Security vulnerability bug with com.apple.screensaver payload on macOS 10.13

Originator: clburlison
Number: rdar://35474480
Date Originated: 10-Nov-2017 02:05 PM
Status: Open
Resolved:
Product: macOS + SDK
Product Version: 10.13.1 17B48
Classification: Security
Reproducible: Always
 
Summary:
This is a duplicate of radar #35474203

macOS 10.13 does not honor mobileconfig profiles using the new com.apple.screensaver PayloadType referenced at https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW60


Steps to Reproduce:
-New install 10.13.1 (17B48)
-Create new user manually named 'test' through SetupAssistant
-SysPref (System Preferences) > Desktop & Screen Saver > Screen Saver, change "Start after:" to 1 minute (from the default of 20)
-Install com.apple.screensaver payload .mobileconfig for 10.13 devices which configures askForPassword key value to <true/>
-Wait 1 minute so that screen saver engages
-Wait 6 more min to ensure screen lock
-Wake screen and confirm that password prompt is present
-Unlock screen
-SysPref > Profiles, uninstall profile
-SysPref > Security & Privacy > General, use lock in corner to auth/unlock settings
-Uncheck "Require password" and click "Turn off screen lock" in dialog
-Close SysPref
-Re-install the com.apple.screensaver .mobileconfig
-Re-open SysPref > Security & Privacy > General and confirm that "Require password" is grayed out / not configurable
-Close SysPref
-Wait 1 min so screen saver engages
-Wait 6 more min to ensure screen lock

Expected Results:
Should be prompted for user password when moving mouse / trackpad / waking screen

Actual Results:
No password prompt, desktop is available. Computer is unsecured. We have no ability to remotely enforce the lock state of our devices.

Version:
10.13.1 17B48

Notes:
Deleting the user's Local Items keychain while they're not logged in, causing them to generate a new one on login, appears to resolve the issue. This is not an acceptable workaround.

Sample minimal mobileconfig profile is attached.
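The attached profile is not reproduced on this page. As an added example (not the reporter's attachment), the script below builds a minimal com.apple.screensaver profile with the askForPassword key set, and audits an arbitrary .mobileconfig for the same setting so a fleet's profiles can be checked before deployment. Key names follow Apple's Configuration Profile Reference for this payload; the identifiers, display names and organization string are placeholders, and askForPasswordDelay / idleTime defaults are assumptions chosen to match the report's 1-minute screen saver setting.

```python
"""Build and audit a com.apple.screensaver configuration profile.

Added example, not the profile attached to the radar. Payload key names
(askForPassword, askForPasswordDelay, idleTime) come from Apple's
Configuration Profile Reference; identifiers and names are placeholders.
Uses only the standard library, so it runs on any OS.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.screensaver"


def build_screensaver_profile(ask_for_password=True, ask_delay=0, idle_time=60,
                              identifier="com.example.screensaver"):
    """Return a .mobileconfig (XML plist) as bytes.

    ask_for_password -> askForPassword: require the login password to leave
    the screen saver. ask_delay -> askForPasswordDelay: seconds of grace
    before the password is required (0 = immediately). idle_time -> idleTime:
    seconds of inactivity before the screen saver starts (60 matches the
    report's "Start after: 1 minute"). The identifier is a placeholder.
    """
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Screen Saver",
        "askForPassword": bool(ask_for_password),
        "askForPasswordDelay": int(ask_delay),
        "idleTime": int(idle_time),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Screen Saver Lock",
        "PayloadOrganization": "Example Org",  # placeholder
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data, max_delay=0):
    """Return a list of findings; an empty list means the profile enforces
    a password on wake with at most max_delay seconds of grace.

    Only the profile content is checked. Whether the device actually honors
    it (the bug in this report) still has to be verified on the machine.
    """
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no com.apple.screensaver payload present"]
    findings = []
    for p in payloads:
        ident = p.get("PayloadIdentifier", "<no identifier>")
        if p.get("askForPassword") is not True:
            findings.append(f"{ident}: askForPassword is not true")
        delay = p.get("askForPasswordDelay", 0)
        if delay > max_delay:
            findings.append(f"{ident}: askForPasswordDelay {delay}s exceeds {max_delay}s")
    return findings


if __name__ == "__main__":
    # Write a profile that requires the password immediately, then audit it.
    data = build_screensaver_profile(ask_for_password=True, ask_delay=0)
    with open("screensaver-lock.mobileconfig", "wb") as fh:
        fh.write(data)
    print("findings:", audit_profile(data) or "none")
```

The audit tells you only that the profile asks for the lock; it cannot detect the failure described above, where 10.13.1 installs the profile, grays out the checkbox, and still does not prompt. On 10.13 and later the on-device state can be read with `sysadminctl -screenLock status`, which is the check to run after the manual steps in place of waking the screen by hand.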

Number of devices affected: 1800+
