Information
A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after an interval selected from a drop-down menu; 10 minutes and 20 minutes are both options, and either is acceptable. Any value can be set through the command line or a script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
Rationale:
Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.
Impact:
If the screensaver is not set users may leave the computer available for an unauthorized person to access information.
Solution
Perform the following to set the screen saver to activate in 20 minutes or less:
Graphical Method:
Open System Preferences
Select Desktop & Screen Saver
Select Screen Saver
Select an option for Start after that is 20 minutes or less (1200)
Terminal Method:
Run the following command to set the idle time of the screen saver to 20 minutes or less (1200 seconds):
$ sudo -u <username> defaults -currentHost write com.apple.screensaver idleTime -int <value ≤1200>
example:
$ sudo -u firstuser defaults -currentHost write com.apple.screensaver idleTime -int 600
If there are multiple users out of compliance with the prescribed setting, run this command for each user to set their idle time:
$ sudo -u <username> defaults -currentHost write com.apple.screensaver idleTime -int <value ≤1200>
example:
$ sudo -u seconduser defaults -currentHost write com.apple.screensaver idleTime -int 600
$ sudo -u seconduser defaults -currentHost read com.apple.screensaver idleTime
600
Issues arise if the command line is used to set a value other than one available in the GUI menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues.
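To find which accounts need the command above, the following added example (not part of the original benchmark text) reads each user's idleTime and classifies it against the 1200-second limit and the GUI menu values listed above. The function names, the UID >= 501 cutoff for regular accounts, and the treatment of 0 as "never start" are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit com.apple.screensaver idleTime for local users.

# classify_idle_time VALUE prints one of:
#   compliant  1..1200 seconds and selectable in the GUI menu
#   non-gui    1..1200 seconds but not one of the GUI menu values
#   too-long   greater than 1200 seconds
#   disabled   0, treated here as "never start" (assumption)
#   unset      empty or non-numeric: no per-user value has been written
classify_idle_time() {
    case "$1" in
        ''|*[!0-9]*) echo unset; return ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo disabled
    elif [ "$1" -gt 1200 ]; then
        echo too-long
    else
        case "$1" in
            60|120|300|600|1200) echo compliant ;;
            *) echo non-gui ;;
        esac
    fi
}

# audit_users prints "user<TAB>idleTime<TAB>status" for each regular account.
# Assumption: regular (non-system) accounts have a UniqueID of 501 or higher.
audit_users() {
    dscl . -list /Users UniqueID | while read -r user uid; do
        [ "$uid" -ge 501 ] || continue
        # Read the value as that user, the same way the remediation writes it.
        value=$(sudo -u "$user" defaults -currentHost read \
            com.apple.screensaver idleTime 2>/dev/null </dev/null)
        printf '%s\t%s\t%s\n' "$user" "${value:-none}" \
            "$(classify_idle_time "$value")"
    done
}

# Run the audit only where the macOS tools are present.
if command -v dscl >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    audit_users
fi
```

Any account reported as too-long, disabled or non-gui is a candidate for the per-user write command shown earlier; an unset account has no stored value and uses the default.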