Enforce macOS screen saver idle time, module, and image source across endpoints from a central policy
This Automox Worklet™ enforces a screen saver configuration baseline on macOS endpoints. The Worklet identifies the logged-in console user, stages an approved image set under that user's Pictures/Backgrounds directory, and writes the screen saver settings into the com.apple.screensaver, com.apple.ScreenSaverPhotoChooser, and com.apple.ScreenSaver.iLifeSlideShows preference domains using the defaults command. The evaluation script always flags the endpoint as non-compliant, so remediation runs on every policy execution to guarantee the baseline stays in place.
The remediation script uses scutil to read State:/Users/ConsoleUser and resolves the active console account, then runs sudo -u <user> defaults -currentHost write against each preference key. Screen saver keys written include moduleDict (pointing at the iLifeSlideshows.appex module under /System/Library/Frameworks/ScreenSaver.framework/PlugIns), idleTime (default 600 seconds), showClock, PrefsVersion, CleanExit, and tokenRemovalAction. The photo chooser receives SelectedSource and SelectedFolderPath so the slideshow draws from the staged Backgrounds folder, and styleKey writes the slideshow style (default Classic).
The Worklet ships approved images as a zip uploaded to the policy (default file name backgrounds.zip, configurable via the zipName variable). On run, the script unzips into /tmp and runs rsync -a --delete into the user's Backgrounds directory to mirror the source set. It then applies chown to the console user, sets 755 permissions, and cleans up the /tmp staging and any macOS __MACOSX metadata folder. JPEG and PNG are both supported.
The CIS macOS Benchmark control family 2.5 (Screen Lock) calls for the screen saver to start after no more than 1,200 seconds of inactivity. Companion settings for askForPassword and askForPasswordDelay engage the lock screen once the screen saver activates. Endpoints that ship with the OS defaults rarely match the policy you wrote down, and the value drifts again whenever a user changes it in System Settings, a new build is installed, or a profile is restored through Migration Assistant.
The com.apple.screensaver keys are per-host: they live in the user's ~/Library/Preferences/ByHost/ plist, which is why every read and write must pass -currentHost and run as that user rather than as root. A System Settings change in Lock Screen rewrites idleTime immediately, a new user account starts at the OS default of 1,200 seconds, and a Migration Assistant import from a personal Mac can bring a long idle window along with the rest of the profile. Because the evaluation script always returns non-compliant, each policy run writes the configured idleTime, module path, and slideshow source back to the correct values. Pair this Worklet with a companion policy that writes askForPassword=1 and a short askForPasswordDelay so the screen saver becomes a full lock screen rather than a decorative timeout.
Evaluation phase: The evaluation script exits with code 1 on every run, marking the endpoint as non-compliant unconditionally. This guarantees the remediation script runs at every policy execution and the baseline is always reapplied, regardless of the current preference state on the endpoint. The trade-off is that the policy's compliance status never reflects the endpoint's actual state, so a drifted endpoint and a compliant one look identical in reporting, and the unzip, rsync, and preference writes run on every schedule whether or not anything changed.
Remediation phase: The remediation script resolves the console user with scutil and creates Pictures/Backgrounds if missing. It unzips backgrounds.zip into /tmp, runs rsync -a --delete into the user directory, and applies chown and chmod 755. The script then iterates the screenArray and writes moduleDict, idleTime, showClock, PrefsVersion, CleanExit, and tokenRemovalAction to com.apple.screensaver. It iterates the photoArray to write SelectedSource and SelectedFolderPath to com.apple.ScreenSaverPhotoChooser, then writes styleKey to com.apple.ScreenSaver.iLifeSlideShows. The /tmp staging and __MACOSX metadata folder are removed at the end of the run.
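The remediation flow above, written out as an added example with the checks a practitioner would add. This is not the Worklet's own remediation.sh: the key names, the module path, and the idleTime, slideShow and zipName defaults come from the page, while the values marked "assumed" in the comments (showClock, PrefsVersion, CleanExit, tokenRemovalAction, SelectedSource) and the -dict argument form for moduleDict are placeholders to confirm on a reference Mac before rollout. It stages into a fresh mktemp directory instead of a fixed path under /tmp, refuses to run with nobody at the console, rejects an out-of-range idleTime, and keeps symlinks from being mirrored into the user's home directory.

```bash
#!/bin/bash
# Added example, not the Worklet's remediation.sh. Resolves the console user, stages
# the approved images, mirrors them into ~/Pictures/Backgrounds and writes the three
# preference domains the page lists. POSIX sh syntax so it runs under sh or bash.
set -eu

idleTime="${idleTime:-600}"             # seconds (page default)
slideShow="${slideShow:-Classic}"       # styleKey value (page default)
zipName="${zipName:-backgrounds.zip}"   # archive attached to the policy (page default)
modulePath="/System/Library/Frameworks/ScreenSaver.framework/PlugIns/iLifeSlideshows.appex"

# Parse the output of `echo "show State:/Users/ConsoleUser" | scutil` (read on stdin) and
# print the console user's short name. Prints nothing when nobody is logged in (scutil
# reports "loginwindow" at the login window) or when root owns the console.
console_user_from_scutil() {
  awk '$1 == "Name" && $2 == ":" { print $3 }' | grep -Ev '^(loginwindow|root)$' || true
}

# Accept only a positive integer no larger than the 1200-second ceiling the page cites.
valid_idle_time() {
  case "${1:-}" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 1200 ]
}

# Run `defaults -currentHost` as the console user so the write lands in that user's
# ByHost plist rather than root's.
user_defaults() {
  u="$1"; shift
  sudo -u "$u" defaults -currentHost "$@"
}

remediate() {
  user="$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)"
  [ -n "$user" ] || { echo "no console user logged in; nothing to do" >&2; return 1; }
  valid_idle_time "$idleTime" || { echo "idleTime '$idleTime' is not in 1..1200" >&2; return 1; }
  [ -f "$zipName" ] || { echo "archive $zipName not found" >&2; return 1; }

  # Resolve the home directory instead of assuming /Users/<name> (relocated or network homes).
  home="$(dscl . -read "/Users/$user" NFSHomeDirectory | awk '{ print $2 }')"
  dest="$home/Pictures/Backgrounds"

  # Stage in a fresh root-owned directory with an unpredictable name rather than a fixed
  # path under the world-writable /tmp, and remove it however the script exits.
  stage="$(mktemp -d "${TMPDIR:-/tmp}/bgstage.XXXXXX")"
  trap 'rm -rf "$stage"' EXIT
  unzip -q -o "$zipName" -d "$stage"
  rm -rf "$stage/__MACOSX"          # metadata folder Finder's Compress adds to the archive

  # Mirror the staged set (--delete drops anything the user added to the folder); --no-links
  # keeps a symlink packed into the archive from being planted in the user's home directory.
  mkdir -p "$dest"
  rsync -a --no-links --delete --exclude '.DS_Store' "$stage/" "$dest/"
  chown -R "$user" "$dest"
  chmod 755 "$dest"                               # the page's mode for the directory
  find "$dest" -type f -exec chmod 644 '{}' +     # image files need no execute bit

  # com.apple.screensaver: module, idle window and the housekeeping keys the page lists.
  user_defaults "$user" write com.apple.screensaver moduleDict \
    -dict moduleName iLifeSlideshows path "$modulePath" type 0   # argument form assumed
  user_defaults "$user" write com.apple.screensaver idleTime -int "$idleTime"
  user_defaults "$user" write com.apple.screensaver showClock -bool false      # value assumed
  user_defaults "$user" write com.apple.screensaver PrefsVersion -int 100      # value assumed
  user_defaults "$user" write com.apple.screensaver CleanExit -string YES      # value assumed
  user_defaults "$user" write com.apple.screensaver tokenRemovalAction -int 0  # value assumed

  # Photo chooser: point the slideshow at the mirrored folder. SelectedSource 4 is assumed
  # to select a custom folder; confirm on a reference Mac.
  user_defaults "$user" write com.apple.ScreenSaverPhotoChooser SelectedSource -int 4
  user_defaults "$user" write com.apple.ScreenSaverPhotoChooser SelectedFolderPath -string "$dest"
  user_defaults "$user" write com.apple.ScreenSaver.iLifeSlideShows styleKey -string "$slideShow"
  echo "baseline applied for $user (idleTime=$idleTime, source=$dest, style=$slideShow)"
}

# Only run the flow where the macOS tools exist and we are root; the helpers above are
# plain shell and can be exercised anywhere.
if command -v scutil >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  remediate
fi
```

Run it as root from the policy with the archive in the working directory; idleTime, slideShow and zipName can be overridden from the environment. Note that `rsync --delete` is a deliberate mirror: anything a user drops into Backgrounds between runs is removed, which is the behaviour the page describes.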
macOS 10.14 (Mojave) or later, validated through Catalina, Big Sur, and Monterey on Intel and Apple Silicon endpoints
A zip archive of JPEG or PNG images attached to the policy; the default name is backgrounds.zip and can be overridden via the zipName variable in remediation.sh
An active console user at execution time; the script relies on scutil show State:/Users/ConsoleUser to resolve the account and runs defaults -currentHost via sudo -u <consoleUser>. With nobody logged in, scutil reports loginwindow as the console user and there is no user context to write to.
The idleTime variable in remediation.sh, set in seconds (default 600); for CIS macOS Benchmark 2.5.1 alignment set idleTime to 1200 or less
The slideShow variable in remediation.sh, written to styleKey under com.apple.ScreenSaver.iLifeSlideShows (default Classic; other valid values include KenBurns, ScrapBook, and Origami)
Root execution context for the Automox agent so the script can write to user-level defaults via sudo -u and apply ownership on the Backgrounds directory
A companion policy that writes askForPassword=1 and a short askForPasswordDelay to com.apple.screensaver if you need full CIS 2.5 lock screen compliance, since this Worklet covers the screen saver activation half of the control family
After a successful run, /Users/<consoleUser>/Pictures/Backgrounds contains the approved image set owned by the console user with 0755 permissions, and the screen saver activates after the configured idleTime. The iLifeSlideshows module renders the staged folder using the selected styleKey, and System Settings → Screen Saver shows Photos as the source with the Backgrounds folder selected. The /tmp working directory and __MACOSX metadata folder are removed at the end of the run, so no staging files persist on the endpoint.
Verify by running defaults -currentHost read com.apple.screensaver idleTime as the console user and confirming the returned integer matches the configured value. Run defaults -currentHost read com.apple.ScreenSaverPhotoChooser SelectedFolderPath to confirm the image source resolves to the Backgrounds directory, and defaults -currentHost read com.apple.ScreenSaver.iLifeSlideShows styleKey to confirm the slideshow style. Run these reads as the console user (sudo -u <consoleUser>), because a -currentHost read as root returns root's ByHost plist, not the user's. Because the evaluation script always returns non-compliant, each subsequent policy run rewrites the preferences, so if a user changes the screen saver source through System Settings, the next scheduled run restores the baseline automatically.
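The verification reads above can also drive a real evaluation. As an added example (not the Worklet's evaluation.sh, which exits 1 unconditionally), the script below reads the three keys as the console user and exits 1 only when one has drifted, so the Automox compliance view reflects the endpoint's actual state and remediation runs only when needed. It assumes the page's defaults (idleTime 600, styleKey Classic) and the ~/Pictures/Backgrounds path; a shorter idle window than the policy value is accepted as the stricter setting, while 0 (screen saver disabled) is not.

```bash
#!/bin/bash
# Added example, not the Worklet's evaluation.sh: exit 0 when the baseline is in place,
# 1 when any key has drifted or cannot be read. POSIX sh syntax.
set -eu

idleTime="${idleTime:-600}"        # policy value (page default)
slideShow="${slideShow:-Classic}"  # policy value (page default)

# Read one key as the console user; print "<unset>" when the key or domain is missing
# (defaults reports that on stderr with a non-zero exit) so every comparison sees a value.
read_pref() {
  sudo -u "$1" defaults -currentHost read "$2" "$3" 2>/dev/null || echo "<unset>"
}

# Compare observed values with the baseline. Arguments: observed idleTime, observed
# SelectedFolderPath, observed styleKey, expected folder. Returns 0 when compliant;
# otherwise prints one line per drifted key and returns 1.
check_baseline() {
  got_idle="$1"; got_folder="$2"; got_style="$3"; want_folder="$4"
  drift=0
  case "$got_idle" in
    ''|*[!0-9]*) echo "idleTime: '$got_idle' is not an integer"; drift=1 ;;
    *) if [ "$got_idle" -lt 1 ] || [ "$got_idle" -gt "$idleTime" ]; then
         echo "idleTime: $got_idle (want 1..$idleTime)"; drift=1
       fi ;;
  esac
  [ "$got_folder" = "$want_folder" ] || { echo "SelectedFolderPath: '$got_folder' (want $want_folder)"; drift=1; }
  [ "$got_style" = "$slideShow" ] || { echo "styleKey: '$got_style' (want $slideShow)"; drift=1; }
  return "$drift"
}

evaluate() {
  user="$(echo "show State:/Users/ConsoleUser" | scutil | awk '$1 == "Name" && $2 == ":" { print $3 }')"
  # Without a console user there is no ByHost plist to judge; report non-compliant so the
  # run is visible, knowing remediation will itself bail out until someone logs in.
  case "$user" in ''|loginwindow|root) echo "no console user; cannot evaluate" >&2; return 1 ;; esac
  home="$(dscl . -read "/Users/$user" NFSHomeDirectory | awk '{ print $2 }')"
  check_baseline \
    "$(read_pref "$user" com.apple.screensaver idleTime)" \
    "$(read_pref "$user" com.apple.ScreenSaverPhotoChooser SelectedFolderPath)" \
    "$(read_pref "$user" com.apple.ScreenSaver.iLifeSlideShows styleKey)" \
    "$home/Pictures/Backgrounds"
}

# Only perform the reads where the macOS tools exist and we are root; check_baseline is
# plain shell and can be exercised anywhere.
if command -v scutil >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  evaluate   # exit status 0 = compliant, 1 = remediation needed
fi
```

Dropping this in as the evaluation script gives back the audit signal the always-fail script throws away, at the cost that a user who changes a key the check does not cover (for example showClock) is not pulled back until the next scheduled remediation; extend check_baseline with any key you consider part of the baseline.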