I think what is tripping this all up is that even without using the API call to enable / disable remote desktop, your ARD code will still change the button behaviour in Jamf Pro.
E.g. it will say that it's been enabled but you are still seeing the blank screen. You want your script to first enable via API, then make ARD setting changes after this and it should work.
At a guess, I think your script needs to have a variable set for the machine UUID; I couldn't see that in your examples, and it is required to pull the Jamf Pro ID from the API like you have added.
machineUUID=$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/awk '/IOPlatformUUID/ { gsub(/"/,"",$3); print $3; }')
Hello. I'm just getting back into this. Man... Work just gets in the way. I finally had a chance to do more testing.
@Bol wrote:
I think what is tripping this all up is that even without using the API call to enable / disable remote desktop, your ARD code will still change the button behaviour in Jamf Pro.
Yeah... Actually you're right. I tested this out on a couple of machines with just the original code I had below. As mentioned it works, but it goes blank when I initiate an ARD session.
#!/bin/sh
#enables screen share for specifiedusers then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
#specifies user then sets permissions for specified user then restarts agent
#replace [user1],[user2] with your local account
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent
So in Jamf Pro, I went into a computer's Management tab and clicked the Disable Remote Desktop button, refreshed my screen, then did it again a few times (which I thought was quirky) until I got the Enable Remote Desktop button. Once I got that, I was able to ARD into the workstation as normal.


More testing...
I was trying to figure out why the API call was failing. It's still not resolved. I still kept on getting errors. I tried what you said, with my limited experience in any API calls.
@Bol wrote:
You want your script to first enable via API, then make ARD setting changes after this and it should work.
So I tried to place it on two Policies to "first enable via API" then my ARD script: Failed.
I even added all in one Policy: no go.
#!/bin/sh
# required to pull the jamf pro id from API
machineUUID=$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/awk '/IOPlatformUUID/ { gsub(/"/,"",$3); print $3; }')
# API
computerrecord=$( /usr/bin/curl --request GET \
--url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \
--silent \
--header "Authorization: Bearer $token" )
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$computerrecord\`).results[0].id" )
#enables screen share for specifiedusers then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
#specifies user then sets permissions for specified user then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent
@Bol wrote:
My workflow is roughly;
Generate Token
Get Jamf Computer ID
Set Apple Remote Desktop via API
Set Apple Remote Desktop via Kickstart
Expire Token
Wow! That's a lot. I'll have to dig into this further.
@Bol wrote:
https://richard-purves.com/2021/12/09/jamf-pro-api-for-fun-and-profit/
To be continued...
@kwoodard wrote:
Any update on this? I would love to create a profile or policy that I can scope my computers to to get this turned on.
You can use this if basic authentication is still enabled;
/usr/bin/curl -Ssu "${jamfpro_user}:${jamfpro_password}" "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${computerID}" -X POST
Otherwise, this command enables remote desktop;
/usr/bin/curl --request POST \
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \
--silent \
--header "Authorization: Bearer $token"
Jamf - Creates a new computer command using command name and device IDs
@Bol do you recommend scripting it and running after enrollment or Files and Processes?
Hello all. I think I'm having the same issue. The behavior I'm experiencing is that I can ARD to the machines. It indicates that it's connected and on the client end it's "being observed." However, on my end the screen is completely blank. I found that the quick fix is to manually toggle the System Preferences/Sharing/Remote Management OFF and ON again. I had never had an issue until Monterey. Same issue? Any suggestions?
This is what I'm using.
(Special thanks to "RossMadness." Source Link: https://www.reddit.com/r/macsysadmin/comments/f2recc/apple_remote_desktop_and_jamf_pro/fhec8aj/)
==================
#!/bin/sh
#enables screen share for specifiedusers then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
#specifies user then sets permissions for specified user then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent
==================
I preload my system admin profiles (user1, user2, etc.) during the pre-stage enrollment.
@HappyTrails Did you ever find a solution?
Hello Bol. First off, thanks for the quick response. I appreciate your and everyone else's feedback on this post. 'Still new to this. This has given me something else new to try.
"Although the blank screen can only be fixed by enabling Remote Desktop via MDM. Add into your script an API call to do this and it will work again." -So does this look about right?
==================
#!/bin/sh
#enables screen share for specifiedusers then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
#specifies user then sets permissions for specified user then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent
computerrecord=$( /usr/bin/curl --request GET \
--url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \
--silent \
--header "Authorization: Bearer $token" )
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$computerrecord\`).results[0].id" )
==================
My tests so far:
- So from what you did, I disabled remote desktop to my Test-1 machine in Jamf.

- I noticed immediately that it did in fact disable it when I checked my ARD console: I couldn't remote in.
- I also noticed that in Jamf on my Test-1 machine, after a refresh, there was no "Enable Remote Desktop."
- Afterwards following the steps you took, I created a Policy with the following script: unfortunately failed. Maybe I wasn't doing it right.
==========
/usr/bin/curl --request POST \
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \
--silent \
--header "Authorization: Bearer $token"
=========
3. So then I saw your reference to the Richard-Purves post on the API script and created another policy with the following script below.
==================
computerrecord=$( /usr/bin/curl --request GET \
--url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \
--silent \
--header "Authorization: Bearer $token" )
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$computerrecord\`).results[0].id" )
====================
- When I scoped this to my Test-1 machine, it ran and appeared to have been applied (the machine log indicated that it executed).
- However in Jamf Pro it indicated that it failed.
- BUT! Interestingly enough, though... My Test-1 machine in Jamf now shows that Enable Remote Desktop. I clicked it and it worked. Once I did that, it does not show “Disable Remote Desktop.”
- Is this a normal behavior?
- How can I disable it so I can test if my script above will work?

@HappyTrails sometimes I have to press enable and disable twice, refresh the page, twice, and then it will show an updated status of Remote Desktop. However, the command seems to execute after the first attempt, even though the console does not reflect that. I figured this was due to cache or something related to the browser and the way Jamf communicates back to Management tab.
I get the workflow. It makes sense. I’m not a programmer (I use mostly the GUI, but I do have some smaller and less complex scripts for some things), so I’m banging my head on my desk trying to get the coding sorted out. I’m not seeing how to turn on Remote Management via the API and I don’t know how to integrate the token into it (and the kickstart) to make this work. Can you share your code?
Working on this also. If I find a solution I will post it. Similar reasons.
@HappyTrails sometimes I have to press enable and disable twice, refresh the page, twice, and then it will show an updated status of Remote Desktop. However, the command seems to execute after the first attempt, even though the console does not reflect that. I figured this was due to cache or something related to the browser and the way Jamf communicates back to Management tab.
Thanks. Good to know. 'Sounds like a normal behavior. So far this is just a work-around until we figure this out. This is definitely better than toggling Remote Management off/on locally on a machine.
@HappyTrails wrote:
Wow! That's a lot. I'll have to dig into this further.
:D It was a lot less originally, two lines with kickstart but then had to add api call, now bearer tokens! Nice sleuthing, it's all sounding very familiar to me again.
You pretty much have it but I think you may have forgotten to generate an auth token before making a call to the API. If you add that in, early in the script I believe it should work. Let me know if not!
This seems far more complex than it should be. I shouldn’t have to be a programmer to get something like this enabled. Should be a check box in a configuration profile. I’m so glad there are people that know how to do this kind of programming and willing to help. This one has me lost. Injecting a bearer token is just words to me.
I agree 100%. These little changes have big impacts on workflow. Speaking of @kwoodard and @HappyTrails, have you found a solution?
I have not. I thought I had something, but it doesn’t work on Monterey.
@kwoodard @rcole My head just can't get around the layout in this forum sometimes, sorry I missed your replies.
I generally step through any line of code I haven't written and my script had a few things specific to my environment that I wasn't sure if necessary anymore.
I will post my script today and just explain a couple of things you might need to consider. Hopefully it will get things working again for you.
This seems far more complex than it should be. I shouldn’t have to be a programmer to get something like this enabled. Should be a check box in a configuration profile. I’m so glad there are people that know how to do this kind of programming and willing to help. This one has me lost. Injecting a bearer token is just words to me.
This is a Jamf thing to remove security issues in the product and move to a more modern API, I believe. I'm new to it all too, can be overwhelming but the community is full of great minds / bloggers which helps me a lot.
Thanks for having a look.
@Bol wrote:
... generate an auth token before making a call to the api.
How do I do that? Did I miss it? What line sample was that? -I'll have to give it a shot.
I have not. I thought I had something, but it doesn’t work on Monterey.
Likewise, I have not. I thought I had it, but Bol has been giving me some things to try. I've been slacking, due to work getting in the way. 😓
-But discovered how I can poke at it remotely to wake it up again by Disable Remote Desktop when I need to, as mentioned above.
To review, here's my current workflow...
1st - a policy to create local admin accounts during my pre-stage enrollment

2nd - my ARD script


Script: Special thanks to "RossMadness." Source Link: https://www.reddit.com/r/macsysadmin/comments/f2recc/apple_remote_desktop_and_jamf_pro/fhec8aj/
==================
#!/bin/sh
#enables screen share for specifiedusers then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
#specifies user then sets permissions for specified user then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent
==================
3rd - workaround, as mentioned above as needed:
In Jamf Pro, I went into a computer's Management tab and clicked the Disable Remote Desktop button, refreshed my screen, then did it again a few times (which I thought was quirky) until I got the Enable Remote Desktop button. Once I got that, I was able to ARD into the workstation as normal.


@Bol Would love to see your script and any other policies/PPPC that you are using.
I figured out a simple way to enable Remote Management using a script and a custom trigger that seems to work now.
Create a script like this:
#!/bin/sh
#Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
exit 0
... attach it to a policy, use a custom trigger, run that in Terminal or set it to run itself after enrollment. I'm testing it now, seems to work.
Step #3 seems like the only other way to Enable Remote Desktop for now as well as messing with the API.
That’s what I have been using. Even with a PPPC profile, black screen on Monterey. I have resorted to keeping the PPPC and manually checking the Remote Management box and selecting all the options on each machine. Not ideal, but it’s working for now.
This is my script to enable ARD/screen sharing on Monterey/M1
#!/bin/bash
jamf_User="$4"
jamf_Pass="$5"
# Get the Jamf instance URL from the computer
jss_Url=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )
#Kick start command
KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
echo "Enabling ARD..."
# generate base64-encoded credentials
encoded_creds=$(printf '%s:%s' "$jamf_User" "$jamf_Pass" | iconv -t ISO-8859-1 | base64 -i -)
# generate an auth token. tr removes all line feeds
authToken=$( /usr/bin/curl -s "${jss_Url}api/v1/auth/token" -H "authorization: Basic ${encoded_creds}" -X POST | tr -d "\n" )
# parse token, remove expiration date
token=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$authToken\`).token" )
# Get Mac serial number
mac_serial=`system_profiler SPHardwareDataType | awk '/Serial/ {print $4}'`
echo "Mac serial: $mac_serial"
# Get ID of the Mac from Jamf
JAMF_ID=$(curl --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' -)
#echo "Jamf ID: $JAMF_ID"
#Send MDM command to enable remote desktop for this mac
/usr/bin/curl --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST
## Enable ARD options using the kickstart command
"$KICK_START_BINARY" -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers
# expire the auth token
/usr/bin/curl "${jss_Url}uapi/auth/invalidateToken" --silent --request POST --header "Authorization: Bearer $token"
exit 0
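The five-step workflow discussed in this thread (generate token, get Jamf computer ID, enable via API, kickstart, expire token), as an added example that is not code from any poster here: every step is checked, so a missing token or computer ID stops the run instead of failing quietly, and access is limited to named users as in the earlier kickstart posts. The function names, the `CURL`/`KICKSTART` override variables, parameter `$6` for the ARD user list, the `api/v1/auth/invalidate-token` endpoint and the assumed `<general><id>` XML layout are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): the token workflow with every step checked.
# Function names and the CURL/KICKSTART override variables are illustrative.

CURL="${CURL:-/usr/bin/curl}"
KICKSTART="${KICKSTART:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart}"

# Extract one string field from a flat JSON object as plain text (nothing is evaluated).
json_field() {  # $1 = field name, $2 = JSON text
    printf '%s' "$2" | tr -d '\n' |
        sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 1: generate a bearer token; fail unless the reply holds a well-formed token.
get_token() {  # $1 = Jamf URL with trailing slash, $2 = API user, $3 = API password
    resp=$("$CURL" --silent --fail --request POST --user "$2:$3" \
        "${1}api/v1/auth/token") || return 1
    tok=$(json_field token "$resp")
    case "$tok" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    printf '%s' "$tok"
}

# Step 2: look up the Jamf computer ID by serial; only a purely numeric ID is accepted.
# Assumes the Classic API reply places <id> directly after <general>.
get_computer_id() {  # $1 = Jamf URL, $2 = token, $3 = serial number
    case "$3" in ''|*[!A-Za-z0-9]*) return 1 ;; esac   # the serial becomes part of a URL
    xml=$("$CURL" --silent --fail --header "Authorization: Bearer $2" \
        "${1}JSSResource/computers/serialnumber/${3}") || return 1
    id=$(printf '%s' "$xml" | tr -d '\n' |
        sed -n 's/.*<general>[[:space:]]*<id>\([0-9][0-9]*\)<\/id>.*/\1/p')
    [ -n "$id" ] || return 1
    printf '%s' "$id"
}

# Step 5: expire the token; a failure here must not hide the real result.
expire_token() {  # $1 = Jamf URL, $2 = token
    "$CURL" --silent --output /dev/null --request POST \
        --header "Authorization: Bearer $2" "${1}api/v1/auth/invalidate-token" || true
}

enable_ard() {  # $1 = Jamf URL, $2 = API user, $3 = API password, $4 = serial, $5 = ARD users "a,b"
    token=$(get_token "$1" "$2" "$3") || { echo "ARD: no token, stopping" >&2; return 10; }
    rc=0
    id=$(get_computer_id "$1" "$token" "$4") || rc=11
    if [ "$rc" -eq 0 ]; then   # step 3: send the MDM command first ...
        "$CURL" --silent --fail --output /dev/null --request POST \
            --header "Authorization: Bearer $token" \
            "${1}JSSResource/computercommands/command/EnableRemoteDesktop/id/${id}" || rc=12
    fi
    if [ "$rc" -eq 0 ]; then   # step 4: ... then apply the kickstart settings
        "$KICKSTART" -activate -configure -allowAccessFor -specifiedUsers -restart -agent &&
        "$KICKSTART" -configure -users "$5" -access -on -privs -all \
            -clientopts -setmenuextra -menuextra no -restart -agent || rc=13
    fi
    expire_token "$1" "$token"   # runs on success and on every failure after step 1
    [ "$rc" -eq 0 ] || echo "ARD: stopped with code $rc" >&2
    return "$rc"
}

# Jamf policy parameters start at $4: $4 = API user, $5 = API password, $6 = ARD users.
if [ "$#" -ge 6 ]; then
    jss_url=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)
    serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
    enable_ard "$jss_url" "$4" "$5" "$serial" "$6"
    exit $?
fi
```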
Will this work on Intel Macs as well?
That’s what I have been using. Even with a PPPC profile, black screen on Monterey. I have resorted to keeping the PPPC and manually checking the Remote Management box and selecting all the options on each machine. Not ideal, but it’s working for now.
Same here.
Thank you. I'll have to give it a shot. To be continued...
This is fantastic and very intriguing @junjishimazaki. Thanks, for sharing this. I've found that my script above works as well on Monterey. Give it a try, it's more simple and doesn't require auth tokens. I'm still testing it, However, this is awesome!
I tried using the kickstart on the M1 and it didn't work which is why I ended up using curl to send the command to enable remote desktop. Then I use kickstart to allow the users.
I am still having issues... I have tried the script provided by @junjishimazaki and although it appears to send successfully and I have a PPPC in place, I am getting the following error in ARD...
connectionFailed
serverUnableToReadScreenMessage
Any ideas?