
macOS - Security - Enforce Lock Screen on Inactivity

Enforce automatic lock screen on macOS endpoints after a specified period of user inactivity

Worklet Details

What the macOS lock screen inactivity enforcer does

This Automox Worklet™ enforces automatic lock screen activation on macOS endpoints after a specified period of user inactivity. The Worklet creates an idle timer service that continuously monitors user activity and triggers the screensaver when idle time exceeds the configured threshold.

The Worklet deploys two components to each endpoint: a bash script that measures idle time using macOS system calls and a launch daemon that runs this script at regular intervals. The default inactivity timeout is 900 seconds (15 minutes), but you can adjust this parameter to match your organization's security policies.


Why enforce inactivity-based lock screens on macOS

Unattended endpoints pose a significant security risk. Users who step away from their desks without locking their screens expose sensitive data, email accounts, and applications to potential unauthorized access. Automated lock screen enforcement eliminates this human factor and maintains consistent protection across your fleet.

This Worklet helps you meet regulatory compliance requirements such as HIPAA, PCI-DSS, and SOC 2, which mandate automatic session termination after idle periods. By automating this enforcement, you reduce your organization's exposure to data breaches while improving security hygiene across all endpoints.

How macOS inactivity-based lock enforcement works

  1. Evaluation phase: The Worklet checks if the idle timer service exists and whether the configured inactivity timeout matches the desired value. It verifies both the idle_timer.sh script in /Library/Application Support/Automox/ and the launch daemon configuration in /Library/LaunchDaemons/. If any component is missing or misconfigured, the Worklet flags the endpoint for remediation.

  2. Remediation phase: The Worklet creates the idle timer bash script, which uses ioreg to measure idle time and launches the screensaver when the threshold is exceeded. It then creates the com.idletimer.axtask.plist launch daemon configuration file, which runs the idle timer script at regular intervals (default 120 seconds). The launch daemon is loaded and scheduled to start immediately, so the idle timer service remains active across restarts.
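
An added sketch of the measurement and evaluation logic described in the two phases above (not Automox's Worklet code): it converts the HIDIdleTime value that ioreg reports into seconds, compares it with the threshold, and checks a deployed script for threshold drift. The function names, the sample ioreg line, and the assumption that the deployed script stores the threshold as a desired_logout_seconds=<integer> line are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the Worklet's own code. Function names and the sample
# line are constructed; desired_logout_seconds and ioreg come from the page.

desired_logout_seconds=900   # page default: 900 seconds (15 minutes)

# Constructed sample of the relevant line from `ioreg -c IOHIDSystem`.
# HIDIdleTime is reported in nanoseconds; this is about 905 s of inactivity.
SAMPLE_IOREG='    | |   "HIDIdleTime" = 905123456789'

# Read ioreg output on stdin and print whole idle seconds.
# Exits non-zero when no HIDIdleTime property is present.
idle_seconds_from_ioreg() {
  awk '/"HIDIdleTime"/ { printf "%d\n", $NF / 1000000000; found = 1; exit }
       END { if (!found) exit 1 }'
}

# 0 = lock due, 1 = below threshold, 2 = unusable input. Callers should not
# read 2 as "user is active".
should_lock() {
  case "$1" in ''|*[!0-9]*) return 2 ;; esac
  case "$2" in ''|*[!0-9]*) return 2 ;; esac
  [ "$1" -ge "$2" ]
}

# Evaluation-style drift check: does the threshold stored in a deployed
# script ($1) equal the desired value ($2)? Assumes the script contains a
# line of the form desired_logout_seconds=<integer>.
timeout_matches() {
  _found=$(sed -n 's/^desired_logout_seconds=\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
  [ -n "$_found" ] && [ "$_found" -eq "$2" ]
}

# Live measurement, only where ioreg exists (macOS).
if command -v ioreg >/dev/null 2>&1; then
  idle=$(ioreg -c IOHIDSystem | idle_seconds_from_ioreg) || idle=""
  rc=0; should_lock "$idle" "$desired_logout_seconds" || rc=$?
  case $rc in
    0) echo "lock due: idle ${idle}s >= ${desired_logout_seconds}s" ;;
    1) echo "below threshold: idle ${idle}s" ;;
    *) echo "idle time unreadable: treat as non-compliant" >&2 ;;
  esac
fi
```

Because the check is polled (every 120 seconds by default), the screensaver can start up to one interval after the threshold is crossed, which matters when a policy states a hard maximum idle time.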

macOS inactivity lock requirements

  • macOS 10.12 (Sierra) or later

  • Endpoint must support the ioreg command for idle time monitoring

  • Write access to /Library/Application Support/Automox/ and /Library/LaunchDaemons/ directories

  • Root or administrator privileges to load launch daemons

  • Customize the desired_logout_seconds variable to override the default 900-second timeout

Expected macOS screen lock behavior

After the Worklet runs successfully, each macOS endpoint will automatically activate the screensaver and lock the screen whenever a user is inactive for the configured duration. The idle timer service remains active across user sessions and system restarts, providing continuous protection even after reboots. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

Users will see the screensaver engage after the idle period elapses. Upon returning, they must enter their credentials to unlock the screen and regain access. This automatic behavior eliminates the need for users to manually enable screen locking and ensures that no endpoint remains unattended and unprotected.

How to validate the Enforce Lock Screen on Inactivity changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for Enforce Lock Screen on Inactivity.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

  4. Validate remediation effects from script operations such as function, cat, open, then rerun evaluation for compliance.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
