Hi All,

I’ve come across a strange issue stopping me rolling out M1 MacBook Pros to our users to replace older Intel machines.

I’m unable to use ARD to screen share onto an M1 Mac in these scenarios:

- FileVault on and Firewall on

- FileVault on and Firewall off

Works if FileVault is off and Firewall on or FileVault is on and Firewall is off.

I’ve tested a MacBook Pro 14inch and 16inch M1 running Monterey 12.0 through to 12.2 with the same result. 

If I test an Intel Mac with the same Filevault/Firewall on, ARD works no problem.

 

Not sure if I’ve missed something daft on these M1 machines or a bug in Monterey on Apple silicon.

 

Cheers,

Robert.

Yeah Bol.  The first two lines above are exactly as in my original script.  Now I'm just updating that to fit in Junjishimazaki's script.  Thanks for the $kickstart lines.  I'll give it a shot.  

Oh... This is for all local user accounts. Yes?  

-users "$localUserName"

So for specific users, should it look like this?

-users "USER1" "USER2"

Or without quotes?

-users USER1,USER2


Didn't work.  Here's everything combined:

#!/bin/bash

jamf_User="$4"
jamf_Pass="$5"
# Local account that should get ARD access (Jamf script parameter 6; set to suit)
localUserName="$6"
# Privileges granted to that account: -all, or a list such as -ControlObserve -TextMessages
privs="-all"
# Get the Jamf instance URL from the computer
jss_Url=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )
# Kickstart command
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

echo "Enabling ARD..."

# generate the base64 encoded credentials for the Basic auth header
encoded_creds=$(printf "$jamf_User:$jamf_Pass" | iconv -t ISO-8859-1 | base64 -i -)

# generate an auth token. tr removes all line feeds
authToken=$( /usr/bin/curl -s "${jss_Url}api/v1/auth/token" -H "authorization: Basic ${encoded_creds}" -X POST | tr -d "\n" )

# parse the token out of the JSON, dropping the expiration date
token=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$authToken\`).token" )

# Get Mac serial number
mac_serial=$( system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' )
echo "Mac serial: $mac_serial"

# Get ID of the Mac from Jamf (Classic API, asking for XML so xmllint can parse it)
JAMF_ID=$( curl -s --header "Authorization: Bearer $token" --header "Accept: application/xml" "${jss_Url}JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' - )
#echo "Jamf ID: $JAMF_ID"

# Send MDM command to enable remote desktop for this Mac
/usr/bin/curl -s --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST

## Enable ARD options using the kickstart command
$kickstart -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers
$kickstart -targetdisk / -verbose -uninstall -settings -prefs
$kickstart -targetdisk / -verbose -configure -allowAccessFor -specifiedUsers
# $privs is left unquoted on purpose so a list of privileges splits into separate flags
$kickstart -targetdisk / -activate -configure -access -on -users "$localUserName" -privs $privs -clientopts -setmenuextra -menuextra no -restart -agent -console -menu

# expire the auth token
/usr/bin/curl "${jss_Url}uapi/auth/invalidateToken" --silent --request POST --header "Authorization: Bearer $token"

exit 0

 

 


Anyone know where the settings for Remote Management reside? I think that on the computers where I am seeing this weird error in ARD, something in the remote computer is completely messed up and toggling the check-box for Remote Management isn't enough to clear out the issue. I would like to avoid reinstalling the OS if possible.


Somewhere on the computer besides in the Apple System Preferences / Sharing in Service column?

What's the weird ARD error?

 

 



I get the following error when I try to connect via Apple Remote Desktop or the built in VNC… This occurs on both M1 and Intel machines.

 

connectionFailed

serverUnableToReadScreenMessage

 

I am looking for the actual (I assume) plist file that stores all this info on Remote Desktop settings. I think I have a bunch of computers where this file is somehow locked and I cannot reset it at all. My only recourse lately is to reinstall the OS...and even then, it hasn't always worked. In those cases, I have to do a wipe and install.



Yep. You'll either have to use the Management console for now or try @dan-snelson's solution listed above in his post.


On the off-chance that the eardm2 function proves helpful:

https://snelson.us/2022/05/bz-please/


I’m running out of ideas, so I’m hoping I can figure out your script to make this work. I just did a quick check to see how many computers I can actually reach to a usable state…it’s about 60%. 

Will your script work on older operating systems? I’m trying to get everything onto Monterey, but I have a ton of off site folks who just can’t figure out how to push a button. 



Yes sorry, replace with your local users, I am using a script variable so I can enter the username on the policy page.

I'm sorry if it’s been said but are you all scoping these two settings by config profiles also?

I haven’t gone back to see if one or both is still required but I know, at some point of testing, they were both needed to allow ARD to work again in the latest macOS builds.

 



I get the same results using a PPPC or without. Strange error, or a black screen. 



~/Library/Containers/com.apple.RemoteDesktop/Data/Library/Preferences

Same error for me as well on Intel machines running Monterey.  Prior to Monterey, my original script is just fine.

@rcole:  Thanks for mentioning @dan-snelson's post.  At a quick glance, it too looks promising.  I'll have to give that a shot as well.



Thanks for the screenshot.  I had missed the PPPC in these posts.  Maybe that's what I'm missing.  I never had to use it before.  I'll give it a shot.

So how did the script look above?

So for specific users, should it look like this?

-users "USER1" "USER2"

Or without quotes?

-users USER1,USER2

I get the same results using a PPPC or without. Strange error, or a black screen. 


😣

Hmmm... 🤔 🤔



That’s where the individual user preferences are. I’m looking for where the system level preferences are hiding. I appreciate the path though, I have 4 computers I regularly use and it would be nice to copy all my lists, groups, and scripts to the other machines. 


@HappyTrails @kwoodard 
I went back and tested, I believe only the PPPC profile was required for ARD. I couldn't find all the docs but from what I understand;

- Kickstart to set up privileges & users

- MDM / API to enable remote desktop

- Config profile to allow interaction of remote management via kickstart

Here's what I'm using in a policy triggered on startup, it will get applied soon after enrolment and can connect straight after. Please test before copy / pasting in your environment as I know there's some overkill elements to what I'm doing.

There was a lot of testing at the time and once it was all solid, I didn't get the chance to go back through and see what wasn't required. Also I removed the config profile and it did indeed break the workflow, so for me it was still a required step. 

You can replace $4 / $5 with your own values, I enter these on the policy the script is added to.

 

 

#!/bin/bash
# B0L ARD Screen Share / Remote Desktop via Jamf Pro API
# - Added bearer token support as Classic API due for retirement
# - Added print of access group (to see who can ARD)
# - Removed hard code of Jamf Pro URL for plist preference
# - Overkill add Jamf Pro into groups / SSH / ScreenShare
# Note: -ShowObserve has no effect as of macOS 12.3
# https://ss64.com/osx/kickstart.html
error=0

# Jamf policies do not always have /usr/local/bin in PATH; fall back to the usual
# install path rather than leaving jamfbin empty ("startSSH: command not found")
jamfbin=$(/usr/bin/which jamf 2>/dev/null || echo "/usr/local/bin/jamf")
jamfpro_server_address=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf jss_url); jamfpro_server_address=${jamfpro_server_address%%/}
encodedCredentials="$4"
localUserName="$5"
group=com.apple.access_screensharing
machineUUID=$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/awk '/IOPlatformUUID/ { gsub(/"/,"",$3); print $3; }')

kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
# Old one Liner
# $kickstart -activate -configure -access -on -users user -privs -all -clientopts -setmenuextra -menuextra no -restart -agent -menu

GenerateAuthToken () {
authToken=$( /usr/bin/curl "${jamfpro_server_address}/uapi/auth/tokens" \
--silent \
--request POST \
--header "Authorization: Basic $encodedCredentials" )
# stop here if no token came back (e.g. a 401 body) instead of carrying on with garbage
if [[ "$authToken" != *'"token"'* ]]; then echo "Auth token request failed: $authToken"; error=1; exit $error; fi
# the token is the fourth "-delimited field of {"token":"...","expires":"..."}
token=$( /usr/bin/awk -F \" '{ print $4 }' <<< "$authToken" | /usr/bin/xargs )
}

ExpireAuthToken () {
/usr/bin/curl "${jamfpro_server_address}/uapi/auth/invalidateToken" \
--silent \
--request POST \
--header "Authorization: Bearer $token"
}

GetJamfProComputerID () {
computerrecord=$( /usr/bin/curl --request GET \
--url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \
--silent \
--header "Authorization: Bearer $token" )
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$computerrecord\`).results[0].id" )
}

SetJamfProConfig () {
/usr/sbin/dseditgroup -o edit -a "$localUserName" -t user admin
/usr/sbin/dseditgroup -o edit -a "$localUserName" -t user com.apple.access_ssh
/usr/sbin/dseditgroup -o edit -a "$localUserName" -t user com.apple.access_screensharing
/usr/sbin/systemsetup -f -setremotelogin on
$jamfbin startSSH
}

SetAppleRemoteDesktopViaAPI () {
/usr/bin/curl --request POST \
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \
--silent \
--header "Authorization: Bearer $token"
}

SetAppleRemoteDesktopViaKickstart () {
# https://support.apple.com/en-au/HT201710
# allowInsecureDH permits the older, weaker Diffie-Hellman key exchange so that
# legacy ARD versions can still connect; leave it out if all admin Macs are current
/usr/bin/defaults write /Library/Preferences/com.apple.RemoteManagement allowInsecureDH -bool TRUE
$kickstart -targetdisk / -verbose -uninstall -settings -prefs
$kickstart -targetdisk / -verbose -configure -allowAccessFor -specifiedUsers
# $privs stays unquoted so the list splits into separate flags
$kickstart -targetdisk / -activate -configure -access -on -users $localUserName -privs $privs -clientopts -setmenuextra -menuextra no -setwbem -wbem yes -restart -agent -console -menu
}

GetGroupMembership () {
echo "Screen sharing ACL members:";
for i in $(dscl . list /users); do [[ $(id -nG "$i" | grep "$group") ]] && echo "$i"". "; done
# $kickstart -computerinfo -1 "$text"
}

GenerateAuthToken
GetJamfProComputerID
SetAppleRemoteDesktopViaAPI
SetJamfProConfig
SetAppleRemoteDesktopViaKickstart
GetGroupMembership
ExpireAuthToken

exit $error

 

ps. How do we format code script for bash!?


Also, thanks to all the community bloggers and their amazing ideas that i've taken snippets of code from!


@Bol do you recommend scripting it and running after enrollment or Files and Processes?



@rcole wrote:

@Bol do you recommend scripting it and running after enrollment or Files and Processes?


Sorry I missed this, yes I script and run on startup, once per month. 

After enrollment, the reboot allows this policy to be run second to bootstrap escrow. Previously I ran kickstart in Files and Processes but there's too many lines now to keep in there for me!



@Bol I think I have done something wrong... When I use your code, modifying it for my needs, when I attempt to screen share with a remote machine using this script, I get a pop-up window that states that "Authentication failed to (computer name)"... Here is the output from when I run the script... When I am connecting to the remote computer, I am using one of the user/pass combo's that is showing up in the Screen Sharing ACL list.

 

 

Checking for policies triggered by "recurring check-in" for user "(my ID)"...
Executing Policy DEP - Enable Remote Management All
Running script ARC-RemoteManagment-Enable_All...
Script exit code: 0
Script result: execution error: Error: TypeError: undefined is not an object (evaluating 'JSON.parse(`{
"httpStatus" : 401,
"errors" : [ ]
}`).results[0]') (-2700)
<html>
<head>
<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>setremotelogin: remote login is already On.
/Library/Application Support/JAMF/tmp/ARC-RemoteManagment-Enable_All: line 51: startSSH: command not found
Starting...
Stopped ARD Agent.
Removed ARD System Preferences.
Removed ARD Agent Preferences.
Removed Remote Management System Preferences.
Removed remote control privileges for all users.
Done.
Starting...
Setting allow all users to YES.
Done.
Starting...
Activated Remote Management.
Stopped ARD Agent.
basicadminuser: Set user remote control privileges.
basicadminuser: Set user remote access.
basicuser: Set user remote control privileges.
basicuser: Set user remote access.
jamf: Set user remote control privileges.
jamf: Set user remote access.
micro: Set user remote control privileges.
micro: Set user remote access.
Set the client options.
Started ARD Admin.
Restarted Menu Extra (System UI Server).
Done.
Screen sharing ACL members:
basicadminuser.
jamf.
micro.
root.
{
"httpStatus" : 401,
"errors" : [ ]
}

 



@kwoodard  It looks like it's gone wrong during the api remote desktop command which makes sense you are seeing that error when connecting.

Double check two things;

- Encoded credentials : Make sure they are a mix of your api username and password by running this in terminal (enter your own user pass)

printf "user:pass" | iconv -t ISO-8859-1 | base64 -i -

dXNlcjpwYXNz

- Check the API user privilege is ticked: Settings - System Settings - Jamf Pro User Accounts & Groups - User - Privileges - Jamf Pro Server Actions - 

Send Computer Remote Desktop Command

 Once we sort those two out I think it will start working for you.



I am getting an output that looks similar to the output your example generated. I also have the API user privileges set as shown (everything is checked in fact for the user).

I manually went into Remote Management and looked at the options...nothing is being set, so I think there is a discontinuity somewhere in the script beyond that http error...



@kwoodard 

Ok well this is where we step through line by line, either the copied syntax will be wrong from what I posted or we will quickly find where things have gone wrong in the setup.

Start with copy pasting in your known values for;

encodedCredentials="somethingsoemthing!"
localUserName="username"
jamfpro_server_address="https://soemthing:8443"
machineUUID="findmeinjamfpro"

Then you can paste in the commands to print on the screen to check their output. Once we know they are ok, re-run that command to store them inside the variable.

eg.

/usr/bin/curl "${jamfpro_server_address}/uapi/auth/tokens" \
--silent \
--request POST \
--header "Authorization: Basic $encodedCredentials"

authToken=$( /usr/bin/curl "${jamfpro_server_address}/uapi/auth/tokens" \
--silent \
--request POST \
--header "Authorization: Basic $encodedCredentials" )
/usr/bin/awk -F \" '{ print $4 }' <<< "$authToken" | /usr/bin/xargs
token=$( /usr/bin/awk -F \" '{ print $4 }' <<< "$authToken" | /usr/bin/xargs )

/usr/bin/curl --request GET \
        --url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \
        --silent \
        --header "Authorization: Bearer $token"

computerrecord=$( /usr/bin/curl --request GET \
        --url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \
        --silent \
        --header "Authorization: Bearer $token" )

/usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$computerrecord\`).results[0].id"
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$computerrecord\`).results[0].id" )

And then test the big boss;

/usr/bin/curl --request POST \
        --url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \
        --silent \
        --header "Authorization: Bearer $token"

Let us know what you find. 
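Added here as a worked example, not code from the thread or from Jamf: the checks that the step-by-step above does by eye (credential encoding, token parsing, computer id lookup) written as shell functions that fail the run on a 401 instead of exiting 0 and letting kickstart run with a bogus token, which is what kwoodard's log shows. The 401 body is the one quoted in the thread; the success bodies, the /api/v1/auth/token endpoint wrapper and the sample values are constructed assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): fail-fast parsing of Jamf Pro responses.
# Assumed shapes: the {"httpStatus":401,"errors":[]} body quoted in the thread,
# a constructed {"token":"...","expires":"..."} success body, and a constructed
# computers-inventory body {"totalCount":1,"results":[{"id":"42",...}]}.

# Build the Basic credential. GNU base64 wraps at 76 columns and macOS does
# not; deleting newlines makes both print a single line. (The thread's iconv
# step only matters for non-ASCII passwords and is left out here.)
encode_creds() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pull the "token" string out of an auth response. Returns 1 when the key is
# absent, which is exactly what the 401 body looks like. Jamf tokens are JWTs
# (base64url characters and dots), so matching up to the next quote is safe.
extract_token() {
  local body tok
  body=$1
  tok=$(printf '%s' "$body" | tr -d '\n\r' \
        | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$tok" ] || return 1
  printf '%s' "$tok"
}

# Gate on both the HTTP status and the body: only a 2xx that actually carries
# a token is usable. Prints a hint for the two failure cases seen in the thread.
check_token_response() {
  local status body
  status=$1
  body=$2
  case "$status" in
    2[0-9][0-9]) ;;
    401) echo "token request got 401: re-check the Basic credentials and the API account privileges" >&2
         return 1 ;;
    *)   echo "token request got HTTP $status" >&2
         return 1 ;;
  esac
  extract_token "$body" >/dev/null || { echo "HTTP $status but no token in body" >&2; return 1; }
}

# First id inside "results":[...] of a computers-inventory response, without
# osascript. Returns 1 for an empty results array (UDID filter matched nothing),
# which is where the thread's osascript one-liner throws its TypeError.
extract_computer_id() {
  local body cid
  body=$1
  cid=$(printf '%s' "$body" | tr -d '\n\r ' \
        | sed -n 's/.*"results":\[\(.*\)/\1/p' \
        | grep -o '"id":"*[0-9][0-9]*' | head -n 1 | tr -dc '0-9')
  [ -n "$cid" ] || return 1
  printf '%s' "$cid"
}

# kickstart's -users flag takes one comma-separated argument (user1,user2),
# not several separately quoted arguments.
kickstart_users_arg() {
  local IFS=,
  printf '%s' "$*"
}

# Network wrapper (defined but not exercised offline): prints the token or
# returns non-zero. curl --write-out appends the status code after the body.
get_token() {
  local server creds raw status body
  server=$1
  creds=$2
  raw=$(/usr/bin/curl --silent --request POST \
          --header "Authorization: Basic $creds" \
          --write-out '\n%{http_code}' "${server}/api/v1/auth/token") || return 1
  status=$(printf '%s' "$raw" | tail -n 1)
  body=$(printf '%s' "$raw" | sed '$d')
  check_token_response "$status" "$body" || return 1
  extract_token "$body"
}
```

In a policy script, `token=$(get_token "$jamfpro_server_address" "$encodedCredentials") || exit 1` is the line that replaces the silent awk parse, so the exit code Jamf records is non-zero when the API rejects the credentials.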



I will try to give this a go today. I will report back with my findings. Thank you for your help!

As an aside, I did a new setup yesterday, leaving out the Remote Management command. I got everything setup and manually checked the boxes for RM. Once I updated the computer to 12.4 from 11.6...RM doesn't work again.


Were you able to resolve this?  I'd like to enable FileVault but it turns on the firewall blocking all incoming connections.  Only seeing this in M1 Macs on Monterey.  



Wanted to expand on my previous observation... I just provisioned a brand new computer, straight out of the box. Had some flavor of Big Sur on it. Did a full provisioning and setup (no Remote Management) then updated to Monterey 12.4 using the built in updater. Once finished, manually enabled Remote Management by checking the box, then checking all the options. Restarted the computer... When I tried to connect to the new machine (M1 MBP 13") I am getting the error I have seen a lot and listed above. Seems something is amiss here. 



Wait a second, I’m confused. 
If you are leaving out the remote management command in the script, are you then using the ‘enable remote desktop’ button in Jamf for this computer record?

 

If the device is enrolled in MDM, then it must have enable Remote Desktop enabled via MDM also to work. (Either script : api or Jamf)

https://support.apple.com/en-us/HT209161

 



Usually I am doing the remote management command when provisioning a computer. Since I’m doing 80 this week and next, I’m trying out a few things as I go. Today, I disabled the remote management command in Jamf and wanted to see the behavior of manually enabling it. On 12.4, I get the same error across the board. M1/Intel… Jamf enabled or manually enabled… I get the same error when trying to connect to any computer on 12.4 from multiple other computers running ARD. 



If you're certain everything else is correct then all i can offer more if reboot. I find after sending the command either by script or Jamf, it takes a restart before I can then connect without authentication error.

Also I'm using Apple remote desktop so if any machine is being stubborn, I delete the record out first. Then add the creds again, run an admin report to confirm all the privileges are ok, lastly reconnect and control screen.



Also, what happens if you enroll and solely use the script to automate the permissions? 

