
Disable Screen Saver Hot Corners

Disable macOS screen saver hot corners that let users bypass automatic screen lock with a cursor flick

Worklet Details

What the macOS hot corner disabler does

This Automox Worklet™ disables the four screen saver hot corners on macOS endpoints whenever they are configured to suspend the screen saver. macOS hot corners are user-level shortcuts stored in the Dock preferences. Each corner of the display maps to an action by writing a small integer to the wvous-tl-corner, wvous-tr-corner, wvous-bl-corner, or wvous-br-corner key inside com.apple.dock. The value 6 corresponds to the "Disable Screen Saver" action, which is the specific setting this Worklet targets.

The Worklet inspects every corner under the active console user, identifies any corner set to 6, writes the corner back to 0 with defaults write, and runs killall Dock so the change applies immediately. Corners configured for legitimate actions such as Mission Control, Launchpad, or Notes are left alone. Only the hot corner action that defeats the screen lock is removed, so user productivity shortcuts survive remediation.

Because evaluation reads the live com.apple.dock preferences on every Automox policy run, the Worklet keeps catching the same setting if a user re-enables it through System Settings. Remediation only rewrites corners currently set to value 6 and leaves every other corner untouched, so repeat runs are idempotent.

Why disable the screen lock bypass on Mac endpoints

A screen saver that engages on idle is one of the cheapest physical-security controls in a Mac environment, and a hot corner pinned to "Disable Screen Saver" silently removes it. A user who parks the cursor in that corner before walking away keeps the desktop unlocked indefinitely. The control mapped to CIS macOS Benchmark 2.x (Screen Saver) and the equivalent NIST 800-53 AC-11 (Session Lock) requirement is bypassed at the user-preference layer, with no audit trail beyond the Dock plist itself. PCI-DSS 8.2.8 and HIPAA 164.312(a)(2)(iii) both expect automatic locking after a defined idle period, and a hot corner set to value 6 quietly invalidates that expectation on the host.

A single user enabling "Disable Screen Saver" on a corner is invisible to MDM screen-saver profiles, which control timeout but not the wvous-*-corner override. This Worklet asserts the screen lock baseline continuously, so the next evaluation catches a corner reset to action 6 before an unattended Mac in a shared workspace is left unlocked.

How macOS hot corner remediation works

  1. Evaluation phase: The Worklet resolves the active console user by passing show State:/Users/ConsoleUser to scutil and filtering the result to exclude loginwindow. It then iterates the four corner keys (wvous-tl-corner, wvous-bl-corner, wvous-tr-corner, wvous-br-corner) under com.apple.dock, running sudo -u <consoleUser> defaults read com.apple.dock <key> and stripping the output to digits. The first corner that returns 6 (the "Disable Screen Saver" action) causes the script to print "Hot corner is enabled on this endpoint. Exiting for remediation." and exit 1, which queues remediation.

  2. Remediation phase: Remediation walks the same four corner keys. For each corner still set to 6, it runs sudo -u <consoleUser> defaults write com.apple.dock <key> -int 0 to reset that corner to "no action," then runs killall Dock to restart the Dock process so the new preferences load without a logout or reboot. The loop continues through the remaining corners, and the script exits once every offending corner is rewritten. The next evaluation reports compliance.
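
The two phases above, written out as an added example; this is not the Worklet's own script. The function names, the argument dispatch, and the choice to exit 0 when no console user is logged in are assumptions of this sketch.

```bash
#!/bin/bash
# Added example. Function names are assumptions of this sketch, not Automox's script.
CORNER_KEYS="wvous-tl-corner wvous-bl-corner wvous-tr-corner wvous-br-corner"
DISABLE_SCREEN_SAVER=6   # hot corner action that suspends the screen saver

# Active console user; prints nothing when only loginwindow owns the console.
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil |
        awk '/Name :/ && !/loginwindow/ { print $3 }'
}

# Thin wrappers around the macOS tools, kept separate so the logic is testable.
read_corner()  { sudo -u "$1" defaults read  com.apple.dock "$2" 2>/dev/null; }
write_corner() { sudo -u "$1" defaults write com.apple.dock "$2" -int "$3"; }
restart_dock() { killall Dock; }

# Print each corner key whose value is exactly 6 for user $1.
# Unset keys read as empty; a value such as 16 must not match.
offending_corners() (
    for key in $CORNER_KEYS; do
        value=$(read_corner "$1" "$key" | tr -cd '0-9')
        if [ "$value" = "$DISABLE_SCREEN_SAVER" ]; then echo "$key"; fi
    done
)

# Status 0 = compliant, 1 = at least one corner disables the screen saver.
evaluate() { [ -z "$(offending_corners "$1")" ]; }

# Reset only offending corners to 0 ("no action"). This sketch restarts the
# Dock once after all writes, and not at all when nothing changed.
remediate() (
    changed=0
    for key in $(offending_corners "$1"); do
        if write_corner "$1" "$key" 0; then changed=1; fi
    done
    if [ "$changed" -eq 1 ]; then restart_dock; fi
)

# Dispatch on the first argument; with no argument the file only defines functions.
case "${1:-}" in
    evaluate)
        user=$(console_user)
        [ -n "$user" ] || exit 0   # assumption: no console user means nothing to check
        evaluate "$user" || { echo "Hot corner is enabled on this endpoint. Exiting for remediation."; exit 1; } ;;
    remediate)
        user=$(console_user)
        [ -n "$user" ] || exit 0
        remediate "$user" ;;
esac
```

Comparing the digit-stripped value for exact equality with 6 keeps corners set to other actions out of scope, and a second remediation pass makes no writes and does not restart the Dock.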

Hot corner remediation requirements

  • macOS Big Sur (11), Monterey (12), or later, validated on both Apple Silicon (M-series) and Intel hardware

  • An interactive console user logged in at the time of the policy run; the script reads and writes preferences under that user's Dock domain using sudo -u

  • Automox agent installed with default privileges; root is required so sudo -u can target the console user's preferences

  • No modifier-key hot corner setup that the user wants to preserve at corner value 6; the Worklet rewrites any corner mapped to "Disable Screen Saver" regardless of the wvous-*-modifier flag

  • Network access is not required; the Worklet operates entirely on local preference files at /Users/<user>/Library/Preferences/com.apple.dock.plist

Expected hot corner state after remediation

After the remediation script finishes, every corner that was set to value 6 reads back as 0. Run defaults read com.apple.dock wvous-tl-corner (and the other three corners) from a Terminal session under the console user, and each command should print 0 or report the key as not set. The system-wide screen saver timeout configured in System Settings then governs lock behavior consistently, regardless of cursor position. Corners mapped to non-screen-saver actions (Mission Control = 2, Application Windows = 3, Desktop = 4, Notification Center = 12, Launchpad = 11, Quick Note = 14, Lock Screen = 13, Sleep Display = 10) are untouched.

For audit evidence, capture the Automox activity log for the policy and pair it with a defaults read com.apple.dock output. CIS macOS Benchmark auditors typically accept the policy run identifier plus a compliant evaluation result as proof that control 2.x (Screen Saver) remains in force. If a user re-enables "Disable Screen Saver" on a corner through System Settings, the next Automox evaluation reads action 6 in the affected wvous-*-corner key and remediation rewrites the corner to 0 within the same policy run.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
