
Hi All,

I've come across a strange issue stopping me rolling out M1 MacBook Pros to our users to replace older Intel machines.

I'm unable to use ARD to screen share onto an M1 Mac in these scenarios:

FileVault on and Firewall on

FileVault on and Firewall off

Works if FileVault is off and Firewall on, or FileVault is on and Firewall is off.

I've tested a MacBook Pro 14-inch and 16-inch M1 running Monterey 12.0 through to 12.2 with the same result.

If I test an Intel Mac with the same FileVault/Firewall on, ARD works no problem.

Not sure if I've missed something daft on these M1 machines or a bug in Monterey on Apple silicon.

Cheers,

Robert.

Hi kwoodward, I don't use a config profile. I only use the script and it works for me on M1/Intel macs. 


On the off-chance that the eardm2 function proves helpful:

https://snelson.us/2022/05/bz-please/


This is my script to enable ARD/screen sharing on Monterey/M1

#!/bin/bash

# Jamf policy script parameters 4 and 5: the API account and its password.
# Use a dedicated API account with only the rights this script needs.
jamf_User="$4"
jamf_Pass="$5"
# Get the Jamf instance URL from the computer
jss_Url=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )
# Kickstart command
KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

echo "Enabling ARD..."

# Base64-encode the credentials for HTTP Basic auth (this is encoding, not encryption).
# printf '%s' keeps a password containing '%' or '\' from being treated as a format string.
encoded_creds=$( printf '%s' "${jamf_User}:${jamf_Pass}" | iconv -t ISO-8859-1 | base64 )

# Request a bearer token. tr removes the line feeds from the response.
authToken=$( /usr/bin/curl -s "${jss_Url}api/v1/auth/token" -H "authorization: Basic ${encoded_creds}" -X POST | tr -d '\n' )

# Parse the token out of the JSON, dropping the expiration date.
# The JSON is passed to JXA as an argument rather than pasted into the script source,
# so nothing in the response can be interpreted as JavaScript.
token=$( /usr/bin/osascript -l JavaScript -e 'function run(argv) { return JSON.parse(argv[0]).token; }' "$authToken" )
if [ -z "$token" ]; then
    echo "Failed to obtain an API token from ${jss_Url}"
    exit 1
fi

# Get Mac serial number
mac_serial=$( system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' )
echo "Mac serial: $mac_serial"

# Get the Jamf computer ID for this serial (Classic API, XML response)
JAMF_ID=$( /usr/bin/curl -s --header "Authorization: Bearer $token" --header "accept: text/xml" "${jss_Url}JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' - )
#echo "Jamf ID: $JAMF_ID"
if [ -z "$JAMF_ID" ]; then
    echo "No computer with serial ${mac_serial} found in Jamf"
    /usr/bin/curl -s "${jss_Url}uapi/auth/invalidateToken" --request POST --header "Authorization: Bearer $token"
    exit 1
fi

# Send the MDM command to enable Remote Desktop for this Mac
/usr/bin/curl -s --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST

## Enable ARD options using the kickstart command
"$KICK_START_BINARY" -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers

# Expire the auth token
/usr/bin/curl "${jss_Url}uapi/auth/invalidateToken" --silent --request POST --header "Authorization: Bearer $token"

exit 0


Do you mind if I implement some of your API calls into a script in a public repo and add you to the file header as a contributor?


I don't mind. Go ahead


Thanks! I'll publish my variant of the script once I get some testing done on it.


Sounds good and thank you. 


I still can’t get my Intel based Macs working. Your script works perfectly on M1 macs. 


I don't understand; this should work on either one. All it does is send the command. It works fine for me on Intel and on M1. When you run it, do you get any error messages?


Do you happen to know the minimum API permissions needed to perform these functions?


I get the following error when I try to connect via Apple Remote Desktop or the built-in VNC…

connectionFailed

serverUnableToReadScreenMessage


Thank you very much for this. This resolved the ARD screenshare error on the Intel/Monterey devices we have. Will also use this for the M1/Monterey.


But, what error message do you get when you run the policy from Jamf?


I don't get any error in Jamf. As far as Jamf thinks, it installed correctly. In use, I get that popup message from any computer trying to connect to any Intel Mac, using ARD. It's perplexing to be sure.


Have you tried running the script locally on the mac?


I have; I get the same error when trying to connect from a different Mac using ARD. Again, only affecting the Intel Macs.


Do you have any Config profiles deployed that would affect this? 


Nope, sure don't.


Is the kickstart PPPC no longer required if you use the API to enable?

FWIW this applies to a mix of T2s and Apple Silicon for us.


My script doesn't require the kickstart PPPC since the script handles it anyway.  


Truly bizarre. Do you have the firewall enabled on the Mac?


Nope, this is affecting every Intel Mac on macOS 12...unless I had manually flipped on Remote Management.


Hello all.  I'm just now finally getting back on this.  Here's an update...

  1. Enable Remote Desktop from the Jamf Pro Computer Management:
    • So far, the workaround of manually enabling Remote Desktop from the Jamf Pro Computer Management works, except for one thing. I can remote to the workstation; however, I can initiate a restart, a reboot, etc. from the ARD tools. After investigating, I found that the options for Enable Remote Desktop from the Jamf Pro Computer Management are just "Observe" and "Control" only, and for "All Users", not for "Only these users."
  2. Junjishimazaki's script test: Failed, unable to connect
    1. I removed an Intel machine and an M1, both with Monterey, from my ARD script.
    2. I disabled Remote Desktop from the Jamf Pro Computer Management for each workstation.
    3. I created another policy with your script and scoped it out.
    4. It looked promising. It enabled it; however, when I try to establish an ARD session, I get this on both machines:
      • Thoughts?
  3. I noticed that your script allowed "All users" with all options:

      ## Enable ARD options using the kickstart command
      $KICK_START_BINARY -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers

    I tried the following to specify a user that is created during enrollment. Unfortunately it didn't work:

      ## Enable ARD options using the kickstart command
      $KICK_START_BINARY -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers -users [user1,user2]

Any suggestions?


See here in Apple's old docs;

Try setting up like this;

# kickstart lives inside ARDAgent.app; $localUserName and $privs are set earlier in your script
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# Clear any existing Remote Management settings and preferences
$kickstart -targetdisk / -verbose -uninstall -settings -prefs
# Switch access from "all users" to "only these users"
$kickstart -targetdisk / -verbose -configure -allowAccessFor -specifiedUsers
# Activate the agent, grant the named user the chosen privileges, hide the menu extra, restart the agent
$kickstart -targetdisk / -activate -configure -access -on -users "$localUserName" -privs "$privs" -clientopts -setmenuextra -menuextra no -restart -agent -console -menu

Yeah Bol.  The first two lines above are exactly what's in my original script.  Now I'm just updating that to fit in Junjishimazaki's script.  Thanks for the $kickstart lines.  I'll give it a shot.

Oh... This is for all local user accounts. Yes?

-users "$localUserName"

So for specific users, should it look like this?

-users "USER1" "USER2"

  Or without quotes?

-users USER1,USER2
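The two posts above are about restricting Remote Management to named accounts instead of "-allowAccessFor -allUsers -privs -all". The script below is an added example, not code from this thread or from Apple: it validates the account names, joins them in the comma-separated form kickstart's -users flag takes (no spaces, which is my reading of the kickstart help and is an assumption to confirm with `kickstart -help` on the Mac), checks that each account exists locally, and grants only a subset of privileges. The privilege keywords and the dry-run mechanism are mine; the kickstart path is the one the thread uses.

```shell
#!/bin/bash
# Added example, not from the thread: turn on Remote Management for a named set of local
# accounts with a restricted privilege set, instead of "-allowAccessFor -allUsers -privs -all".
# Assumptions: kickstart's -users flag takes a comma-separated list with no spaces, and the
# -privs keywords below are accepted by kickstart (confirm with `kickstart -help` on the Mac).

KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Privileges the helpdesk account gets: observe/control, restart/shutdown, text messages,
# show the observe indicator. No file transfer, no settings changes, no app launch/quit.
ARD_PRIVS="-ControlObserve -RestartShutDown -TextMessages -ShowObserve"

# Accept only portable account-name characters, so a comma or space in an argument
# cannot smuggle a second account into the -users list or break the command line.
valid_username() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Join validated names with commas (kickstart -users format).
# Prints the list; returns 1 if any name is rejected or no names were given.
join_users() {
    local out="" u
    for u in "$@"; do
        valid_username "$u" || { echo "rejected username: '$u'" >&2; return 1; }
        out="${out:+$out,}$u"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# True if the account exists on this machine (Directory Services on macOS, /etc/passwd elsewhere).
local_user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Print the exact kickstart command lines that would run, then run them unless DRY_RUN=1.
# Two steps: switch access mode to "only these users", then activate and grant the privileges.
enable_ard_for_users() {
    local users u
    users=$(join_users "$@") || return 1
    for u in "$@"; do
        local_user_exists "$u" || { echo "no local account named $u" >&2; return 1; }
    done
    printf '%s -configure -allowAccessFor -specifiedUsers\n' "$KICKSTART"
    printf '%s -activate -configure -access -on -users %s -privs %s -restart -agent -console\n' \
        "$KICKSTART" "$users" "$ARD_PRIVS"
    [ "${DRY_RUN:-0}" = "1" ] && return 0
    "$KICKSTART" -configure -allowAccessFor -specifiedUsers &&
    "$KICKSTART" -activate -configure -access -on -users "$users" -privs $ARD_PRIVS -restart -agent -console
}

# Dry run with the current account so the file can be executed anywhere. On the Mac, run as
# root without DRY_RUN and pass the enrollment-created admin account(s) instead.
DRY_RUN=1 enable_ard_for_users "$(id -un 2>/dev/null || echo root)"
```

Because the privilege list and the account list are fixed in the script rather than "-all"/"-allUsers", a compromised standard user account on the Mac does not automatically become an ARD target with full control, and the two printed lines give you something to keep in the policy log.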

Anyone know where the settings for Remote Management reside? I think that on the computers where I am seeing this weird error in ARD, something in the remote computer is completely messed up and toggling the check-box for Remote Management isn't enough to clear out the issue. I would like to avoid reinstalling the OS if possible.
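The question above asks where the Remote Management settings live. As an added example that is not from this thread, here is a shell audit of the places I know those settings are kept on a managed Mac: the global preference file /Library/Preferences/com.apple.RemoteManagement.plist (keys such as ARD_AllLocalUsers, ARD_AllLocalUsersPrivs and VNCLegacyConnectionsEnabled) and the per-account "naprivs" attribute in Directory Services, with -1073741569 as the "all privileges" value that "kickstart -privs -all" writes. The key names and that value are assumptions to confirm with `defaults read` and `dscl` on your own Mac; the two sample dumps are constructed, not captured from a real machine. The script flags the settings a fleet should not carry and, on a Mac, also runs the live checks.

```shell
#!/bin/bash
# Added example, not from the thread: audit where Remote Management keeps its state on a Mac
# and flag the settings a security engineer would not want on a fleet machine.
# Assumptions (verify on your own Mac with `defaults read` and `dscl`):
#   - global settings live in /Library/Preferences/com.apple.RemoteManagement.plist
#   - per-user ARD privileges live in the Directory Services attribute "naprivs"
#   - naprivs -1073741569 is the "all privileges" value written by `kickstart -privs -all`

RM_PLIST="/Library/Preferences/com.apple.RemoteManagement"
ALL_PRIVS="-1073741569"

# Extract one key's value from a `defaults read` style dump on stdin.
# Lines look like:    ARD_AllLocalUsers = 1;    or    ARD_AllLocalUsersPrivs = "-1073741569";
plist_value() {
    awk -v k="$1" '$1 == k && $2 == "=" { v = $3; gsub(/[";]/, "", v); print v; exit }'
}

# Print one FINDING line per weak setting in the dump passed as $1.
# Returns 0 when nothing was flagged, 1 otherwise, so it can gate a policy.
audit_remote_management() {
    local dump="$1" findings=0
    if [ "$(printf '%s\n' "$dump" | plist_value ARD_AllLocalUsers)" = "1" ]; then
        echo "FINDING: every local account can be used for ARD (ARD_AllLocalUsers = 1)"
        findings=$((findings + 1))
    fi
    if [ "$(printf '%s\n' "$dump" | plist_value ARD_AllLocalUsersPrivs)" = "$ALL_PRIVS" ]; then
        echo "FINDING: all-users privilege mask is 'all privileges' (ARD_AllLocalUsersPrivs = $ALL_PRIVS)"
        findings=$((findings + 1))
    fi
    if [ "$(printf '%s\n' "$dump" | plist_value VNCLegacyConnectionsEnabled)" = "1" ]; then
        echo "FINDING: legacy VNC connections enabled (password-only, no ARD session encryption)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Number of FINDING lines an audit produces, for reporting and tests.
audit_finding_count() {
    audit_remote_management "$1" | grep -c '^FINDING'
}

# Live checks, only on a Mac: audit the real plist, list each account's naprivs attribute,
# and show what is listening on the VNC/ARD port.
live_audit() {
    [ -x /usr/bin/defaults ] && [ -x /usr/bin/dscl ] || { echo "not macOS, skipping live audit"; return 0; }
    audit_remote_management "$(/usr/bin/defaults read "$RM_PLIST" 2>/dev/null)"
    for u in $(/usr/bin/dscl . -list /Users | grep -v '^_'); do
        privs=$(/usr/bin/dscl . -read "/Users/$u" naprivs 2>/dev/null | awk '{print $2}')
        [ -n "$privs" ] && echo "user $u naprivs=$privs"
    done
    /usr/sbin/lsof -nP -iTCP:5900 -sTCP:LISTEN 2>/dev/null
}

# Constructed sample dumps in the format `defaults read` prints; not captured from a real Mac.
SAMPLE_WEAK='{
    ARD_AllLocalUsers = 1;
    ARD_AllLocalUsersPrivs = "-1073741569";
    VNCLegacyConnectionsEnabled = 1;
    ScreenSharingReqPermEnabled = 0;
}'
SAMPLE_SPECIFIED_USERS='{
    ARD_AllLocalUsers = 0;
    VNCLegacyConnectionsEnabled = 0;
}'

echo "== sample with weak settings =="
audit_remote_management "$SAMPLE_WEAK" || echo "$(audit_finding_count "$SAMPLE_WEAK") finding(s)"
echo "== sample with specified users =="
audit_remote_management "$SAMPLE_SPECIFIED_USERS" && echo "no findings"
live_audit
```

When a Mac behaves as described in the thread (Remote Management toggled but sessions still refused), comparing this plist and the naprivs attributes against a working machine shows whether the stored state actually changed, which is cheaper than reinstalling the OS.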

