βοΈπͺπ»πCP - Security - Screen Lock Timer - Disable
What this policy is for πβ
This is the counter-policy to βοΈπͺπ»CP - Security - Screen Lock Timer.
While that one automatically locks screens after inactivity (because, you know, security), this one says:
"Okay, fine. But only for specific users who have a really good reason."
Why? Because in real-world scenarios, sometimes you need exceptions:
- Presentation devices β Screens that display dashboards, metrics, or live data 24/7
- Demo accounts β Sales or training accounts where auto-lock would interrupt workflows
- Specific use cases β Where the user environment is already physically secured (e.g., locked server rooms, controlled access areas)
This policy disables the auto-lock timer β but only for those assigned to the π‘οΈπͺπ»ππGroup - Screen Lock Timer Disabled
π οΈ Configuration Settingsβ
| Setting | Value | Why |
|---|---|---|
| Device Password Enabled | Enabled | Still requires a password when manually locked or on startup |
| Max Inactivity Time Device Lock | 0 | Disables automatic screen lock (0 = never auto-lock) |
Yes, we're setting it to 0. Yes, that's the thing we warned against in the main policy.
But here's the difference: This is intentional, documented, and assigned to a specific group with a clear business justification.
Not chaos. Controlled exceptions.
π‘ SuperVision Tipsβ
π― Use the Same Dynamic Tag Systemβ
Just like the main policy, you can use SuperVision's Golden Master to make this dynamic:
- Click the tag button next to the lock timer field in SuperVision
- Set the default value to
0(disabled) - If a customer wants a different "no auto-lock" behavior, you can override it
Though let's be honest: if you're disabling auto-lock, you're probably setting it to 0. But flexibility is still nice.
β οΈ This is an Exception, Not the Ruleβ
This policy should be used sparingly.
It's for:
- Dashboard displays in secure areas
- Demo or training devices with no sensitive data
- Presentation systems where auto-lock would disrupt operations
It's not for:
- "Bob doesn't like locking his screen"
- "The CEO said it's annoying"
- "Can we just turn it off for everyone?"
If someone asks for this without a solid justification, the answer is: No.
And then you point them to the main policy and walk away like Tony Stark after dropping a one-liner.
π₯ Group Assignmentsβ
β Included groups:β
β Excluded groups:β
- None explicitly. Everyone else simply doesn't receive this policy β and remains protected by βοΈπͺπ»CP - Security - Screen Lock Timer
π Governance Checkβ
If you enable this policy without understanding why a device needs it, you're basically handing Loki the Tesseract and hoping for the best.
Always combine this with:
- A written justification from the customer (email, ticket, carrier pigeon β we don't care, just document it)
- Internal documentation of why this exception exists
- Regular review of who's in the group (because "temporary" exceptions have a habit of becoming permanent)
π¦ΈββοΈ The "With Great Power" Reminderβ
Remember what Uncle Ben said? "With great power comes great responsibility."
This policy gives you the power to disable a core security control.
Use it wisely. Use it rarely. And always β always β with justification.
Because the moment you start handing out exceptions like candy, you're no longer managing security. You're managing chaos.
And chaos is Loki's job. Not yours.
Final Thoughts π§β
Exception policies exist for a reason: real-world flexibility.
Not every device fits the same mold. Not every use case is standard.
But exceptions should be:
- Documented β
- Justified β
- Reviewed regularly β
- Assigned to a specific group β
Do this right, and you're a security hero. Do this wrong, and you're the reason the next audit fails.
Standardize like a pro. Configure with intent. And remember: exceptions are fine β as long as you can explain them to an auditor.