
    id=182 name=Damien offline test version=1348161891 type=policy
    execute disconnected=false logged_off=true
    execute events
    Kbot Config Info - Finish
    Kbot Config Info - Start
    id=182 name=Damien offline test version=1348161891 type=policy
    execute disconnected=false logged_off=true
    execute events
    Kbot Config Info - Finish
    Kbot Config Info - Start
    id=182 name=Damien offline test version=1348161891 type=policy
    execute disconnected=false logged_off=true
    execute events
    Kbot Config Info - Finish
0

When you ran it on your machine did it require sudo?

How do you have the script configured?  Is it an online script or offline?  If online, what user option are you running this under?

Also, it looks like you have a pretty old version of the agent if it still has SMMP.  I don't think that has anything to do with the problem, just thought I would mention it.

Answered 09/20/2012 by: jknox
Red Belt

  • it is configured as an offline script, I have tried it as an online scripts as well.

    it did not require sudo

    So as an online user, I've tried all 4 options, including a user who has domain macadmin privileges.
0

So moving on to another potential fix. KACE tech support called me yesterday and sent me some of their ideas overnight. Some aren't relevant, because as Steve said above, the sandbox thing looks to be the problem. Dell has also confirmed this as they've mentioned a new security feature in OS X 10.7+ that includes the .lockfile... so one suggestion was to try the following shell command:

could you please also try the shell command below:

 

do shell script "/System/Library/CoreServices/'Menu Extras'/User.menu/Contents/Resources/CGSession -suspend"

I can't seem to get this to run

I have the line in the script as follows:

/System/Library/CoreServices/'Menu Extras'/User.menu/Contents/Resources/CGSession -suspend

and get the output:

Running: /var/kace/SMMP/scripts/186/script.sh  2>&1

17:18: syntax error: Expected expression, property or key form, etc. but found unknown token. (-2741)

Activity Log

2012-09-25 16:36:24: Alert not enabled, moving to next phase....
2012-09-25 16:36:38: Sending script script.sh to client....
2012-09-25 16:36:51: Script sent
2012-09-25 16:36:51: Executing script.... 

2012-09-25 16:37:18: Error 256 received while executing script 

Answered 09/25/2012 by: DamienVince
Senior White Belt

  • If you're using an online shell script, you shouldn't need the "do shell script" in front of the whole statement. Try taking those 3 words out and running it then.
  • Just something to keep in mind: I ran into this while trying to create a dialog box that I thought would keep the script from running until it received user input. The dialog box stayed on the screen but after about 2 minutes, the script jumped to the next line and continued to run.

    So, if you get this error "29:80: execution error: Finder got an error: AppleEvent timed out. (-1712)", it's generally because System Events won't wait any longer and will continue with the rest of the script. You have to define how long for it to delay before continuing or giving up.
  • try
    /System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend
    http://superuser.com/questions/44433/create-a-keyboard-shortcut-for-fast-user-switching-in-mac-os-x
  • Running that CGSession -suspend command doesn't work in 10.7+ pushed from a KACE 1000 unit
  • Really hate to revive a thread that's been dead for four months, but were you ever able to find a method to get around the sandboxing and require the password via KACE? I'm trying to do the same thing for several hundred Macs.