Friday, January 18, 2013

Idle Logouts in Mac Labs


I've been playing with Real Studio recently and have been enjoying my learning experience. Justin Elliott has been giving me some extra help when I get stuck and we ended working on an app together for our labs.

Problem:
Users sometimes forget to log out, this can be a security risk. Using AppleScripts or safe commands to log users out doesn't always work as expected, think open Microsoft Word doc with changes. In order to force users to log out, we needed to develop an application to do so.

Solution:
The PSU Idle Logout.app was written in Real Studio to force machines to reboot when users hit a specified idle time. The time is specified in a plist and compared to the amount of time the USB HID devices (mouse and keyboard) have been idle. Here is the line of code used to get that time:
echo $((`ioreg -c IOHIDSystem | sed -e '/HIDIdleTime/ !{ d' -e 't' -e '}' -e 's/.* = //g' -e 'q'` / 1000000000))
If time reaches what has been specified as the idle limit, the computer will reboot by running a script. This solution requires that the /etc/sudoers file is modified so that standard users can reboot the machine with the script. See the GitHub repository for more information!

The Real Studio code and application are available on GitHub for modification and use. Please let me know if it helps you!

Update:
The repository has been moved into the CLC Mac Team organization in GitHub. Please use this link:
https://github.com/CLCMacTeam/IdleLogout

20 comments:

Unknown said...

Awesome! This is actually really useful.

Unknown said...

Awesome, this is actually exceedingly useful! Thanks Rusty!

Tariq Rashid said...

I need to disable these on Mac OS X 10.10.2 (Yosemite) But this is not working on that. It don't have these entries in object file.

Rusty Myers said...

Tariq, What is failing to work for you? We've been testing the Idle Logout.app on 10.10.2 for a while and it is working for us. Please try downloading one of the compiled copies of the Idle Logout.app for testing: https://github.com/CLCMacTeam/IdleLogout/blob/master/IdleLogout%20app/Idle-Logout.1.2.tar.bz2

N74JW said...

Application doesn't even run. When it is double-clicked, nothing happens. OS X 10.10.3, Mac Mini.

Rusty Myers said...

N74JW - Check the Activity Monitor.app for the IdleLogut.app process. The application has no interface when running, and should only show a window when the user has been idle longer than the configured setting.

Not seeing anything in the dock or any window appear when starting the application is the expected results when double-clicking the app. We actually start the app with a launch agent when a user logs in.

Hope that helps, let me know if you have any questions!

N74JW said...

Thanks for the quick response. How do you configure the app's settings if there is no interface? I need the Mac to logoff after fours hours of inactivity, no materr what is happening (Whether or not MS Word/Powerpoint, Firefox, Chrome are open.)

Rusty Myers said...

N74JW - Check out the GitHub page, there is a section on preferences: https://github.com/CLCMacTeam/IdleLogout

You'll need to configure the preferences to match your needs.

For example, to tell the app to log people out after 4 hours (14400 seconds), you'd want to set the ComputerIdleAfterNumSeconds key to 14400:
defaults write "/Library/CLMadmin/Config/edu.psu.its.clc.IdleLogoutSettings.plist" ComputerIdleAfterNumSeconds -string "14400"

To test, we set that value to something small, like 10 seconds. That way, we see the dialog and know it's working.

N74JW said...

How do you tie the app to a launch agent when a user logs in? This is great stuff! Thanks

Rusty Myers said...

N74JW - You can create a launch agent that starts the IdleLogout.app:

$ cat /Library/LaunchAgents/edu.psu.its.clc.idlelogout.plist





Label
edu.psu.clc.idlelogout
ProgramArguments

open
/Library/CLMshared/Startup Items/Idle Logout.app

RunAtLoad




Documentation:
https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

Rusty Myers said...

N74JW - Try this link for the launch agent plist: https://gist.github.com/rustymyers/72863aa8537f5a660c22

N74JW said...

I tried your XML file from GitHub, but it didn't work. When I went to run the application interactively, it threw an XML error. I copied the script verbatim, I just changed the directory where Idle Logout.app is located to /Applications

The error (which makes no sense to me)

"An exception of class XmlException was not handled. The application must shut down."

Exception message: msg:XML parser error 4: not well-formed (invalid token)
Exception Error Number: 2

OS X freezes after that and I have to reboot.

Rusty Myers said...

N74JW - That sounds like an issue with the preference file. I think I made a mistake telling you to use defaults, as it's probably creating a binary file that IdleLogout can't ready. Try converting using:
plutil -covert xml1 "/Library/CLMadmin/Config/edu.psu.its.clc.IdleLogoutSettings.plist"

Use only plain text XML for the preference for now.
I need to covert the preferences to CFPrefsD, but have not done it yet.

N74JW said...

Hooray! No error. I'm testing it out now (15min Idle time). Thanks

N74JW said...

It didn't work. I logged in as a regular user and opened Chrome and Powerpoint and let it sit. 20 minutes went by and it didn't log off. It should have at 15 minutes (900 secs). Is there a log file I can refer to see why nothing happened?

Thanks

Rusty Myers said...

The logs are here: /Users/Shared/IdleLogout

N74JW said...

There are several errors. First is: "ERROR! The file is not readable, or does not exist!" The second is "IdleLogout.Open: Warning! Failed to find the default key 'IgnoreGroup', using default of admin." The account logged in is using a profile that was customized from a user account that is an admin. Is that why it didn't run?

Thanks

Rusty Myers said...

Sounds like the preference file isn't there, or isn't plain text. Try recreating the preference at this exact location:
"/Library/CLMadmin/Config/edu.psu.its.clc.IdleLogoutSettings.plist"
You can use the example plist from the GitHub Project.

Bojan said...

What if we want to remove the whole interface and just have a simple script that automatically reboots after a set amount of time?
Like after 10 minutes of idle, reboot without any popups or anything?

Thanks

Rusty Myers said...

Bojan, you can use the ioreg command in a script to check the idle input time, then kill the loginwindow when it reaches your specified time. That would logout any user without any warning.