What process is running when a Mac's desktop is locked?

Question

What process is running when a Mac's desktop is locked?

In our environment (10.5.8 and 10.6.8 only) we have a security procedure to start a screen saver after 20 minutes of desktop inactivity and require a password to unlock the desktop via MCX. Our energy saver preferences, baked into our disk images, set the display to sleep after 45 minutes and security preferences to require a password immediately on wake.

A lot of maintanance tasks and installs/upgrades that require restarts are run after hours via Casper policy so as to not interrupt the end users workflow. In order to preserve any unsaved work that a user might have open, I do not force a restart but have the OS prompt for logout which will be canceled by any unsaved documents or running processes - since a logged in user will cause Casper to just sit and wait for them to OK the restart, regardless of the existence of unsaved work. However a locked desktop will block the logout prompt and cause Casper to sit and wait for the user to OK a restart anyway, which is counterintuitive to my goals, so I need a failsafe way to detect a locked screen and unlock it first so the logout prompt isn't blocked.

Essentially the workflow I am trying to accomplish is this:

1. Casper runs a script to unlock a locked screen

2. Casper installs packages, runs scripts, etc

3. Casper logs the user out gracefully via the OS

I know to search for the ScreenSaverEngine process via applescript to find if the computer has the screen saver running and then to use system events to unlock the desktop, but once the display goes to sleep after 45 minutes, the screenSaverEngine process is no longer running so the detection script I'm using will fail even though the desktop is actually locked since it's only looking for a screen saver.

What process takes over that requires the screen to be unlocked once the display goes to sleep? This is the code I have so far.

#!/bin/sh

## Applescript to check for system idle time and simulate user input to unlock the Mac, and bash to determine if the Mac is simply at the login screen. Applescript will fail if no user is logged in, so use bash first to determine if anyone is logged into the console. If so, use the osascript below, if not, exit.

loggedInUser=`who | grep console`

if ["$loggedInUser" == "" ]; then

exit

else

## The following is a multi-line Applescript to verify system idle time and unlock the screen if necessary, called from the shell via osascript. It reads all text between the <<ENDDetectUnlock and ENDDetectUnlock entries into osascript and executes them as Applescript commands.

osascript<<ENDDetectUnlock

set unlockAfter to 1202 -- The desktop is set to lock after 20 minutes of inactivity, however if the mouse is moved or keyboard pressed immediately after the screen saver starts, the Mac will NOT prompt for a password, so set the locked desktop check to 20 minutes and 2 seconds (1202 seconds)

tell application "System Events" to set screenSaverActive to (exists process "ScreenSaverEngine") -- the user may have their screen saver start before the system is idle for 20 minutes which will also lock the computer, so we need to check for this as well, since the system may not be idle for ~20.033 minutes yet

set idleTime to do shell script "echo $((`ioreg -c IOHIDSystem | sed -e '/HIDIdleTime/ !{ d' -e 't' -e '}' -e 's/.* = //g' -e 'q'` / 1000000000))" -- get the system idle time in seconds

if ((idleTime as integer) ≥ unlockAfter) or screenSaverActive then

tell application "System Events" -- if the system is idle for ~20.033 minutes or more OR the screen saver is active, unlock the screen by simulating the user pressing the space bar and unlocking the screen with their password (except we do it as the admin)

keystroke space

delay 1

keystroke tab

delay 1

keystroke "admin"

delay 1

keystroke tab

delay 1

keystroke "password"

delay 1

keystroke return

end tell

end if

ENDDetectUnlock

fi

My fallback is an asumption that since we are running these procedures after hours, ANY idle time will result in a locked screen, BUT since I am inputting text, my fear is that if the computer is idle less than 20 minutes, a user is logged in and has work open (even if it's saved), the text will then be written to whatever document is open, then work will be unsaved, Casper will wait, etc etc. Not to mention the fact that an administrative password will be written on their screen for them to copy, save, whatever.

TIA for any suggestions offered!

Andrew

Posted on Jan 6, 2012 7:25 AM

Reply

Answer 1

Jan 6, 2012 7:55 AM in response to Andrew Caldwell

A bit more info. In most cases, for a computer that has been idle for less than 20 minutes it can be safely assumed that the desktop is unlocked. However, there are cases where a screen locks, a user moves the mouse or presses a key and does not unlock the computer, then the ScreenSaverEngine stops running but the desktop is still locked AND the idle time is reset to 0 minutes. If the script runs during this period it will ail to detect the locked desktop and unlock it.

This is also the case if the display goes to sleep after being idle for 45 minutes and the computer is awakened but is not unlocked (Idle time is reset to zero but the computer is still locked). These are the two cases I am concerned with.

Reply

Answer 2

twtwtw

Level 5

4,948 points

Jan 6, 2012 9:23 AM in response to Andrew Caldwell

TMI. 😝 Plus, I think you may be overthinking.

This applescript will check if the screen saver is running:

tell application "System Events"

tell screen saver preferences

if running then

-- go to handler to unlock screen

end if

end tell

No need to mess with idle times.

Reply

Answer 3

Jan 6, 2012 12:29 PM in response to twtwtw

Sorry, I'm never sure how much information is enough, so I tend to over explain. Anyway, the reason I am concerned about Idle times is because after 45 minutes, the screen saver task is killed and then the computer is just asleep and locked, which is why I'm checking idle time greater than 20 minutes OR the screen saver process. This will handle about 95% of all the clients, but I'm concerned about the 5% that will have an idle time of less than 20 minutes, no screen saver, and a locked desktop.

Reply

Answer 4

twtwtw

Level 5

4,948 points

Jan 6, 2012 1:18 PM in response to Andrew Caldwell

No problem. 'Too much' is better then 'too litte', though we all prefer it be Goldilocksed, naturally...

Well, my advice to you is to work with the system rather than against it. there's an old hint from somewhere that you can wake a sleeping display by using system events to simulate a keystroke:

tell application "System Events" to key code 59 -- key code 59 is the control key

so my advice would be to stop trying to determine whether the display is awake and just send it a key-click (which will wake it if it's sleeping) and then proceed knowing the screen is awake.

However, a thought occured to me: if you just need to run some maintenance stuff, then why do you need to unlock the desktop at all? Your script should run perfectly fine without the display involved, so just send the logout command. if the user has unsaved files they will get a message in the morning that 'shurdown was canceled by...', but that's not the end of the world. or you could have the script save their files for them (though that's a but riskier)

Reply

Answer 5

Jan 7, 2012 9:30 AM in response to twtwtw

The same thought occurred to me, except I started seeing "failure" logs in JAMF the morning after we run maintenance policies. All of these failures were due to the Mac not restarting, which isn't really a failure - more of an inconvenience - since the second part of the policy (removing eTrust antivirus and restarting is part 1, installing SEP 12.1 and restarting is part 2) runs immediately on restart no matter what time of the day it is.

In some cases the macs did not restart because the user had unsaved work or something else that would cancel logout. In this case, Casper prompts the user to restart and waits until the OK button is clicked, then counts down 1 minute and restarts. In the other case, nothing would have prevented logout yet the computer still did not logout and then restart, leading me to believe that the reason the Mac did not log out was a locked desktop, and since I am telling System Events to simulate a gui log out, this would be blocked by a locked desktop.

The problem basically stems from the following two issues: 1. I am not to force a logout or restart when a console user is logged in and 2. Casper will not automatically log a console user out on it's own OR restart the computer if a console user is logged in - and then I have to rely on the end user to follow on screen instructions since the Casper restart prompt can be moved to the side and effectively ignored.

-------------

When no restarts are required for the various policies we run, this is not an issue. And anyway, I originally just wanted to know what process is running when a desktop is asleep and locked, but no screen saver is active...

Reply

Answer 6

twtwtw

Level 5

4,948 points

Jan 7, 2012 11:45 AM in response to Andrew Caldwell

Well, to your last question, when the display is asleep you're probably dealing with the security daemon - I think that would be the process watching for user input and throwing up the password dialog. But the security daemon's always going to be running regardless, so I'm not sure if that's helpful in any way.

Reply

Answer 7

Linc Davis

Level 10

209,739 points

Jan 7, 2012 1:07 PM in response to Andrew Caldwell

If you want to do maintenance, uninstall the worse-than-useless "anti-virus" crapware once and for all. That's maintenance.

Reply

Answer 8

Jan 7, 2012 2:17 PM in response to twtwtw

I was thinking securityd, but yeah that's always running... I guess I can assume that since these maintenance scripts and installs are running late enough at night that if the computer is idle, it will probably have been idle for well over 20 minutes. Like I said, about 5% of cases will involve the "screen locked but no screen saver is running and idle for less than 20 minutes" scenario, and just deal with those accordingly. Casper will perform the tasks of unlocking and logging out/restarting as expected on the vast majority of the macs. I guess it's my perfectionism getting in the way again...

Reply