So, I was complaining earlier about what looked like a severe oversight on Apple’s part about a simple, trivial enterprise change that needed to be made.
Happy to say that the problem has been identified, tested, and resolved. I sure enjoyed spending the day poking around in the deep, dark, seedy underbelly of OS X…
Read this first as it has background on the problem.
Don’t edit the “Screen Saver ByHost” object (com.apple.screensaver.ByHost). Instead, you’ll edit the “Screen Saver Loginwindow” object (com.apple.screensaver).
I now have these three items under “Always”:
- Login Window Idle Time, integer, 300
- Login Window Screen Saver Module Path, string, /System/Library/Screen Saver/Flurry.saver
- Require Password, integer, 1
How to force users to enter a password on managed OS X 10.6 after screen saver or sleep.
Sure enough, after logging out and back in on that machine, I get this in the user’s view of System Preferences:
Yes, indeed. That’s what we want. “Require password… after sleep or screen saver begins” is checked as it should be and the user is not allowed to change it.
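As an added example (not part of the original post), this Python script audits exported managed-preference plists for the setup described above and flags values that sit only in the ByHost domain. The key names `askForPassword`, `loginWindowIdleTime` and `loginWindowModulePath` are assumed to be the keys behind the three Workgroup Manager labels, and the sample plists are constructed.

```python
import plistlib

GOOD_DOMAIN = "com.apple.screensaver"            # "Screen Saver Loginwindow"
BYHOST_DOMAIN = "com.apple.screensaver.ByHost"   # the object NOT to edit

# Assumed key names for the three "Always" items, with the type and value
# the post lists for each.
EXPECTED = {
    "askForPassword": (int, 1),                  # Require Password
    "loginWindowIdleTime": (int, 300),           # Login Window Idle Time
    "loginWindowModulePath": (str, "/System/Library/Screen Saver/Flurry.saver"),
}

def audit(managed):
    """managed maps a preference domain to raw plist bytes.
    Returns a list of findings; an empty list means the setup matches."""
    prefs = {domain: plistlib.loads(raw) for domain, raw in managed.items()}
    good = prefs.get(GOOD_DOMAIN, {})
    byhost = prefs.get(BYHOST_DOMAIN, {})
    findings = []
    for key, (typ, want) in EXPECTED.items():
        if key in good:
            val = good[key]
            # bool is a subclass of int in Python, so reject it explicitly:
            # the post lists these values as integers, not booleans.
            if isinstance(val, bool) or not isinstance(val, typ):
                findings.append(f"{key}: type {type(val).__name__}, "
                                f"expected {typ.__name__}")
            elif val != want:
                findings.append(f"{key}: {val!r}, expected {want!r}")
        elif key in byhost:
            findings.append(f"{key}: set only in {BYHOST_DOMAIN}; "
                            f"move to {GOOD_DOMAIN}")
        else:
            findings.append(f"{key}: not managed")
    return findings

# Constructed samples: the original mistake and the corrected setup.
SAMPLE_BYHOST_ONLY = {BYHOST_DOMAIN: plistlib.dumps({"askForPassword": 1})}
SAMPLE_FIXED = {GOOD_DOMAIN: plistlib.dumps(
    {key: want for key, (_, want) in EXPECTED.items()})}

if __name__ == "__main__":
    for name, sample in (("ByHost only", SAMPLE_BYHOST_ONLY),
                         ("fixed", SAMPLE_FIXED)):
        print(name, "->", audit(sample) or "OK")
```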
What kept throwing me — and what I dismissed because of association — was that all the other attributes said, “Login Window…” So I kept thinking, “Oh, the main login window. That’s not what I want,” when instead I should have been thinking, “All login windows.” When they say “login window”, consider that the act of unlocking a computer after sleep or screen saver is, in fact, done through a login window.
I’ve heard there are some other people out there who’ve run into the same kind of thing on their 10.6 managed networks. If so, I hope this resolves the problem for you.
Next on the To Do list: figure out how to prevent the user from changing the screen saver idle time from the value we set.