Custom lock screen

Following the instructions here and from NomadLogin, I figured out how to make a custom login screen. I would like to know how I can get a custom lock screen? This thread was never fully answered.

Thanks

This thread was never fully answered.

I’m not sure what you mean by that. My last post on that thread is a very clear answer. If you’d like that answer to change, I recommend that you file an enhancement request describing your specific requirements.

Just to set expectations here, the change I described in the first bullet of that post was a deliberate security hardening fix. An ER that simply says “Please undo that” is unlikely to get any traction.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Modern systems prevent third-party code, including authorisation plug-ins, from showing UI on top of the lock screen. The only way to present UI in that context is to build an authorisation plug-in based on SFAuthorizationPluginView.

This sentence seems contradictory. Are you saying that it's impossible to put a custom UI on top of the lock screen even with the authorization plug-in based on SFAuthorizationPluginView?

This sentence seems contradictory.

Not really. Your UI can’t show up on top of the lock screen. When you create an SFAuthorizationPluginView subclass, that view is embedded within the lock screen.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I just created the SFAuthorizationPluginView subclass. Is it supposed to be installed in /System/Library/CoreServices/SecurityAgentPlugins/ or is it ok to be put in /Library/CoreServices/SecurityAgentPlugins/ ?

Here are the ideas and progress so far that I have tried with the lock screen with touch id. Using this sample code as a launching point for a POC, https://github.com/antoinebell/NameAndPassword. I modified it for looking into the touch id.


First of all, I found that this is what I have to do in order to get a custom lock screen with that sample code.

system.login.screensaver // this changes it to the ugly pop up window

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
    <key>created</key>
    <real>674211169.32046402</real>
    <key>modified</key>
    <real>674211169.32046402</real>
    <key>rule</key>
    <array>
        <string>authenticate-session-owner-or-admin</string>
    </array>
    <key>version</key>
    <integer>1</integer>
</dict>
</plist>

authenticate: // this modifies the pop up window that also appears for authentication within the logged in state.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>created</key>
    <real>674211169.32046402</real>
    <key>mechanisms</key>
    <array>
        <string>NameAndPassword:invoke</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:authenticate,privileged</string>
    </array>
    <key>modified</key>
    <real>702745507.12304997</real>
    <key>shared</key>
    <true/>
    <key>tries</key>
    <integer>10000</integer>
    <key>version</key>
    <integer>1</integer>
</dict>
</plist>

system.login.console // changes the login window altogether

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule.  Not for general use, yet.</string>
    <key>created</key>
    <real>674211169.32046402</real>
    <key>mechanisms</key>
    <array>
        <string>builtin:prelogin</string>
        <string>builtin:policy-banner</string>
        <string>NameAndPassword:invoke</string>
        <string>builtin:login-begin</string>
        <string>builtin:reset-password,privileged</string>
        <string>loginwindow:FDESupport,privileged</string>
        <string>builtin:forward-login,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>builtin:login-success</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>CryptoTokenKit:login</string>
        <string>PSSOAuthPlugin:login-auth</string>
        <string>loginwindow:done</string>
    </array>
    <key>modified</key>
    <real>702745507.11596596</real>
    <key>shared</key>
    <true/>
    <key>tries</key>
    <integer>10000</integer>
    <key>version</key>
    <integer>10</integer>
</dict>
</plist>

Then I modified the code and put in a button according to https://www.hackingwithswift.com/read/28/4/touch-to-activate-touch-id-face-id-and-localauthentication and found that "canEvaluatePolicy" was returning false when tried in the locked state.

Then I tried using PAM to use the touch id in lock screen according to this article:

https://apple.stackexchange.com/questions/259093/can-touch-id-on-mac-authenticate-sudo-in-terminal

I applied this concept by pasting

auth sufficient pam_tid.so 

inside of /etc/pam.d/sudo at the top, but that didn't work.

I also tried modifying system.login.screensaver like this to get the regular GUI to show:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
    <key>created</key>
    <real>674211169.32046402</real>
    <key>modified</key>
    <real>674211169.32046402</real>
    <key>rule</key>
    <array>
        <string>NameAndPassword:invoke</string>
    </array>
    <key>version</key>
    <integer>1</integer>
</dict>
</plist>

But that didn't work either.


Any ideas or suggestions?

Thanks,
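An added example, not part of the original post or of the NameAndPassword project: a small audit of authorization rights like the ones quoted above, as `security authorizationdb read <right>` prints them. It reports mechanisms from plug-ins outside a baseline and `plugin:mechanism` strings placed in a `rule` array. The baseline set, the abbreviated sample rights and the `ExamplePlugin` name are assumptions constructed for the example.

```python
import plistlib

# Plug-in names that the rights quoted in this thread show alongside the
# custom one. Assumption: treated here as the expected baseline.
BASELINE_PLUGINS = {"builtin", "loginwindow", "HomeDirMechanism", "MCXMechanism",
                    "CryptoTokenKit", "PSSOAuthPlugin", "PKINITMechanism"}

def audit_right(name, plist_bytes):
    """Return findings for one authorization right given as plist XML bytes."""
    right = plistlib.loads(plist_bytes)
    findings = []
    # evaluate-mechanisms rights: report every plug-in outside the baseline.
    for entry in right.get("mechanisms", []):
        plugin, _, mechanism = entry.partition(":")
        if plugin not in BASELINE_PLUGINS:
            note = " (runs privileged)" if mechanism.endswith(",privileged") else ""
            findings.append(f"{name}: non-baseline mechanism {entry}{note}")
    # rule-class rights: the 'rule' array references other rules by name,
    # so a 'plugin:mechanism' string there is out of place.
    if right.get("class") == "rule":
        for entry in right.get("rule", []):
            if ":" in entry:
                findings.append(f"{name}: {entry} is a mechanism string in a rule array")
    return findings

def _plist(body):
    # Wrap a constructed <dict> body as plist XML bytes.
    return f'<plist version="1.0"><dict>{body}</dict></plist>'.encode()

def _strings(*values):
    return "<array>" + "".join(f"<string>{v}</string>" for v in values) + "</array>"

# Constructed samples, abbreviated from the rights quoted in the thread.
CONSOLE = _plist("<key>class</key><string>evaluate-mechanisms</string><key>mechanisms</key>"
                 + _strings("builtin:prelogin", "NameAndPassword:invoke",
                            "builtin:authenticate,privileged", "loginwindow:done"))
SCREENSAVER_DEFAULT = _plist("<key>class</key><string>rule</string><key>rule</key>"
                             + _strings("authenticate-session-owner-or-admin"))
SCREENSAVER_MODIFIED = _plist("<key>class</key><string>rule</string><key>rule</key>"
                              + _strings("NameAndPassword:invoke"))
# Hypothetical plug-in name, used only to show the privileged flag being reported.
HYPOTHETICAL = _plist("<key>class</key><string>evaluate-mechanisms</string><key>mechanisms</key>"
                      + _strings("ExamplePlugin:check,privileged"))

if __name__ == "__main__":
    for name, data in [("system.login.console", CONSOLE),
                       ("system.login.screensaver", SCREENSAVER_MODIFIED)]:
        print("\n".join(audit_right(name, data)) or f"{name}: clean")
```
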

Authorisation plug-ins are hard, so there’s no way I can provide the level of support you need here on DevForums. I recommend that you open a DTS tech support incident so that I can allocate more time to your issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
