
So...

Prepare your institution for iOS 12 or macOS Mojave
https://support.apple.com/en-us/HT209028

"For increased security, using the kickstart command to enable remote management on a Mac will only allow you to observe it when sharing its screen. If you wish to control the Mac while sharing its screen, enable remote management in System Preferences."

So any thoughts on how we can enable full control Apple Remote Desktop management in 10.14? Some of us still have computer labs to manage. I know JAMF Remote provides some of this functionality, but the full console where you see all your systems in Apple Remote Desktop still hasn't been replicated nicely by a third party product.

It's hard to believe how many more things we now need to enable manually in the year 2018 for the sake of security. I remember the good old days when I could just schedule a re-image of an entire lab without any intervention... sigh... Apple really needs DEP to catch up with the security policies they keep rolling out...

Maybe there is something here... the beginnings of some way in... perhaps!
https://www.sentinelone.com/blog/mojaves-security-hardening-user-protections-bypassed/


@taugust04

Do you have some pointers on how you are achieving this? I'm reading through the Jamf docs about preparing for Mojave but my brain must be stuck this morning as I can't get my head around it.

*Never mind, I've managed to get it working :)


For those who are interested, this is how I've accomplished this.

1. Download tccprofile.py
2. Unzip the archive
3. Open Terminal
4. cd into the unzipped archive's folder where tccprofile.py exists
5. Run the following command:

./tccprofile.py --pe /System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent --allow --payload-description="Enables ARD Kickstart on MacOS 10.14 Mojave" --payload-identifier="com.mygreatcompany.com" --payload-name="Enable ARD Kickstart" --payload-org="My Great Company" --payload-version="1" -o ~/Desktop/Enable_ARD_Kickstart.mobileconfig

6. On your Desktop, open the Enable_ARD_Kickstart.mobileconfig file in your text editor of choice
7. Change the following lines:

<key>Identifier</key>
<string>/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent</string>
<key>IdentifierType</key>
<string>path</string>

TO

<key>Identifier</key>
<string>com.apple.screensharing.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>

8. Save the changes you've made
9. Upload the profile into your Jamf Pro Server
10. Enter whatever name/description you want
11. Deploy to test systems

The resulting installed profile should look like this:


Thank you, Ryan Ball. Where do I send the bitcoins?


@ryan.ball When I have this config profile applied to a test machine, I'm not seeing "Screen Sharing" enabled in System Prefs > Sharing. Should it be enabled and grayed out?

Correction: ID10T error... have to also run the kickstart command in conjunction with the config profile... got it.


@ryan.ball I've created the configuration profile and deployed to my test 10.14.1 Macs. However, I'm still unable to kickstart full ARD with the following command. Are you using a different kickstart command?

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users localadminuser -privs -all -restart -agent -menu

@UESCDurandal I copied your exact command and just changed the username, and I get the warning, but it does check the remote management box in System Preferences and when I run the following command, I can see my account has ARD access:

dscl . -list /Users dsAttrTypeNative:naprivs

Must have had something odd with my config profile. Rerunning your instructions and applying again is working for me. Thanks, @ryan.ball !


From Ryan Ball's post:
I was able to do the kickstart as a policy and that works, but no command that is documented will add full control to all users or even a single user. Anyone figure out a new way to add the control???


@pranzinic You can use the kickstart command just fine if you add a config profile to allow it. I've tested this with Mojave using the same commands to enable screen sharing for the admin user and it works great.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Screen Sharing Enable</string>
            <key>PayloadDisplayName</key>
            <string>Screen Sharing Enable</string>
            <key>PayloadIdentifier</key>
            <string>63DFC01F-E3AF-43FD-941C-317AA4309C33</string>
            <key>PayloadOrganization</key>
            <string>Kingston University</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>C99E0187-FB1B-4F5A-A14B-344F9E2C59C9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>PostEvent</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.screensharing.agent" and anchor apple</string>
                        <key>Comment</key>
                        <string>Allow Control mode when starting Remote Management via kickstart</string>
                        <key>Identifier</key>
                        <string>com.apple.screensharing.agent</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Screen Sharing Enable</string>
    <key>PayloadDisplayName</key>
    <string>Screen Sharing Enable</string>
    <key>PayloadIdentifier</key>
    <string>63DFC01F-E3AF-43FD-941C-317AA4309C33</string>
    <key>PayloadOrganization</key>
    <string>Kingston University</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>B8711922-EB7B-4BB3-A9AF-B430CFB3ED97</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadScope</key>
    <string>System</string>
</dict>
</plist>

I created the mobileconfig as described.

In terminal output when I monitor my script I see this:

Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.

I understand this is just a warning -- will it always say this regardless of the config profile?


@ryan.ball

Thanks for the steps sir. When I tried them, the "Remote Management" box was 100% checked off. However, when I clicked on "Options", no options were actually selected.


@nberanger The profile has to be used in conjunction with the kickstart command (using one of the posted scripts from above):

# $privs and $targetUsername are set earlier in the script (for example privs="-all")
echo "Enabling Apple Remote Desktop Agent..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
echo "Setting Remote Management Privileges for User: $targetUsername ..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs "$privs" -users "$targetUsername"

I'm having the same problem as @nberanger above. I have a PPPC mobileconfig in place on a Mojave system. When I execute the kickstart command locally (I go into Terminal as a logged-in user and paste in the command), it executes and all boxes are checked in "Options" in Sharing, but when I put the same kickstart command into a script in JSS and attach the script to a policy and execute it, the script runs without errors, but then no boxes are checked in "Options" in the Sharing pane.

What am I missing? I've tried making the script execute as part of a recurring policy and also during login/logout.

The PPPC mobile config profile must be correct, or when I manually run the kickstart command in Terminal, it would fail, but it works. The PPPC config profile is successfully allowing full permissions for my admin user, as it's supposed to.


@nberanger and I spent quite a long time today working on this problem. I admit I still don't fully understand the syntax of the kickstart command, but I did read that some of the kickstart options need to be separate commands and called separately. So, in the end, there was nothing wrong with my PPPC config profile. It was the logic/syntax of my ARD kickstart command. Here is what I ended up using in a script that, when run on a 10.14 machine where the PPPC config profile is in place, checks all the boxes in Sharing --> Remote Management --> Options:

#!/bin/bash

## Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes

## Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

exit 0

You should pretty easily be able to alter this if you want to limit full control to just a single user instead of all users (on the system).

Thank you, @nberanger . If you're at PSU MacAdmins this year, I will buy you a beer (or beverage of your choice).
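
Putting the separate-call sequence above into a reusable deployment script, as an added example that is not part of this thread: the kickstart invocations are the ones already posted (the all-users form from the script just above, the specified-user form from allanp81's earlier snippet), run as distinct calls followed by the agent restart, and the result is checked with the same dscl naprivs attribute mentioned earlier in the thread. The mode/user arguments, the DRY_RUN switch and the pre-flight check for an installed TCC profile via `profiles -P -o stdout-xml` are my additions and assumptions, not anything the posters described.

```shell
#!/bin/sh
# Added example (not the thread's own script): enable Remote Management with
# kickstart in separate invocations, then verify the grant with dscl.
# Assumes the PPPC profile from this thread is already installed on the Mac.
# Usage: ard_enable.sh all | ard_enable.sh user USERNAME
# Set DRY_RUN=1 to print the kickstart invocations instead of running them.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

run_kickstart() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$KICKSTART $*"; else "$KICKSTART" "$@"; fi
}

# pppc_profile_installed: 0 when a TCC/PPPC payload is installed (run as root).
# The "macos 10.14 and later only allows control..." warning from kickstart is
# printed even when the profile is in place, so this check is the useful one.
pppc_profile_installed() {
  command -v profiles >/dev/null 2>&1 || return 1
  profiles -P -o stdout-xml 2>/dev/null | grep -q 'com.apple.TCC.configuration-profile-policy'
}

# enable_remote_management MODE [USERNAME]: MODE is "all" or "user"
enable_remote_management() {
  mode=$1; user=${2:-}
  case "$mode" in
    all)
      run_kickstart -activate -configure -allowAccessFor -allUsers -privs -all \
        -clientopts -setmenuextra -menuextra yes ;;
    user)
      [ -n "$user" ] || { echo "user mode needs a username" >&2; return 2; }
      # Access list first, privileges second: combining them in one call is
      # what left the Options boxes unchecked in the posts above.
      run_kickstart -activate -configure -allowAccessFor -specifiedUsers
      run_kickstart -configure -access -on -users "$user" -privs -all ;;
    *) echo "mode must be all or user" >&2; return 2 ;;
  esac
  # Restarting the agent is its own call as well.
  run_kickstart -restart -agent
}

# verify_ard_privs USERNAME: 0 when dscl reports an naprivs attribute for the user
verify_ard_privs() {
  command -v dscl >/dev/null 2>&1 || return 1
  dscl . -read "/Users/$1" dsAttrTypeNative:naprivs 2>/dev/null | grep -q naprivs
}

if [ -n "${1:-}" ]; then
  if [ "${DRY_RUN:-0}" != 1 ] && ! pppc_profile_installed; then
    echo "warning: no PPPC profile found; kickstart will grant observe-only access" >&2
  fi
  enable_remote_management "$@" || exit $?
  if [ "$1" = user ] && [ "${DRY_RUN:-0}" != 1 ]; then
    verify_ard_privs "$2" && echo "naprivs set for $2" || echo "naprivs missing for $2" >&2
  fi
fi
```

Run it from a Jamf policy as root; in a lab the "all" mode matches the script above, and "user" mode limits full control to one management account, as the poster suggests. `dscl . -read` on the single user is the per-user form of the `dscl . -list /Users dsAttrTypeNative:naprivs` check posted earlier.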


I've been testing the script/workflow that @damienbarrett and I came up with last week, and it does appear to be working 100% of the time. Hope it helps out some more of you out there :-)


Great guys, thank you so much, enabling remote management works again on macOS Mojave!

I just created a .mobileconfig file with allanp81's config and created a script with damienbarrett's code and it just works! thumbsup


Is there a way we can get rid of that icon in the tool bar via script?


Try:

defaults write /Library/Preferences/com.apple.RemoteManagement LoadRemoteManagementMenuExtra -bool false


Crushed it, @allanp81


I seem to remember older versions of ARD would let you build a package with the ARDAgent in it and pre-define settings. Then you could take that package and install it on any Mac you wanted to control. I wish that still existed. We could take that package and make it install from Jamf Pro at enrollment. Does anyone know how that package was created? Maybe we can reverse engineer it? I'm guessing Mojave's tighter controls would probably block it from working anyway.


FYI, I don't see this issue in my build process and I use the kickstart command. No configuration profiles for PPPC either.

I run the following command in a Policy with a Files and Processes payload; it runs on startup. We also have a nightly reboot of our lab machines, so if someone happens to mess with it, it goes back. Faculty or 1-to-1 machines reboot weekly, but we always reboot them before clients get them, so it just works.

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users MyARDAccount -privs -all -restart -agent -menu

Hope this helps someone.

I will also say I didn't read through every comment, so someone may have already gotten it to work.

-Peter


As far as I understand the release notes of Jamf Pro 10.11.0, it is now possible to enable Remote Control via command.

"You can now send the Enable/Disable Remote Desktop command for computers with macOS 10.14.4 or later. This command can be sent as a remote command or as a mass action. This functionality is also available via the Classic API."

Can anybody of you acknowledge that? As we are currently at 10.10.1 I cannot test it.



I can confirm you can enable remote desktop via remote commands in 10.11.1 for computers on 10.14.4. Now that this is an option, is there any way to automate this as part of deployment? Or am I going to have to go in after deployment and push the command?