Help your users have successful presentations with a Self Service policy which temporarily extends screensaver password timeouts, computer sleep options and automatic policy executions, then automatically restores approved security settings after a configurable duration.
- Genesis
- Overview
- Setup and Configuration
- Automatic Policy Execution Scope
- End Notes
Some time ago, one of our C-level leaders — who wisely prefers macOS — was presenting to a group of other C-level leaders (most of whom use a different operating system).
The PDF-only presentation was going well and a particular page sparked a discussion; a discussion which lasted more than 15 minutes.
We all know what happens when a MacBook Air running on battery power sits idle for more than 15 minutes (especially a MacBook Air which has a battery-saving Configuration Profile installed):
- Put the display to sleep after: 15 minutes
- Require password immediately after sleep or screen saver begins
As the discussion concluded and our C-level leader woke up his Mac to resume his PDF-only presentation, his Mac greeted him with a login prompt, a login prompt which required multiple attempts to complete, all while projecting in front of the group of other C-level leaders.
Thus was Presentation Mode born.
Presentation Mode leverages the Jamf Pro API to switch between one of two Configuration Profiles:
- Security & Privacy: Security-approved settings for screensaver password timeouts, computer sleep options, etc.
- Presentation Mode: Security-approved relaxed settings for screensaver password timeouts, computer sleep options, etc.
Using lessons learned from Your Internal Beta Test Program: Opt-in / Opt-out via Self Service, a Presentation Mode 2 Pop-up Menu Extension Attribute includes two options:
- Disabled
- Enabled
Two Smart Groups — Presentation Mode 2: Enabled and Presentation Mode 2: Disabled — are used to scope the Configuration Profiles:
- Security & Privacy is scoped to Presentation Mode 2: Disabled
- Presentation Mode is scoped to Presentation Mode 2: Enabled
A LaunchDaemon created just-in-time executes a Jamf Pro policy via a Custom Event after a configurable duration to disable Presentation Mode and restore standard security-approved settings.
Create a Jamf Pro Standard Account …
- Username: apiPresentationMode2
- Access Level: Full Access
- Privilege Set: Custom
… with the following privileges:
Jamf Pro Server Objects | Create | Read | Update | Delete |
---|---|---|---|---|
Computer Extension Attributes | √ | √ | ||
Computers | √ | √ | ||
User Extension Attributes | √ | √ | ||
Users | √ | √ |
Create the Presentation Mode 2 Extension Attribute with the following settings:
- Data Type: String
- Input Type: Pop-up Menu
- Pop-up Menu Choice: Disabled
- Pop-up Menu Choice: Enabled
Create two Smart Groups using the following criteria:
Presentation Mode 2: Disabled
- Presentation Mode 2 is Disabled
- or Presentation Mode 2 is {blank}
Presentation Mode 2: Enabled
- Presentation Mode 2 is Enabled
Security & Privacy: Security-approved settings for screensaver password timeouts, computer sleep options, etc., scoped to Presentation Mode 2: Disabled.
- Restrictions
- Login Window
- Security and Privacy
- Energy Saver
Presentation Mode: Security-approved relaxed settings for screensaver password timeouts, computer sleep options, etc., scoped to Presentation Mode 2: Enabled. (Most frequently created from a clone of the Security & Privacy Configuration Profile.)
- Restrictions
- Login Window
- Security and Privacy
- Energy Saver
Customize the plistDomain variable and add the following Parameter Labels to the Delayed Policy Trigger Create.bash script:
- Parameter 4: Unique Daemon Label
- Parameter 5: Jamf Pro policy trigger name
- Parameter 6: Interval (in minutes)
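The just-in-time LaunchDaemon described in the Overview, built from Parameters 4 to 6 above, could be rendered as follows. This is an added example, not the Delayed Policy Trigger Create.bash script itself; the com.example domain, the 240-minute ceiling, the function names and the use of StartInterval are assumptions.

```shell
#!/bin/sh
# Added example: renders the just-in-time LaunchDaemon from Parameters 4-6.
plistDomain="com.example"   # placeholder; the page says to customize this
MAX_MINUTES=240             # assumed ceiling for the relaxed-settings window

# Allow only characters that are safe in a file name and in plist XML.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Whole minutes, no leading zero (avoids octal), between 1 and MAX_MINUTES.
valid_minutes() {
  case "$1" in
    ''|0*|*[!0-9]*|????*) return 1 ;;
  esac
  [ "$1" -le "$MAX_MINUTES" ]
}

# render_daemon LABEL TRIGGER MINUTES OUTDIR -> prints the plist path
render_daemon() {
  valid_name "$1" && valid_name "$2" && valid_minutes "$3" || return 1
  plist="$4/${plistDomain}.$1.plist"
  ( umask 022   # launchd refuses plists writable by group or others
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>${plistDomain}.$1</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/jamf</string>
    <string>policy</string>
    <string>-event</string>
    <string>$2</string>
  </array>
  <key>StartInterval</key>
  <integer>$(( $3 * 60 ))</integer>
</dict>
</plist>
EOF
  ) || return 1
  printf '%s\n' "$plist"
}
# On a Mac: OUTDIR is /Library/LaunchDaemons, the file is owned by root:wheel,
# and "launchctl bootstrap system <plist>" loads it.
```

Because the daemon runs as root, the label and trigger are checked against an allow-list of characters before they reach the plist, and the interval is bounded so the relaxed settings cannot persist indefinitely.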
Customize the plistDomain variable and add the following Parameter Label to the Delayed Policy Trigger Disable.bash script:
- Parameter 4: Unique Daemon Label
Add the following Parameter Label to the Display Message JAMF binary.bash script:
- Parameter 4: Text of end-user message
Generate Encrypted Script Parameters for the encrypted API account password and update the following variables in the Extension Attribute Update.sh script:
- apiURL
- Salt
- Passphrase
I add the following snippet to the bottom of EncryptedStrings_Bash.sh so the values will be output to Terminal when called via: ./EncryptedStrings_Bash.sh 'Purple Monkey Dishwasher'

```bash
# Output to Terminal
args=("$@")
password="${args[0]}"
GenerateEncryptedString "${password}"
```
Add the following Parameter Labels to the Extension Attribute Update.sh script:
- Parameter 4: API Username (Read / Write)
- Parameter 5: API Encrypted Password (Read / Write)
- Parameter 6: EA Name (i.e., "Presentation Mode 2")
- Parameter 7: EA Value (i.e., "Enabled" or "None")
The following provides an overview of both policies:
- General
  - Display Name: Presentation Mode Enable (2.0.0)
  - Execution Frequency: Ongoing
  - Trigger: Self Service
- Scripts
  - Delayed Policy Trigger Create
    - Unique Daemon Label: presentationMode2
    - Jamf Pro policy trigger name: presentationMode2
    - Interval (in minutes): 75
  - Extension Attribute Update
    - API Username (Read / Write): apiPresentationMode2
    - API Encrypted Password (Read / Write): See Encrypted Script Parameters
    - EA Name (i.e., "Presentation Mode 2"): Presentation Mode 2
    - EA Value (i.e., "Enabled" or "None"): Enabled
  - Display Message: JAMF binary
    - Text of end-user message: Presentation Mode has been enabled for 75 minutes; screen saver idle time has been set to two hours.
- Targets: All Managed Clients
- Limitations: None
- Exclusions: Presentation Mode 2: Enabled
- Make the policy available in Self Service: Enabled
- Self Service Display Name: Presentation Mode (2.0.0)
- Description: Click Enable to temporarily set the screensaver idle time to two hours. After 75 minutes, Presentation Mode will be automatically disabled and the screensaver settings will be restored to IT Security standards.
- General
  - Display Name: Presentation Mode Disable (2.0.0)
  - Trigger
    - Custom: presentationMode2
  - Execution Frequency: Ongoing
- Scripts
  - Delayed Policy Trigger Disable
    - Unique Daemon Label: presentationMode2
  - Extension Attribute Update
    - API Username (Read / Write): apiPresentationMode2
    - API Encrypted Password (Read / Write): See Encrypted Script Parameters
    - EA Name (i.e., "Presentation Mode 2"): Presentation Mode 2
    - EA Value (i.e., "Enabled" or "None"): Disabled
  - Display Message: JAMF binary
    - Text of end-user message: Presentation Mode has ended. The screensaver timeout is again set to the IT standards. If additional time is required, please return to the Workforce App Store and re-enable Presentation Mode.
- Targets: Presentation Mode 2: Enabled
- Complete Message: Presentation Mode has been disabled.
Add the Presentation Mode 2: Enabled Smart Group as an Exclusion for automatic Patch Policies and any Ongoing, Recurring Check-in Policies which could interrupt users' presentations (i.e., operating system update policies, etc.).