
How to Enforce Clear Screen Policy on Mac OS X with Centrify


By Centrify Advisor II ‎08-31-2016 01:38 PM

What is a clear screen policy?

Various security standards require the computer screen to be locked or the user logged off after a period of inactivity. This policy helps prevent unauthorized users from viewing or accessing sensitive data such as patient information and credit card numbers.

 

Surveys and studies have shown a significant number of cyberattacks involved malicious insiders. Leaving computers unattended while going for a short break or meeting can expose your computer to malware installation, data deletion, modification or theft by an insider.

 

How do I enforce it through Centrify?

In Group Policy Manager, create or edit a group policy object and add one of the following settings. 

 

Option 1: Automatically log out after a period of inactivity

1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Log out after number of minutes of inactivity

2. Set the time to log out.

Once enabled, this group policy takes effect at next user logon.

 


 

 

Option 2: Require a password to wake the Mac from sleep or screensaver

1. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to wake this computer from sleep or screen saver 


2. Set the time to require a password after the Mac goes to sleep or screen saver begins.

Enable and configure: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Desktop Settings > Set computer idle time for Starting screen saver


3. Since this is a User Configuration, you may need to also apply the following group policy setting:

Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode


 Set the Mode to Merge.


Once enabled, this group policy takes effect at next user logon.

 

What time interval do I use?

Each security standard defines a different time of inactivity before locking the screen.

HIPAA: 10 minutes. 2 to 3 minutes for high-traffic areas. 

PCI-DSS v3 (8.1.8): 15 minutes

Center for Internet Security OS X 10.11 Benchmark (2.3.1): 20 minutes

ISO/IEC 27002: 10 minutes

Other standards 
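
One way to audit the result on a managed Mac, as an added example that is not part of the original article or Centrify's tooling: it compares the screen saver idle time plus the password delay against the intervals listed above. It assumes the applied values are readable with `defaults` from the `com.apple.screensaver` domain (`idleTime`, `askForPassword`, `askForPasswordDelay`); the function names are illustrative.

```shell
#!/bin/sh
# Added example (not Centrify code): audit the effective screen-lock window
# on a Mac against the inactivity limits quoted on this page.
# Assumption: the applied values are visible to `defaults` in the
# com.apple.screensaver domain for the logged-in user.

# Inactivity limit in seconds per standard, as listed on this page.
limit_for() {
    case "$1" in
        HIPAA|ISO27002) echo 600 ;;    # 10 minutes
        PCI-DSS)        echo 900 ;;    # 15 minutes
        CIS)            echo 1200 ;;   # 20 minutes
        *)              return 1 ;;
    esac
}

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# evaluate STANDARD IDLE_SECS ASK_FOR_PASSWORD PASSWORD_DELAY_SECS
# Prints a PASS/FAIL line; returns 0 only when the lock window is within limit.
evaluate() {
    limit=$(limit_for "$1") || { echo "FAIL $1: unknown standard"; return 2; }
    is_uint "$2" && is_uint "$4" || { echo "FAIL $1: setting missing or non-numeric"; return 1; }
    [ "$2" -gt 0 ] || { echo "FAIL $1: screen saver never starts"; return 1; }
    [ "$3" = 1 ] || { echo "FAIL $1: no password required on wake"; return 1; }
    # The password grace period extends the unattended window past idle time.
    window=$(( $2 + $4 ))
    if [ "$window" -le "$limit" ]; then
        echo "PASS $1: locks after ${window}s (limit ${limit}s)"
    else
        echo "FAIL $1: locks after ${window}s (limit ${limit}s)"; return 1
    fi
}

# Live audit: runs only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)
    for std in HIPAA PCI-DSS CIS ISO27002; do
        evaluate "$std" "${idle%.*}" "$ask" "${delay%.*}" || true
    done
fi
```

A missing key is reported as a failure rather than assumed compliant, so an unset password delay needs to be checked by hand.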

 
