2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPassword

Information

Sleep and screen saver modes are low power modes that reduce electrical consumption while the system is not in use.

Rationale:

Prompting for a password when waking from sleep or screen saver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence.

Impact:

Without a screen lock in place, anyone with physical access to the computer would be logged in and able to use the active user's session.

Solution

Graphical Method:
Perform the following steps to enable a password for unlock after a screen saver begins or after sleep:

Open System Preferences

Select Security & Privacy

Select General

Set Require password after sleep or screen saver begins with a time of immediately or 5 seconds

Terminal Method:
Run the following command to require a password to unlock the computer after the screen saver engages or the computer sleeps:

$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password <administrator password>

or

$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password <administrator password>

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.screensaver

The key to include is askForPassword

The key must be set to <true/>

The key to also include is askForPasswordDelay

The key must be set to <integer><0,5></integer> (an integer value of 0 or 5 seconds, matching the immediately or 5 seconds settings above)

See Also

https://workbench.cisecurity.org/files/4180