π‘οΈπͺπ»ππβοΈGroup - Screen Lock Timer Disabled
What this group does πβ
Being in this group means one thing:
"This device is special enough that auto-lock would break its purpose."
That's right. While the default policy βοΈπͺπ»CP - Security - Screen Lock Timer says "lock after 5 minutes of inactivity", this group β combined with the βοΈπͺπ»πCP - Security - Screen Lock Timer - Disable policy β says:
π¦Έ "Okay, fine. But only for devices with a really good reason."
π οΈ Group Configurationβ
| Setting | Value |
|---|---|
| Group name | π‘οΈπͺπ»ππGroup - Screen Lock Timer Disabled |
| Group description | Devices in this group are explicitly excluded from automatic screen lock policies. This is for dashboard displays, demo devices, or other specific use cases where auto-lock would disrupt operations. Membership requires documented justification. |
| Group type | Security |
| Membership type | Assigned (Device Group) |
π‘ SuperVision Tipβ
This group is manually assigned β and it should stay that way.
SuperVision supports device management across tenants, so you can assign this group consistently via:
- Clear naming standards (
π‘οΈ,π,π) - Device-based assignments
- Documentation of why each device is in this group
But remember: exceptions should be rare.
βοΈ Always document why a device is in this group. Future-you (and auditors) will thank you.
π― Purposeβ
Used as an exception mechanism for devices like:
- Dashboard displays β Showing real-time metrics, KPIs, or monitoring data 24/7 π
- Demo/presentation devices β Where auto-lock would interrupt sales demos or training sessions π€
- Shared kiosks in secure areas β Already physically secured, no need for auto-lock π’
- Digital signage β Displaying information continuously without user interaction πΊ
This group is for devices that need the exception β not just devices where users want it.
β οΈ Governance mattersβ
If you add a device to this group:
- You should know exactly why it needs this exception
- The customer should approve it (preferably in writing)
- You should document the business justification
- You should review membership regularly (at least quarterly)
If you can't justify why a device is in this group during an audit... it probably shouldn't be there.
Warning signs that you're doing it wrong:
- "Bob's laptop because he doesn't like auto-lock" β
- "The CEO's device because they said so" β
- "Everyone in the sales department" β
Valid reasons:
- "Reception desk display showing visitor management system" β
- "Conference room presentation device with no corporate data" β
- "NOC monitoring screen in locked server room" β
π¦ΈββοΈ The Spider-Man Ruleβ
Remember: "With great power comes great responsibility."
Disabling auto-lock is a security control exception. Use it like a scalpel, not a sledgehammer.
If you start adding too many devices to this group, you're not managing exceptions. You're creating a security hole big enough for Thanos to walk through.
And nobody wants that.
π Related Policiesβ
- βοΈπͺπ»CP - Security - Screen Lock Timer
- βοΈπͺπ»πCP - Security - Screen Lock Timer - Disable
π·οΈ With great exceptions comes great documentation requirements.
Pro tip: If you're adding more than 5% of your devices to this group, you're probably doing it wrong. Step back and ask: "Am I solving a real problem, or am I just avoiding angry users?"
Because compliance violations are way more painful than angry users.