
I know a lot has changed in the last few years, but is there a way to enable and configure Remote Management without having to physically do this on each device?

I know you can use ARD when you are physically at the device to configure the service, and Jamf Pro has an "Enable Remote Desktop" command. However, the "Enable Remote Desktop" command does not allow for specifying a specific user and what permissions they have. What I would like to do is:

- Enable Remote Management
- Set "Only these users:"
- Add our Management Account
- Set the permissions

Thanks!

NOTE: We are currently doing User-Initiated Enrollments. We are hoping to have access to ABM in the near future.

I am currently using this script with success, which sounds like what you want to do. I take no credit for writing it. Good luck!

```bash
#!/bin/bash

LOCALADMIN="youradminaccount"
kickstart=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

echo "Configuring Remote Management"

if id -u "$LOCALADMIN" >/dev/null 2>&1; then
    echo "Defined local admin account exists"

    # Deactivate ARD agent, deny all access
    echo "Deactivating ARD agent"
    "$kickstart" -deactivate -configure -access -off

    echo "Turning off default AllLocalUsers remote management setting"
    defaults write /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers -bool FALSE

    # Remove 'naprivs' key from users configured by ARD's -specifiedUsers flag
    echo "Removing naprivs key from local users"
    RemoteManagementUsers=$(dscl . list /Users naprivs | awk '{print $1}')
    for EnabledUser in $RemoteManagementUsers; do
        echo "--- naprivs removed from $EnabledUser"
        dscl . delete "/Users/$EnabledUser" naprivs
    done

    # Turn ARD back on and enable only the specified LOCALADMIN
    echo "Reconfiguring ARD for only specified users"
    "$kickstart" -configure -allowAccessFor -specifiedUsers

    echo "Setting specified local admin account as sole ARD user"
    "$kickstart" -configure -users "$LOCALADMIN" -access -on -privs -all

    echo "Restarting ARD agent"
    "$kickstart" -activate -restart -agent

    echo "--- Remote management reset; user ${LOCALADMIN} configured for access"
    exit 0
else
    echo "--- ERROR: The specified local admin account does not exist."
    exit 1
fi
```

(edited for formatting)
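
A read-only check of the end state the script above aims for (all-local-users access off, `naprivs` present only on the management account), added here as an example and not part of the original post. The function names, the `EXPECTED_ADMIN` variable and the sample listing are assumptions made for illustration; the `defaults` key and the `dscl` query are the ones the script itself uses.

```shell
#!/bin/bash
# Added example: audit ARD access after the configuration script has run.

# ard_unexpected_users EXPECTED LISTING
# LISTING is the text printed by `dscl . list /Users naprivs` (one
# "username value" pair per line). Prints accounts other than EXPECTED.
ard_unexpected_users() {
    local expected="$1" listing="$2"
    printf '%s\n' "$listing" | awk -v keep="$expected" 'NF && $1 != keep {print $1}'
}

# ard_audit EXPECTED ALL_LOCAL_USERS LISTING
# Returns 0 only if ARD_AllLocalUsers is explicitly off, EXPECTED has a
# naprivs entry and no other account has one. An unset or unreadable
# ARD_AllLocalUsers value is reported as a finding (conservative choice).
ard_audit() {
    local expected="$1" all_local="$2" listing="$3" rc=0 extra
    case "$all_local" in
        0|false|FALSE|NO) ;;
        *) echo "FAIL: ARD_AllLocalUsers is '$all_local', expected off"; rc=1 ;;
    esac
    if ! printf '%s\n' "$listing" | awk -v u="$expected" '$1 == u {found=1} END {exit !found}'; then
        echo "FAIL: $expected has no naprivs entry"; rc=1
    fi
    extra=$(ard_unexpected_users "$expected" "$listing")
    if [ -n "$extra" ]; then
        echo "FAIL: unexpected ARD users: $(echo $extra)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: only $expected is configured for ARD"
    return "$rc"
}

# Constructed sample listing (not captured from a real Mac), used off macOS.
SAMPLE_LISTING='youradminaccount -1073741569
olduser -1073741569'

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: read the live settings (run as root, e.g. from a Jamf policy).
    ard_audit "${EXPECTED_ADMIN:-youradminaccount}" \
        "$(defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null)" \
        "$(dscl . list /Users naprivs 2>/dev/null)"
else
    # Elsewhere: demonstrate on the sample, which flags "olduser".
    ard_audit youradminaccount 0 "$SAMPLE_LISTING" || true
fi
```
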

 



Thank you! I was able to get things mostly working by scraping a few things together using that.