@ pradeepfromsymc
>> Using SFAuthorizationPluginView also helps me display the UX and invoke my app
I have written an authorization plugin using SFAuthorizationPluginView and it does get invoked at the lock screen, but it doesn't display the UI at all. I get an alert box saying "You must enter your password to continue" with OK and Cancel buttons.
If I just set the rule (method below) to "authenticate-session-owner-or-admin" in system.login.screensaver, while not adding the mechanism of my Authorization Plugin to 'authenticate', then I get editable username and password fields and I can log in with native macOS credentials.
@eskimo
>> use-login-window-ui
>> If you remove that then you fall back to a legacy code path that is compatible with third-party authorisation plug-ins
I've tried to invoke my Authorization Plugin at the lock screen by doing this. But it displays only a black screen if I write my mechanism in the "authenticate" entry of authdb. It displays username and password fields (NOT a feature of my auth plugin) if the "authenticate" entry of authdb is not changed.
I've tried this:
sudo security authorizationdb write system.login.screensaver < myfile.plist
The file is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
<key>created</key>
<real>619370235.93105304</real>
<key>modified</key>
<real>619370235.93105304</real>
<key>rule</key>
<array>
<string>authenticate-session-owner-or-admin</string>
</array>
<key>session-owner</key>
<true/>
<key>version</key>
<integer>1</integer>
</dict>
</plist>
I've used this file also:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>592759977.27845001</real>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>CustomAuthorizationPlugin:invoke</string>
<string>builtin:authenticate,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
</array>
<key>rule</key>
<array>
<string>authenticate-session-owner-or-admin</string>
</array>
<key>modified</key>
<real>601410763.90900505</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
I've changed the authenticate entry of authDB using:
sudo security authorizationdb write authenticate < myfile.plist
My file for it is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>619370235.93105304</real>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>CustomAuthorizationPlugin:invoke</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
</array>
<key>modified</key>
<real>619370235.93105304</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
I've even tried this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>619370235.93105304</real>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>CustomAuthorizationPlugin:invoke</string>
</array>
<key>modified</key>
<real>619370235.93105304</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
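A pre-flight check for a right definition before it goes through `security authorizationdb write` (an added example, not code from this thread; the sample plist is constructed after the second file above, which repeats the "modified" key, and the class names and mechanism syntax are those used by the files in the post). Back the current right up first with `security authorizationdb read <right> > backup.plist`, since the write replaces it wholesale.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the second file in the post: two "modified" keys
# in one dict. plistlib keeps only the last value and reports nothing.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key><string>user</string>
<key>group</key><string>admin</string>
<key>mechanisms</key>
<array>
<string>CustomAuthorizationPlugin:invoke</string>
<string>builtin:authenticate,privileged</string>
</array>
<key>modified</key><real>601410763.90900505</real>
<key>modified</key><real>498674468.80855602</real>
<key>shared</key><false/>
<key>tries</key><integer>10000</integer>
</dict>
</plist>
"""

VALID_CLASSES = {"user", "rule", "evaluate-mechanisms"}

def duplicate_keys(data: bytes) -> list:
    """Walk the top-level <dict> as XML so repeated keys are visible."""
    top = ET.fromstring(data).find("dict")
    keys = [k.text for k in top if k.tag == "key"]
    return sorted({k for k in keys if keys.count(k) > 1})

def check_right(data: bytes) -> list:
    """Return a list of problems; an empty list means the file is safe to write."""
    problems = ["duplicate key: " + k for k in duplicate_keys(data)]
    right = plistlib.loads(data)
    cls = right.get("class")
    if cls not in VALID_CLASSES:
        problems.append("unknown class: %r" % cls)
    if cls == "rule" and not right.get("rule"):
        problems.append("class rule needs a non-empty rule array")
    for mech in right.get("mechanisms", []):
        # Each entry names a plug-in and a mechanism, optionally ",privileged".
        name, _, flag = mech.partition(",")
        if ":" not in name or flag not in ("", "privileged"):
            problems.append("malformed mechanism: " + mech)
    if "tries" in right and right["tries"] <= 0:
        problems.append("tries must be positive")
    return problems
```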