diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
index 09c307ef..4bc86567 100644
--- a/dom0/sd-clean-all.sls
+++ b/dom0/sd-clean-all.sls
@@ -1,6 +1,8 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
+{% import_json "sd/config.json" as d %}
+
 set-fedora-as-default-dispvm:
   cmd.run:
     - name: qvm-check fedora-30-dvm && qubes-prefs default_dispvm fedora-30-dvm || qubes-prefs default_dispvm ''
@@ -29,9 +31,11 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
-sd-cleanup-crontab:
+sd-cleanup-etc-changes:
   file.replace:
-    - name: /etc/crontab
+    - names:
+      - /etc/crontab
+      - /etc/systemd/logind.conf
     - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
     - flags:
       - MULTILINE
@@ -39,6 +43,12 @@ sd-cleanup-crontab:
     - repl: ''
     - backup: no
 
+{% if d.environment == "prod" or d.environment == "staging" %}
+apply-systemd-changes:
+  cmd.run:
+    - name: sudo systemctl restart systemd-logind
+{% endif %}
+
 sd-cleanup-sys-firewall:
   cmd.run:
     - names:
diff --git a/dom0/sd-dom0-systemd.sls b/dom0/sd-dom0-systemd.sls
new file mode 100644
index 00000000..849f7752
--- /dev/null
+++ b/dom0/sd-dom0-systemd.sls
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+##
+# Updates to systemd configuration in dom0
+##
+
+{% import_json "sd/config.json" as d %}
+{% if d.environment == "prod" or d.environment == "staging" %}
+# Power off instead of suspend on lid close, for security reasons, but only in
+# prod and staging, to avoid interfering with developer workflows
+dom0-poweroff:
+  file.blockreplace:
+    - name: /etc/systemd/logind.conf
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        HandleLidSwitch=poweroff
+
+apply-systemd-changes:
+  cmd.run:
+    - name: sudo systemctl restart systemd-logind
+{% endif %}
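Review bot: The new `apply-systemd-changes` state in the third hunk of sd-clean-all.sls restarts systemd-logind on every run, because the `cmd.run` has no requisite tying it to the `file.replace` that edits /etc/systemd/logind.conf; the same applies to the `apply-systemd-changes` state in the new sd-dom0-systemd.sls. Restarting logind on a live dom0 can disrupt active sessions on some systemd versions, so it should only fire when the config actually changed: add `- onchanges:` followed by `- file: sd-cleanup-etc-changes` under the `cmd.run` (and `- file: dom0-poweroff` in sd-dom0-systemd.sls). The `sudo` in the command looks redundant if these states run as root via qubesctl, as dom0 states normally do; confirm before dropping it. Note also that the cleanup `file.replace` runs in every environment while the restart is gated on prod/staging, so a block applied under prod and cleaned under a dev config would be stripped from logind.conf without a restart.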
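Review bot: The `dom0-poweroff` block in sd-dom0-systemd.sls sets only `HandleLidSwitch=poweroff`, which does not cover the docked case: logind applies `HandleLidSwitchDocked` (default `ignore`) when an external display is connected, so the stated security intent of powering off on lid close would not hold for a docked workstation. If that case should also power off, extend the block content to `HandleLidSwitch=poweroff` and `HandleLidSwitchDocked=poweroff`, and consider whether `HandleLidSwitchExternalPower` needs the same on newer systemd versions. Separately, `append_if_not_found: True` would read more consistently with the rest of the file as lowercase `true`.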
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
index e4d73589..55aefbf9 100644
--- a/dom0/sd-workstation.top
+++ b/dom0/sd-workstation.top
@@ -6,6 +6,7 @@ base:
     - sd-sys-vms
     - sd-dom0-files
     - sd-dom0-crontab
+    - sd-dom0-systemd
     - sd-workstation-template
     - sd-upgrade-templates
     - sd-dom0-qvm-rpc