⚙️🪟💻 CP - Security - Screen Lock Timer

What this policy is about 🔒

Picture this:

Sarah from Marketing at Customer X walks away from her desk to grab coffee. She leaves her screen unlocked.

Two minutes later, her entire department receives a Teams message:

"Hi everyone! I'm bringing cake for the whole office tomorrow! 🎂"

She didn't write that message. But she's definitely bringing cake now.

Or worse: someone flips her screen upside down (Ctrl+Alt+Down Arrow, the classic). Changes her desktop background to Nicolas Cage. Everywhere. Sets her Teams status to "Actually loves Excel pivot tables."

This policy is your friendly neighborhood Spider-Man.

It automatically locks the screen after a set period of inactivity — because "with great power comes great responsibility," and apparently Sarah can't be trusted with hers.


Why this matters 🎭

People forget to lock their screens. It's just human nature.

And when they do, you get:

  • Security risks — Anyone can access sensitive data, emails, files, the works
  • Office pranks — Harmless... until someone accidentally sends that "cake email" to the CEO (true story)
  • Compliance violations — GDPR doesn't care if it was "just for a minute"
  • Data leaks — Clean desk policies exist because Bob from Sales keeps leaving quarterly reports on his screen

With automatic screen lock:

  • Devices lock themselves after X minutes of inactivity
  • No reliance on users remembering to hit Windows+L
  • Protection 24/7, even when people are distracted by cat videos
  • One less thing keeping you up at night

Because if Batman taught us anything, it's that prevention is better than cleanup.


🛠️ Configuration Settings

Simple, effective, and configurable per customer. Like a good cup of coffee: consistent, but you can adjust to taste.

| Setting | Value | Why |
| --- | --- | --- |
| Device Password Enabled | Enabled | Requires a password to unlock the device (because leaving doors unlocked went out of style in, like, the Stone Age) |
| Max Inactivity Time Device Lock | 5 | Automatically locks the screen after 5 minutes of inactivity (the Goldilocks zone: not too fast, not too slow) |

💡 SuperVision Tips

🎯 Making This Field Dynamic with SuperVision Tags

Here's where SuperVision channels its inner Tony Stark.

Normally, this field only accepts numbers — you can't just type in text or special characters. But with SuperVision's Golden Master, you can turn numeric fields into dynamic variables using tags.

How it works:

  1. In the Golden Master blueprint in SuperVision, click the tag button next to the lock timer field
  2. SuperVision converts that numeric field into a tag variable (basically giving you superpowers)
  3. Set a default value (e.g., 5 minutes) that applies to all customers
  4. Override per customer if they want something different

This means:

  • Customer A gets 5 minutes (the sensible default)
  • Customer B wants 10 minutes because they have very long coffee breaks? Override it.
  • Customer C wants 2 minutes because they work with state secrets? Override it.
  • One policy. Multiple configurations. Zero manual editing.

It's like having the Infinity Gauntlet, but for MSP configurations. (And with way fewer ethical dilemmas.)

⚠️ What About Setting It to 0?

Technically, you can set it to 0 (which means "never lock automatically").

But should you?

Let me answer that with a question: Would you leave the Batcave unlocked?

Setting it to 0 means devices will never auto-lock. Ever. That's like handing Loki the Tesseract and saying "I'm sure it'll be fine."

Sure, some users might prefer it. But:

  • Security policies exist for a reason (and that reason is usually "someone did something stupid")
  • Compliance frameworks require auto-lock (looking at you, ISO 27001)
  • One unlocked screen can compromise your entire network faster than Thanos can snap

Stick to a reasonable timer. 5 minutes is the sweet spot between security and "not annoying your users so much they revolt."

Think of it like Doctor Strange looking at 14 million possible futures: in only one does setting it to 0 work out. And in that future, everyone remembers to lock their screens.

Spoiler alert: We don't live in that future.
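
An added example (not SuperVision's own code) of the default-plus-override resolution described above, with an audit that flags the 0 "never lock" case and values the numeric-only field would reject. The function names, the constructed overrides for Customer D and Customer E, and the 15-minute ceiling are assumptions made for this example.

```python
DEFAULT_MINUTES = 5        # default tag value from the page
MAX_ALLOWED_MINUTES = 15   # assumed ceiling, not stated on the page


def resolve_timer(customer, overrides, default=DEFAULT_MINUTES):
    """Return (effective_minutes_or_None, findings) for one customer."""
    raw = overrides.get(customer, default)
    # The lock timer field is numeric-only: accept whole numbers, reject the rest.
    if isinstance(raw, bool) or not isinstance(raw, int):
        text = str(raw).strip()
        if not (text.isascii() and text.isdigit()):
            return None, [f"non-numeric value {raw!r}"]
        raw = int(text)
    if raw < 0:
        return None, [f"negative value {raw}"]
    findings = []
    if raw == 0:
        # 0 disables auto-lock entirely, so always surface it for review.
        findings.append("0 = never auto-lock")
    elif raw > MAX_ALLOWED_MINUTES:
        findings.append(f"{raw} min exceeds assumed ceiling of {MAX_ALLOWED_MINUTES}")
    return raw, findings


def audit(customers, overrides):
    """Resolve every customer's timer and record where the value came from."""
    report = {}
    for name in customers:
        minutes, findings = resolve_timer(name, overrides)
        report[name] = {
            "minutes": minutes,
            "source": "override" if name in overrides else "default",
            "findings": findings,
        }
    return report


# Constructed sample data: A, B and C follow the page; D and E are invented.
CUSTOMERS = ["Customer A", "Customer B", "Customer C", "Customer D", "Customer E"]
OVERRIDES = {"Customer B": 10, "Customer C": 2, "Customer D": 0, "Customer E": "ten"}

if __name__ == "__main__":
    for name, row in audit(CUSTOMERS, OVERRIDES).items():
        status = "; ".join(row["findings"]) or "ok"
        print(f"{name}: {row['minutes']} min ({row['source']}) -> {status}")
```
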


👥 Group Assignments

✅ Included groups:

  • All Devices

❌ Excluded groups:

Why? Kiosk and IoT devices have their own special missions (like digital signage showing cat memes 24/7). They don't need auto-lock timers. W365 Boot devices handle their own session management like the independent warriors they are.

The "Screen Lock Timer Disabled" group is for specific devices that need auto-lock disabled — see the Allow Policy for when (and why) to use it.


🎂 The Office Prank Prevention Act of 2024

Let's be real: this policy is as much about preventing office chaos as it is about security.

Classic pranks we've seen:

  • The "free cake for everyone" email (RIP departmental budgets)
  • Screen rotation to 180° (Ctrl+Alt+Down — the devil's shortcut)
  • Desktop background changed to Nicolas Cage collages (why is it always Nicolas Cage?)
  • Teams status changed to "Do not disturb — napping" during business hours
  • Email signature replaced with "Sent from my carrier pigeon"

While these might seem harmless...

  • Sending "I'm buying lunch for the office" to 500 people is not harmless to your wallet
  • Flipping someone's screen during a client presentation is a resume-generating event
  • Changing the CFO's background to Shrek memes is... career limiting

This policy saves:

  • Embarrassment ✅
  • Cake budgets ✅
  • IT tickets titled "HELP MY SCREEN IS UPSIDE DOWN" ✅
  • Actual security incidents ✅
  • Your sanity ✅

Everyone wins. Except the office pranksters. (Sorry, not sorry.)


Final Thoughts 🧘

Auto-lock timers are one of those policies that seem small but have massive impact.

They protect against:

  • Forgetfulness ✅
  • Pranks ✅
  • Security breaches ✅
  • Compliance violations ✅
  • Nicolas Cage desktop backgrounds ✅

And with SuperVision's Golden Master tag system, you can turn number-only fields into dynamic variables — configure it once, customize it per customer, no policy duplication needed.

So set your timer. Enforce it everywhere.

And the next time someone walks away from their desk without locking their screen? The policy's got it covered.

Because in the words of Uncle Ben: "With great power comes great responsibility." And in the words of IT pros everywhere: "Just lock your damn screen."


Standardize like a pro. Configure with intent. And remember: Windows+L is faster than explaining to HR why you promised cake to 500 people.