Hello,
For Intune I’m trying to make a custom compliance policy that marks a device noncompliant when it does not have automatic screen locking <= 5 minutes enabled.
I know technically only Ubuntu 20.04 and 22.04 with GNOME are supported, but for my initial testing phase I threw in a Kubuntu 22.04 as well (because I prefer working in KDE and it would be great if I could get my work device compliant with Kubuntu instead of having to resort to Ubuntu GNOME).
The last hurdle is to write a custom compliance script for screen locking.
On GNOME this is fairly easy:
Find desktop
echo $XDG_CURRENT_DESKTOP
echo $DESKTOP_SESSION
GNOME
gsettings get org.gnome.desktop.screensaver lock-enabled
gsettings get org.gnome.desktop.screensaver lock-delay
For KDE I’ve been trying to find a similar bash command. I think qdbus is my best bet; however, I’ve found that the following commands do not accurately represent the settings in the GUI:
qdbus org.freedesktop.ScreenSaver /ScreenSaver org.freedesktop.ScreenSaver.GetActive
qdbus org.freedesktop.ScreenSaver /ScreenSaver org.freedesktop.ScreenSaver.GetSessionIdleTime
Anyone know how to accurately check whether or not “lock screen automatically” is enabled and, if it is, what the lock time is set to?
tia
This probably isn’t the best way to do this, but here’s what I found:
First, re-apply current settings as the configuration file may have been altered manually
qdbus org.freedesktop.ScreenSaver /org/freedesktop/ScreenSaver org.kde.screensaver.configure
Delay before locking (locking is enabled if different than 0)
kreadconfig6 --file kscreenlockerrc --group 'Daemon' --key Timeout --default 5
Lock after resume from suspend should be enabled
kreadconfig6 --file kscreenlockerrc --group 'Daemon' --key LockOnResume --default true
Should require password after locking; Plasma now allows unlocking without password
kreadconfig6 --file kscreenlockerrc --group 'Daemon' --key RequirePassword --default true
Delay before password required after locking
kreadconfig6 --file kscreenlockerrc --group 'Daemon' --key LockGrace --default 5
Found these keys after changing the Screen Locking settings while looking at ~/.config/ and then watching the changes on ~/.config/kscreenlockerrc
Related: command line - How do I programmatically disable the KDE screen locker? - Ask Ubuntu
Hey Luis,
Thank you for your response. I’m using Kubuntu 22.04, so I’m dealing with KDE 5, because Intune officially only supports Ubuntu 20.04 and 22.04.
But you did put me on the right track, thanks!
I also tested the KDE commands on a completely fresh install of Kubuntu and it works whether the user has manually touched the settings or not (so whether or not there are any entries in ~/.config/kscreenlockerrc).
So now I have a custom compliance script that can evaluate whether a user has screen locking enabled and the delay time, that works for both GNOME and KDE 5, and marks the device non-compliant in Intune if it does not pass criteria.
Here’s a snippet from the script I made:
# Check desktop environment (GNOME or KDE)
DESKTOP_ENVIRONMENT=$XDG_CURRENT_DESKTOP
# Define lock checking commands based on desktop environment
if [ "$DESKTOP_ENVIRONMENT" = "ubuntu:GNOME" ]; then
    LOCK_ENABLED_CMD="gsettings get org.gnome.desktop.screensaver lock-enabled"
    LOCK_DELAY_CMD="gsettings get org.gnome.desktop.screensaver lock-delay"
elif [ "$DESKTOP_ENVIRONMENT" = "KDE" ]; then
    LOCK_ENABLED_CMD="kreadconfig5 --file kscreenlockerrc --group Daemon --key Autolock"
    LOCK_DELAY_CMD="kreadconfig5 --file kscreenlockerrc --group Daemon --key Timeout"
else
    # Quote the log path so an empty or space-containing value does not break the redirect
    echo "$(date) | Error: Unsupported desktop environment: $DESKTOP_ENVIRONMENT" >> "$LOG_FILE" 2>&1
fi
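
The evaluation step that follows the snippet above, sketched as an added example that is not part of any post in this thread: it normalises the two desktops' outputs to seconds and treats anything it cannot parse as noncompliant. The function names and `MAX_LOCK_SECONDS` are hypothetical; it assumes gsettings prints `lock-delay` as `uint32 <seconds>` and that the KDE `Timeout` key is in minutes.

```shell
#!/bin/sh
# Added example, not the poster's script. Limit taken from the question: 5 minutes.
MAX_LOCK_SECONDS=300

# to_seconds DESKTOP RAW_DELAY: print the delay in seconds; fail if unusable.
to_seconds() {
    case "$1" in
        *GNOME*) value=${2#uint32 }; factor=1 ;;  # gsettings prints "uint32 <seconds>"
        *KDE*)   value=$2; factor=60 ;;           # kscreenlockerrc Timeout is in minutes
        *)       return 1 ;;                      # unknown desktop: cannot interpret
    esac
    case "$value" in
        ''|*[!0-9]*|0?*) return 1 ;;              # empty, non-numeric or leading zero
    esac
    # Per the thread, a KDE Timeout of 0 means automatic locking is off.
    if [ "$factor" -eq 60 ] && [ "$value" -eq 0 ]; then return 1; fi
    echo $((value * factor))
}

# lock_compliant DESKTOP RAW_ENABLED RAW_DELAY: exit 0 only when locking is on
# and the delay is within the limit. Anything unparseable counts as noncompliant.
lock_compliant() {
    [ "$2" = "true" ] || return 1
    seconds=$(to_seconds "$1" "$3") || return 1
    [ "$seconds" -le "$MAX_LOCK_SECONDS" ]
}

# check_session: read the live values with the commands from the thread.
check_session() {
    case "$XDG_CURRENT_DESKTOP" in
        *GNOME*)
            enabled=$(gsettings get org.gnome.desktop.screensaver lock-enabled)
            delay=$(gsettings get org.gnome.desktop.screensaver lock-delay) ;;
        *KDE*)
            enabled=$(kreadconfig5 --file kscreenlockerrc --group Daemon --key Autolock)
            delay=$(kreadconfig5 --file kscreenlockerrc --group Daemon --key Timeout) ;;
        *)  return 1 ;;
    esac
    lock_compliant "$XDG_CURRENT_DESKTOP" "$enabled" "$delay"
}
```

Call `check_session` from the user's desktop session; its exit status is 0 for compliant and non-zero otherwise.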