2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled

Information

A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after the interval selected in the drop-down menu. 20 minutes or less is an acceptable value. Any value can be set through the command line or a script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.

Rationale:

Setting an inactivity interval for the screen saver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.

Impact:

If the screen saver is not set, users may leave the computer available for an unauthorized person to access information.

Solution

Graphical Method:
Perform the following steps to set the screen saver to activate in 20 minutes or less:

Open System Preferences

Select Desktop & Screen Saver

Select Screen Saver

Select an option for Start after that is 20 minutes or less (<=1200)

Terminal Method:
Run the following command to set an individual user's screen saver idle time to 20 minutes or less (<=1200):

$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int <value <=1200>

Example:

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 600

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.screensaver idleTime

600

Note: Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues.
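
The following audit script is an added example, not part of the benchmark text. It reads the per-user idleTime value written by the command above for each local account and flags values that are over the limit or not in the GUI menu. The function names, the --audit switch, the UID >= 500 cut-off and the treatment of 0 as a failure are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit com.apple.screensaver idleTime for each local user.

# classify_idle_time VALUE -> prints PASS, WARN, FAIL or UNSET
classify_idle_time() {
    value=$1
    # An empty string means the key could not be read for this user.
    if [ -z "$value" ]; then
        echo "UNSET"; return
    fi
    # Anything that is not a plain non-negative integer fails.
    case $value in
        *[!0-9]*) echo "FAIL"; return ;;
    esac
    # Assumption: 0 means the screen saver never starts, so it fails.
    if [ "$value" -eq 0 ] || [ "$value" -gt 1200 ]; then
        echo "FAIL"; return
    fi
    # Values offered by the GUI menu, per the note on this page.
    case $value in
        60|120|300|600|1200) echo "PASS" ;;
        *) echo "WARN" ;;   # within the limit but not a GUI menu value
    esac
}

# audit_users: check every local account with UID >= 500
# (assumed cut-off for human accounts). Run as root on macOS.
audit_users() {
    /usr/bin/dscl . -list /Users UniqueID | while read -r user uid; do
        [ "$uid" -ge 500 ] || continue
        value=$(/usr/bin/sudo -u "$user" /usr/bin/defaults -currentHost \
            read com.apple.screensaver idleTime 2>/dev/null </dev/null)
        printf '%s\t%s\t%s\n' "$user" "${value:-unset}" \
            "$(classify_idle_time "$value")"
    done
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_users
fi
```

UNSET is reported separately so that accounts with no stored value can be reviewed rather than silently passed or failed.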

Profile Method:

The PayloadType string is com.apple.screensaver

The key to include is idleTime

The key must be set to <integer><<=1200></integer>

Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

See Also

https://workbench.cisecurity.org/files/4176