Enforce Screen Locking

Use the Enforce screen locking group policy to control the screen lock enforcement and the timee out value for all users logging on to a computer or for individual users. Select the Computer Configuration > Delinea Settings > Linux Settings > Enforce screen locking group policy to configure computer-based screen locking. Select the User Configuration > Delinea Settings > Linux Settings > Enforce screen locking group policy to configure user-based screen locking.

Both Enforce screen locking group policies are defined in the centrify_unix_settings.xml administrative template. The mechanism used to control screen locking is specific to Linux-based computers, however, so the policies are listed under the Linux Settings category.

The most common way to handle screen locking on Linux computers is through the xscreensaver program. Although the xscreensaver program has a default configuration file, this centralized configuration file is automatically overridden if users have a local .xscreensaver file in their home directory. To enforce a centralized screen locking policy, this group policy creates a directory in the user’s home directory that is owned by root and places a file that is also owned by root in this directory, so that the file cannot be removed by the user. When the xscreensaver program tests to see if there is a regular file in the user’s home directory and does not find it, it uses the system configuration file.

If the user home directory is NFS-mounted, with the root-squash option set, this policy will not work as intended because the group policy (running as root) cannot create the un-deletable $HOME/.xscreensaver directory. As a workaround, the user may manually create the .xscreensaver directory with a umask of 0700 in the user home directory on the NFS server to prevent the user from changing .xscreensaver.

If you select Enabled for this group policy as a computer configuration policy, you can make the policy the default screen locking behavior for all users of the computer and set the default number of minutes to wait before locking the screen, but users are free to override the default.

To enforce this policy for individual users, you should enable the screen locking policy as a user configuration policy. However, enabling the user configuration screen locking group policy prevents users from changing their screen locking parameters.