Skip to main content

Don't know if this script is suitable for anyone other than us, but since I spent the morning writing it, I figured I'd share. Feel free to modify and offer suggestions to it. Basically what it does is set up the correct groups on the local machine to allow the Remote Management sharing service to handle directory-based authentication, fill the groups with a directory user name and reset all of your other options for use with ARD.

We still use ARD here as a classroom control device but it's nice to still be able to use it as a tool in my toolbox, though I am relying on it less and less by the day.

#!/bin/sh

# This script will uninstall all existing ARD settings, create the four groups needed to
# allow access by a directory services user, enable a given directory services user for
# ARD access and re-set all existing local settings to our organization's liking. Feel
# free to tweak as needed

# MORE REFERENCE INFORMATION ABOUT POTENTIAL VARIABLE VALUES CONTAINED HERE
# For DIRECTORYSERVICESUSERNAME, you would use the shortname of an AD user, but should work with other services as well. 
# For RIGHTSLEVELFORDSUSER, valid values are ard_admin, ard_interact, ard_manage or ard_reports. Consult "http://afp548.com/2005/08/12/apple-remote-desktop-directory-based-authentication" for more information.
# For LEGACYVNCPASSWORD, I am very open to anyone finding a way to avoid a clear-text password. If you must use this password in clear-text, do not distribute your finally-compiled script to anyone at the very least. If you don't use the legacy vnc password for any reason, comment out line 65-66 of the script.
# For EXISTINGMANAGEMENTUSER1 and EXISTINGMANAGEMENTUSER2, we have two local users on all our Mac workstations used for various purposes. If you don't want to use them, comment out lines 55 and 56 of this script.

# DECLARE THE ACTUAL VARIABLES HERE
DIRECTORYSERVICESUSERNAME=""
RIGHTSLEVELFORDSUSER=""
LEGACYVNCPASSWORD=""
EXISTINGMANAGEMENTUSER1=""
EXISTINGMANAGEMENTUSER2=""

# Uninstall all existing ARD settings and prefs
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -uninstall -settings -prefs
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -restart -agent -console

# Create all four required groups on the local Mac to allow ARD access using Directory Services.
dscl . -create /Groups/ard_admin
dscl . -create /Groups/ard_admin PrimaryGroupID "530"
dscl . -create /Groups/ard_admin Password "*"
dscl . -create /Groups/ard_admin RealName "ard_admin"
dscl . -create /Groups/ard_admin GroupMembers ""
dscl . -create /Groups/ard_admin GroupMembership ""
dscl . -create /Groups/ard_interact
dscl . -create /Groups/ard_interact PrimaryGroupID "531"
dscl . -create /Groups/ard_interact Password "*"
dscl . -create /Groups/ard_interact RealName "ard_interact"
dscl . -create /Groups/ard_interact GroupMembers ""
dscl . -create /Groups/ard_interact GroupMembership ""
dscl . -create /Groups/ard_manage
dscl . -create /Groups/ard_manage PrimaryGroupID "532"
dscl . -create /Groups/ard_manage Password "*"
dscl . -create /Groups/ard_manage RealName "ard_manage"
dscl . -create /Groups/ard_manage GroupMembers ""
dscl . -create /Groups/ard_manage GroupMembership ""
dscl . -create /Groups/ard_reports
dscl . -create /Groups/ard_reports PrimaryGroupID "533"
dscl . -create /Groups/ard_reports Password "*"
dscl . -create /Groups/ard_reports RealName "ard_reports"
dscl . -create /Groups/ard_reports GroupMembers ""
dscl . -create /Groups/ard_reports GroupMembership ""

# Add the AD Username to have VPN access to the group using the variable defined.
dseditgroup -o edit -a $DIRECTORYSERVICESUSERNAME -t user $RIGHTSLEVELFORDSUSER

# Enable ARD service and set privileges for our local users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -activate -configure -access -on -privs -all -users $EXISTINGMANAGEMENTUSER1 -restart -agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -access -on -users $EXISTINGMANAGEMENTUSER2 -privs -ControlObserve -TextMessages -RestartShutDown -ShowObserve -OpenQuitApps -GenerateReports -restart -agent

# Restrict ARD service access to specific users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -allowAccessFor -specifiedUsers

# Enable ARD directory authentication options
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setdirlogins -dirlogins yes

# Set other Misc ARD Options
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setvnclegacy -vnclegacy yes
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setvncpw -vncpw $LEGACYVNCPASSWORD
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setmenuextra -menuextra yes

# Restart ARDAgent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -restart -agent -console

exit 0

DELETE POST

Thanks so much for this script! It works perfectly for network user ard authentication.

However, I am trying to modify it to include domain groups but I am not having any success. I tried adding "<domain><group>" to the DIRECTORYSERVICESUSERNAME variable and I am not able to authenticate.

I tried only entering the group name without the domain, to no avail. And I also tried changing 'user' to 'group' on line 54.

I found at least two resources that describe this the exact same way but I still cannot get it to work. Any ideas? Thanks.

https://applemanagers.unt.edu/docs/sop/configure-ard-clients-ad-authentication
http://mattsmacblog.wordpress.com/tag/admin/

So I'm not sure what I did differently but I was finally able to get the AD groups working by using the AD group name for the DIRECTORYSERVICEUSERNAME varialbe and changing 'user' to 'group' on line 54.

The only issue that remains is that I am not noticing a discernable difference between the different levels of ARD permission groups. No matter which ARD group I add the AD group to, it seems to provide the same rights and permissions as the ard_manage group should. Right now, this isn't much of a concern though since I am using a tweaked version of the script for each AD group that needs access (teacher -> students, IT -> everyone).

In case it helps anyone, here is my version of the above script with those tweaks I mentioned:

#!/bin/sh

# This script will uninstall all existing ARD settings, create the four groups needed to
# allow access by a directory services user, enable a given directory services user for
# ARD access and re-set all existing local settings to our organization's liking. Feel
# free to tweak as needed

# MORE REFERENCE INFORMATION ABOUT POTENTIAL VARIABLE VALUES CONTAINED HERE
# For DIRECTORYSERVICESUSERNAME, you would use the shortname of an AD user, but should work with other services as well. 
# For RIGHTSLEVELFORDSUSER, valid values are ard_admin, ard_interact, ard_manage or ard_reports. Consult "http://afp548.com/2005/08/12/apple-remote-desktop-directory-based-authentication" for more information.
# For LEGACYVNCPASSWORD, I am very open to anyone finding a way to avoid a clear-text password. If you must use this password in clear-text, do not distribute your finally-compiled script to anyone at the very least. If you don't use the legacy vnc password for any reason, comment out line 65-66 of the script.
# For EXISTINGMANAGEMENTUSER1 and EXISTINGMANAGEMENTUSER2, we have two local users on all our Mac workstations used for various purposes. If you don't want to use them, comment out lines 55 and 56 of this script.

# DECLARE THE ACTUAL VARIABLES HERE
DIRECTORYSERVICESUSERNAME1="IT"
RIGHTSLEVELFORDSUSER1="ard_admin"
DIRECTORYSERVICESUSERNAME2="Teachers"
RIGHTSLEVELFORDSUSER2="ard_interact"
# LEGACYVNCPASSWORD=""
EXISTINGMANAGEMENTUSER1="admin"
# EXISTINGMANAGEMENTUSER2=""

# Uninstall all existing ARD settings and prefs
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -uninstall -settings -prefs
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -restart -agent -console

# Create all four required groups on the local Mac to allow ARD access using Directory Services.
dscl . -create /Groups/ard_admin
dscl . -create /Groups/ard_admin PrimaryGroupID "530"
dscl . -create /Groups/ard_admin Password "*"
dscl . -create /Groups/ard_admin RealName "ard_admin"
dscl . -create /Groups/ard_admin GroupMembers ""
dscl . -create /Groups/ard_admin GroupMembership ""
dscl . -create /Groups/ard_interact
dscl . -create /Groups/ard_interact PrimaryGroupID "531"
dscl . -create /Groups/ard_interact Password "*"
dscl . -create /Groups/ard_interact RealName "ard_interact"
dscl . -create /Groups/ard_interact GroupMembers ""
dscl . -create /Groups/ard_interact GroupMembership ""
dscl . -create /Groups/ard_manage
dscl . -create /Groups/ard_manage PrimaryGroupID "532"
dscl . -create /Groups/ard_manage Password "*"
dscl . -create /Groups/ard_manage RealName "ard_manage"
dscl . -create /Groups/ard_manage GroupMembers ""
dscl . -create /Groups/ard_manage GroupMembership ""
dscl . -create /Groups/ard_reports
dscl . -create /Groups/ard_reports PrimaryGroupID "533"
dscl . -create /Groups/ard_reports Password "*"
dscl . -create /Groups/ard_reports RealName "ard_reports"
dscl . -create /Groups/ard_reports GroupMembers ""
dscl . -create /Groups/ard_reports GroupMembership ""

# Add the AD Username to have VPN access to the group using the variable defined.
dseditgroup -o edit -a $DIRECTORYSERVICESUSERNAME1 -t group $RIGHTSLEVELFORDSUSER1
dseditgroup -o edit -a $DIRECTORYSERVICESUSERNAME2 -t group $RIGHTSLEVELFORDSUSER2

# Enable ARD service and set privileges for our local users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -activate -configure -access -on -privs -all -users $EXISTINGMANAGEMENTUSER1 -restart -agent
# /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -access -on -users $EXISTINGMANAGEMENTUSER2 -privs -ControlObserve -TextMessages -RestartShutDown -OpenQuitApps -GenerateReports -restart -agent
#  ^removed -ShowObserve 

# Restrict ARD service access to specific users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -allowAccessFor -specifiedUsers

# Enable ARD directory authentication options
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setdirlogins -dirlogins yes

# Set other Misc ARD Options
# /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setvnclegacy -vnclegacy yes
# /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setvncpw -vncpw $LEGACYVNCPASSWORD
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -configure -clientopts -setmenuextra -menuextra no

# Restart ARDAgent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -quiet -restart -agent -console

exit 0

Thanks rcastorani.
Your mod'd script is exactly what I was looking for.
I have now granted ARD access to a specific Active Directory security group in addition to our local admin account thanks to this script.
I've been looking for a solution to this for months.

Terms & ConditionsCookie settingsAccessibility statement