Welcome to the MacNN Forums.


How do I modify 10.9 Mavericks Screen Saver Authentication
Matt OS X
Mac Elite
Join Date: Aug 2003
Dec 11, 2013, 09:08 AM
 
I need your help to unlock 10.9 Mavericks Screen Saver Authentication. In previous versions of Mac OS X, it was possible to enter the name of any local administrator account credentials and bypass the screen saver, regardless of who was currently logged into the console. Great for IT depots that maintain a local master admin account. Example: An IT staff member could do maintenance/troubleshooting at an end user's Mac, even if the person had left the Mac workstation locked with a screen saver at lunchtime (i.e., the end user was not required to physically unlock the screen saver).


Does anyone know if this behavior can be changed/reverted? Is this behavior stored in an XML plist or in /etc/authorization file?

I used to know how to do this with 10.7 Lion and 10.8 Mountain Lion, but not this time with 10.9 Mavericks, due to different files stored in /etc/.

Here is what I used to do with 10.7 and 10.8. Read below and please help me with how I can make this work with Mavericks.

Code:
cd /etc/pam.d
sudo cp screensaver screensaver.bak
sudo nano screensaver

Find the line:
Code:

account required pam_group.so no_warn group=admin,wheel fail_safe

and change it to:
Code:

account sufficient pam_group.so no_warn group=admin,wheel fail_safe

Save /etc/pam.d/screensaver and exit nano.

Then, we make a wholly unintuitive change to /etc/authorization:
Code:
cd /etc
sudo cp authorization authorization.bak
sudo nano authorization

Press control-w and search for "unlock the screensaver"

Change the line:
Code:

<string>The owner or any administrator can unlock the screensaver.</string>

to:
Code:

<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>

Save /etc/authorization and exit nano.

Reboot

"Unfortunately, no one can be told what Mac OS X is... you must see it for yourself."
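
As an added example (not part of the original post, and not Apple tooling): a read-only shell check that reports whether the two edits described in the post above are present in a given copy of the files, the kind of configuration-drift check a fleet audit would run. The sample file contents are constructed from the lines quoted in the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample files are constructed; on a 10.7/10.8 system the
# real paths would be /etc/pam.d/screensaver and /etc/authorization.

# Print the control flag of each active "account ... pam_group.so" rule.
# Commented-out lines are skipped because their first field is not "account".
pam_group_control() {
    awk '$1 == "account" && $3 ~ /pam_group\.so$/ { print $2 }' "$1"
}

# stock   = "required" (the original line quoted in the post)
# relaxed = "sufficient" (the edited line); missing = no such rule
audit_screensaver_pam() {
    flags=$(pam_group_control "$1")
    case "$flags" in
        *sufficient*) echo relaxed ;;
        required)     echo stock ;;
        "")           echo missing ;;
        *)            echo unknown ;;
    esac
}

# Report whether the rule comment carries the "(Use SecurityAgent.)" prefix.
audit_authorization() {
    if grep -qF '<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>' "$1"; then
        echo modified
    else
        echo unmodified
    fi
}

# Constructed demo input: both states of each file, as given in the post.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# screensaver: account' \
    'account required pam_group.so no_warn group=admin,wheel fail_safe' > "$demo_dir/pam.stock"
sed 's/ required / sufficient /' "$demo_dir/pam.stock" > "$demo_dir/pam.edited"
printf '%s\n' '<string>The owner or any administrator can unlock the screensaver.</string>' > "$demo_dir/auth.stock"
printf '%s\n' '<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>' > "$demo_dir/auth.edited"

for f in pam.stock pam.edited; do
    echo "$f: $(audit_screensaver_pam "$demo_dir/$f")"
done
for f in auth.stock auth.edited; do
    echo "$f: $(audit_authorization "$demo_dir/$f")"
done
```
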
     
drbenru
Fresh-Faced Recruit
Join Date: Jan 2007
Dec 13, 2013, 05:25 PM
 
I haven't looked into it but I would not be surprised if they have changed it. If they did, I would suspect it's most likely an incidental change, although I would love to find out it was actually on purpose.

You see, your request, although seemingly justified, is bad for overall security, especially in an environment where user accountability might be an issue. For example in medical records, where the doctor that orders/approves/requests a procedure or change to patient care is accountable for the consequences. This is the reason that Mac OS has no means to show you what the actual password of a user is, but will let you change it. Changing a password gets logged, and when you don't have access to a user's original password you will be neither able to unlock their keychain nor set the password back to what it used to be without triggering a log entry.

Now I understand that in a small environment this is neither necessary nor secure, since the only person with access or expertise into the logs is the admin, and he can alter or delete these files. But in an environment with auditing procedures and secured log servers this functionality makes things much better.

My suggestion to you and your admins is to have fast user switching enabled by default. This way when a computer is locked in the screen saver you can simply hit the switch user button and access the admin account that will let you maintain/upgrade/install almost anything necessary.


Good luck finding your answer, I hope my suggestion proves a little bit helpful.

Ruben.
     
brianwells
Fresh-Faced Recruit
Join Date: Jul 2002
Dec 13, 2013, 09:25 PM
 
If you press option-return at the password prompt it should then prompt for an admin username and password.
     