Unattended Windows devices that are active with a user that is still logged in can create opportunities for unauthorized access to information and misuse of accounts. As an IT Admin, you can remotely apply a policy to lock one inactive device or your entire fleet of devices in your organization.
JumpCloud’s Lock Screen Policy automatically locks the screen and turns on the screen saver if a managed device is inactive for a specified period of time. The policy requires the user to enter the device password to unlock the screen. JumpCloud also provides a Lock Screen Policy for Linux and Mac devices.
The Lock Screen Policy can lock an inactive device only after mandatory OS processes have completed. There are other settings the user can specify to activate the screensaver with an interval of time that differs from your policy.
This is a device level policy that applies system-wide to the device and all of its users. You can bind this policy to individual devices or device groups. For policies that apply to a specific user's profile across devices, see Get Started: Policies and Learn More section of this article.
Considerations
- If you’re experiencing delays with the Lock Screen Policy, request that all users to log out and back in to all devices.
- When you apply the Lock Screen Policy to devices for the first time, all users are required to log out and back in before the policy takes effect.
- When you modify the Timeout value, all users are required to log out and back in before the policy changes take effect.
- When you uninstall the Lock Screen Policy, it immediately stops being enforced.
- If you uninstall and then reinstall the Lock Screen Policy, it’s immediately enforced. However, the Timeout value in the uninstalled policy is the one JumpCloud uses. To reset the old value to the value in the newly reinstalled policy, all users are required to log out and back in.
- The following settings affect screen locking and may conflict with this policy. The shortest setting is the one that takes effect first.
- JumpCloud Lock Screen Policy Timeout
- Screen Saver Settings
- Power and Sleep Settings
- Local Group Policy for Screen Saver Timeout
- Users must log out and back in to all devices where this policy was applied for it to take effect.
The Windows Lock Screen Policy alters the following registry key value using the timeout specified in JumpCloud:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Registry Keyword: inactivitytimeoutsecs
- Registry Data value: The timeout set in decimal value from the JumpCloud policy.
Creating the Policy
To create a Lock Screen policy for Windows devices, do the following:
Selecting the Policy Template
- Log in to the JumpCloud Admin portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Device Management > Policy Management. The Policy Management page is displayed.
- On the Policy Management page, click +Add New.
- Select Device Policy to assign the policy to devices and device groups. On the New Device Policy page:
- Select the Windows tab.
- Search and select the policy name and click Configure. The Details tab of the policy is displayed.
- On the Details tab, configure the required policy configuration settings.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.
Configuring the Policy
- Under Settings, enter the number of seconds before the screensaver is launched and password is required in Timeout (seconds).
Applying the Policy
- (Optional) Select the Policy Groups tab. Select one or more policy groups where you want to add this policy.
- Select the Device Groups tab. Select one or more device groups where you want to apply this policy to. For device groups with multiple OS member types, the policy only applies when a user logs into a supported Windows device that is enrolled in MDM.
- Or, select the Devices tab. Select one or more devices where you want to apply this policy.
- Click Create Policy. A success message is displayed indicating the completion of policy creation.
Viewing Policy Status
- Select the Status tab.
- To see the last Result Log for a device where this policy is applied, click view.
- If any errors occur, they're listed in Exit Status. If you have an Exit Status of 0, no errors occurred when applying or enforcing this policy.