A little summary of what is currently working for our 10.14 and 10.15 machines:
1. PPPC profile for kickstart: https://support.apple.com/en-us/HT209161
2. Send the MDM command to activate (otherwise you could end up with only "observe")
#!/bin/bash
############
#
apiURL="https://yourjamf.com:8443"
apiUser="APIUser"
apiPass="Secret"   # anyone who can read this script can read the password: use a least-privilege API account (see the permissions further down)
# Get the Serial Number of the Machine
sn=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
#echo "$sn"
####
#Get ID by looking up Serial Number ("Accept: text/xml" asks the Classic API for an XML answer)
answer=$(/usr/bin/curl -s -H "Accept: text/xml" -u "${apiUser}:${apiPass}" "${apiURL}/JSSResource/computers/serialnumber/${sn}/subset/general")
# 10.15 ships a newer xpath that takes the query as:  xpath -e '/computer/general/id/text()'
jamfID=$(echo "$answer" | xpath '/computer/general/id/text()' 2>/dev/null)
#
#echo "$jamfID"
# Stop if the lookup failed; otherwise the POST below goes to .../id/ with no ID at all
[ -n "$jamfID" ] || { echo "No Jamf ID found for serial $sn"; exit 1; }
#Send MDM command to Enable Remote Desktop
/usr/bin/curl -s -u "${apiUser}:${apiPass}" "${apiURL}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${jamfID}" -X POST
##########################################
#This would be the counterpart: Send MDM command to Disable Remote Desktop
#/usr/bin/curl -s -u "${apiUser}:${apiPass}" "${apiURL}/JSSResource/computercommands/command/DisableRemoteDesktop/id/${jamfID}" -X POST
For the following commands simply use policy with "execute command"
3. Reset RD
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -verbose -uninstall -settings -prefs && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -verbose -restart -agent -console
4. Activate RD, e.g. for all users that have accounts on the machine (the dscl list is filtered to drop the system accounts: names starting with "_", daemon, nobody and root)
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers && nutzer=$(dscl . list /Users | grep -v -e '^_' -e '^daemon$' -e '^nobody$' -e '^root$' | paste -s -d, -) && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users "$nutzer" -access -on && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings -verbose && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent -verbose
My bad, wrong sequence: after the MDM command you see "all users" enabled, so the access rights have to be shaped afterwards. Updated that.
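As an added example (not the thread's own script, and in Python rather than bash): the same serial-number lookup and EnableRemoteDesktop command against the two Classic API endpoints used above, with the checks the curl one-liners skip. The computer ID is parsed out of the XML and validated before anything is POSTed, only the two Remote Desktop commands are accepted, and the credentials come from environment variables instead of being hard-coded. The base URL, the environment variable names and the sample XML response are constructed placeholders. Basic auth is used here because the thread's curl calls use it; newer Jamf Pro releases prefer bearer tokens for the Classic API.

```python
"""Look up this Mac's Jamf Pro computer ID by serial number and send it the
EnableRemoteDesktop (or DisableRemoteDesktop) MDM command via the Classic API.

Added example for this thread, not the thread's own script. The endpoints are the
ones the curl calls above use; the URL, account, variable names and sample XML
are constructed placeholders.
"""
import base64
import os
import subprocess
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of what .../computers/serialnumber/<sn>/subset/general returns
SAMPLE_RESPONSE = (
    "<computer><general><id>123</id><name>mac-01</name>"
    "<serial_number>C02XXXXXXXXX</serial_number></general></computer>"
)

COMMANDS = ("EnableRemoteDesktop", "DisableRemoteDesktop")


def parse_computer_id(xml_text: str) -> int:
    """Return /computer/general/id as an int.

    Raises LookupError when the serial is unknown (missing or empty <id>), where
    the bash chain above would silently POST to .../id/ with no ID at all.
    """
    root = ET.fromstring(xml_text)
    node = root.find("./general/id")
    text = (node.text or "").strip() if node is not None else ""
    if not text.isdigit():
        raise LookupError("no numeric /computer/general/id in lookup response")
    return int(text)


def lookup_url(base_url: str, serial: str) -> str:
    """Classic API URL returning the 'general' subset of a computer by serial number."""
    return (f"{base_url.rstrip('/')}/JSSResource/computers/serialnumber/"
            f"{urllib.parse.quote(serial, safe='')}/subset/general")


def command_url(base_url: str, command: str, computer_id: int) -> str:
    """Classic API URL for a computer MDM command; only the two RD commands are allowed."""
    if command not in COMMANDS:
        raise ValueError(f"unsupported command {command!r}")
    return (f"{base_url.rstrip('/')}/JSSResource/computercommands/command/"
            f"{command}/id/{int(computer_id)}")


def api_request(url: str, user: str, password: str, method: str = "GET") -> str:
    """HTTP call with Basic auth; Accept: text/xml asks the Classic API for XML."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, method=method,
        headers={"Authorization": f"Basic {token}", "Accept": "text/xml"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises on HTTP 4xx/5xx
        return resp.read().decode()


def local_serial() -> str:
    """Serial number of this Mac, from system_profiler (macOS only)."""
    out = subprocess.run(["system_profiler", "SPHardwareDataType"],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if "Serial Number" in line:
            return line.split(":", 1)[1].strip()
    raise LookupError("serial number not found in system_profiler output")


if __name__ == "__main__":
    # Assumed environment variable names (this example's, not Jamf's)
    base = os.environ["JAMF_URL"]            # e.g. https://yourjamf.com:8443
    user = os.environ["JAMF_API_USER"]
    password = os.environ["JAMF_API_PASS"]
    command = sys.argv[1] if len(sys.argv) > 1 else "EnableRemoteDesktop"
    cid = parse_computer_id(api_request(lookup_url(base, local_serial()), user, password))
    api_request(command_url(base, command, cid), user, password, method="POST")
    print(f"sent {command} to Jamf computer id {cid}")
```

Run it as `python3 enable_rd.py` or `python3 enable_rd.py DisableRemoteDesktop` with the three variables exported; an unknown serial now fails with a clear LookupError instead of a silent POST.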
@michaelhusar
Really great work, it's nice.
But I have one question: will this also work on the older version, High Sierra, to kickstart this?
If so, please share it with us.
@mani2care Thank you.
Yes, it works and you shouldn't need the PPPC and MDM part. So only steps 3 and 4 remain.
One more thought: often the machine is asleep... maybe a
systemsetup -setcomputersleep Never
makes sense if the machine has to be reachable.
Had to update that because the MDM command changes the kickstart settings.
Thanks @michaelhusar, that's a great script. We added in -setvnclegacy -vnclegacy yes -setvncpw -vncpw psswrd so we can use DameWare from Windows as well.
Worth noting that your API user account in the JSS will need:
Jamf Pro Server Objects -> Computers: Create & Read.
Jamf Pro Server Actions -> Send Computer Remote Desktop Command
This is the script I use with my computers that are enrolled in Jamf (it doesn't seem to matter whether they are DEP enrollments or not). This works up to current Catalina. If I am watching when the script runs, I see the message that this might not work in 10.14 and up, but up to now it has worked properly. I cobbled this together from a couple of different sources, so I don't know who to give attribution to.
#!/bin/bash
error=0
# To use this script to assign Apple Remote Desktop permissions, define the following:
#
# The username of the account that needs to be assigned Apple Remote Desktop permissions.
# The name of the Apple Remote Desktop management group which assigns the right permissions.
#
# The Apple Remote Desktop group permissions are defined below:
#
# Name: com.apple.local.ard_admin
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
# Delete and replace items, Send messages, Restart and Shut down, Control,
# Observe, Show being observed
#
# Name: com.apple.local.ard_interact
# Assigned rights: Send messages, Control, Observe, Show being observed
#
# Name: com.apple.local.ard_manage
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
# Delete and replace items, Send messages, Restart and Shut down
#
# Name: com.apple.local.ard_reports
# Assigned rights: Generate reports
#
# For example, to assign all Apple Remote Desktop permissions to an account named
# "administrator", the user and group variables should appear as shown below:
#
# arduser="administrator"
# ardgroup="com.apple.local.ard_admin"
#
# To assign only the permissions to screenshare and send messages to an account
# named "helpdesk", the user and group variables should appear as shown below:
#
# arduser="helpdesk"
# ardgroup="com.apple.local.ard_interact"
#
arduser="insertAdminNameHere"
ardgroup="com.apple.local.ard_admin"
# Do not edit below this line.
CreateGroups(){
# This function will create groups as needed using the dseditgroup tool.
/usr/sbin/dseditgroup -n /Local/Default "$groupname"
if [ $? != 0 ]; then
echo "$groupname group does not exist. Creating $groupname group."
/usr/sbin/dseditgroup -n /Local/Default -o create "$groupname"
else
echo "$groupname group already exists."
fi
}
CreateAppleRemoteDesktopGroups(){
# This function will use the CreateGroups function to create the local groups used by
# Apple Remote Desktop's directory-based permissions management.
# To create the com.apple.local.ard_admin group
groupname=com.apple.local.ard_admin
CreateGroups
# To create the com.apple.local.ard_interact group
groupname=com.apple.local.ard_interact
CreateGroups
# To create the com.apple.local.ard_manage group
groupname=com.apple.local.ard_manage
CreateGroups
# To create the com.apple.local.ard_reports group
groupname=com.apple.local.ard_reports
CreateGroups
}
AddUsersToAppleRemoteDesktopGroups(){
# This function will add users to the groups used by Apple Remote Desktop's directory-based management:
/usr/sbin/dseditgroup -o edit -a "$arduser" -t user "$ardgroup"
echo "Added $arduser to $ardgroup"
}
EnableAppleRemoteDesktopDirectoryManagement(){
ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# Turn on Apple Remote Desktop by activating
# the Apple Remote Desktop management agent
$ardkickstart -activate
# Allow Apple Remote Desktop access only for specified users
$ardkickstart -configure -allowAccessFor -specifiedUsers
# Enable Apple Remote Desktop management groups
$ardkickstart -configure -clientopts -setdirlogins -dirlogins yes
# Restart the Apple Remote Desktop agent process
$ardkickstart -restart -agent &
}
VerifyUser(){
/usr/bin/id "$arduser"
if [ $? != 0 ]; then
echo "Unable to set specified Apple Remote Desktop permissions!"
echo "$arduser account not found on this Mac."
error=1
exit "$error"
else
echo "$arduser account verified as existing on this Mac. Proceeding..."
fi
}
if [[ -n "$arduser" ]] && [[ -n "$ardgroup" ]]; then
# Verify that the specified user account exists.
VerifyUser
# Create Apple Remote Desktop management groups
# and add the specified user account to the
# specified management group.
CreateAppleRemoteDesktopGroups
AddUsersToAppleRemoteDesktopGroups
# Turn on Apple Remote Desktop and configure
# it to use Apple Remote Desktop's directory-based
# management to assign permissions.
EnableAppleRemoteDesktopDirectoryManagement
else
echo "Unable to set specified Apple Remote Desktop permissions!"
echo "arduser variable is set to: $arduser"
echo "ardgroup variable is set to: $ardgroup"
error=1
fi
exit $error
@kwoodard This script looks great! Two questions: I'm only trying to use Jamf Remote, not the Apple RD client; does this script still apply? If yes, then how would I go about adding two or more admins to the remote desktop permitted group?
Do I define multiple like this,
arduser1="adminusername1"
arduser2="adminusername2"
then add them all to the group with
/usr/sbin/dseditgroup -o edit -a "$arduser1" -t user "$ardgroup"
echo "Added $arduser1 to $ardgroup"
/usr/sbin/dseditgroup -o edit -a "$arduser2" -t user "$ardgroup"
echo "Added $arduser2 to $ardgroup"
But that seems like I'll break the VerifyUser pieces? Appreciate the guidance.
I don't use Jamf Remote, so I don't know for sure.
@ryan.ball Your instructions worked for me. Thanks for the help.
@page.229 Do you know if the VNC password issue was resolved in 10.15.4?
@dstranathan I don't think so. But there is another way to set the VNC password: /Library/Preferences/com.apple.VNCSettings.txt. Set the password and use Composer to package this file.
Also you can use the command line to decrypt the password from this file:
$ sudo cat /Library/Preferences/com.apple.VNCSettings.txt
7F513D02E4A8C5E2FF1C39567390ADCA
$ sudo cat /Library/Preferences/com.apple.VNCSettings.txt | perl -wne 'BEGIN { @k = unpack "C*", pack "H*", "1734516E8BA8C5E2FF1C39567390ADCA" }; chomp; @p = unpack "C*", pack "H*", $_; foreach (@k) { printf "%c", $_ ^ (shift @p || 0) }; print "\n"'
hello
Source: Manage the VNC / screen sharing password remotely
@cbd4s Thanks. I just figured this out after pounding my head into my desk for a couple days. I documented all my attempts/failures here: https://www.jamf.com/jamf-nation/discussions/35352/enable-configure-legacy-vnc-via-jamf
Creating a "master VNC password file" will work, but its not optimal - but it works! Thanks!
EDIT: The Perl code in the above post does NOT work. The source post for this tip is located HERE
For some reason I'm still having an impossible time with this. Currently on 10.15.3 (and tested on 10.15.4). But I have created the PPPC profile exactly as Apple has suggested and confirmed it against the exact same configurations others have posted here. I have the following script:
#!/bin/sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
When I run this script, or even the exact same kickstart commands many of you are using via policy, I get the following:
Executing Policy enable ARD
Running script enableARD.sh...
Script exit code: 0
Script result: Starting...
Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.
Activated Remote Management.
Setting allow all users to YES.
Setting all users privileges to 1073742079.
Done.
Starting...
Stopped ARD Agent.
Done.
After that I go to check System Preferences > Sharing and while Remote Management is enabled, absolutely zero privileges have been enabled. I cannot for the life of me figure out how to make this work.
Hi @dstranathan,
The code on that page to create the password is missing two important characters: "-n"
The 'echo "hello"' part should read 'echo -n "hello"', which suppresses adding a newline to the end of the string.
I wish I could say I hadn't made that mistake a gazillion times myself, but that's how I knew it at a glance.
I tried it several times with and without the "-n" flag and I am 100% sure of it now.
#justanotherperlhacker
#okaytechnicallytheminusnbitisbashnotperl
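Added example, not code from the thread or from the linked source post: the XOR behind the perl one-liner earlier in this thread, in Python, as an encoder and decoder for /Library/Preferences/com.apple.VNCSettings.txt, plus a check for the trailing-newline mistake the -n reply above describes. The only input is the fixed 16-byte key from the one-liner, so it runs offline and reproduces the 7F51...ADCA line for "hello". Writing the result into the file as root (and packaging it with Composer) is assumed to happen separately.

```python
"""Encode/decode the legacy VNC password file /Library/Preferences/com.apple.VNCSettings.txt.

Added example for this thread, not the thread's own code. The file holds 16 bytes
written as 32 hex characters: the password, zero-padded to 16 bytes, XORed with
the fixed key from the perl one-liner above. XOR is its own inverse, so the same
operation encodes and decodes.
"""

# Same key on every Mac (it is the constant in the perl one-liner), so the file
# only obfuscates the password; anyone who can read the file can recover it.
VNC_KEY = bytes.fromhex("1734516E8BA8C5E2FF1C39567390ADCA")


def _xor_with_key(data: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, VNC_KEY))


def encode_vnc_password(password: str) -> str:
    """Return the 32-hex-character file content for `password`.

    The file is exactly 16 bytes, so anything past 16 is dropped; classic RFB VNC
    authentication itself only ever uses the first 8 bytes of a password.
    """
    raw = password.encode("utf-8")[:16].ljust(16, b"\x00")
    return _xor_with_key(raw).hex().upper()


def decode_vnc_password(file_content: str) -> str:
    """Recover the password from the file content (surrounding whitespace ignored)."""
    data = bytes.fromhex(file_content.strip())
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes of hex, got {len(data)}")
    return _xor_with_key(data).rstrip(b"\x00").decode("utf-8", errors="replace")


def ends_with_newline(file_content: str) -> bool:
    """True when the stored password ends in a newline, i.e. it was produced with
    echo "pw" instead of echo -n "pw": the newline becomes part of the password,
    so logging in with the intended string fails."""
    return decode_vnc_password(file_content).endswith("\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3 or sys.argv[1] not in ("encode", "decode"):
        sys.exit(f"usage: {sys.argv[0]} encode <password> | decode <hex>")
    if sys.argv[1] == "encode":
        print(encode_vnc_password(sys.argv[2]))
    else:
        print(repr(decode_vnc_password(sys.argv[2])))
        if ends_with_newline(sys.argv[2]):
            print("warning: stored password ends in a newline (missing echo -n?)", file=sys.stderr)
```

`python3 vncpw.py encode hello` prints the same 7F513D02E4A8C5E2FF1C39567390ADCA shown earlier; `python3 vncpw.py decode "$(sudo cat /Library/Preferences/com.apple.VNCSettings.txt)"` shows the stored password with repr(), so a stray '\n' is visible rather than invisible.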
@AVmcclint
I think all you are missing is the "-access -on" bit. This is what we have in the script:
#!/bin/sh
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -ShowObserve -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
# Account to grant access to; the source script gets it from a policy parameter (assumed here to be $4)
targetUsername="$4"
[ -n "$targetUsername" ] || { echo "no target user given"; exit 1; }
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs $privs -users "$targetUsername"
Source: enableARD.sh
@AVmcclint rather than using the PPPC profile and a script, a simpler solution might be to use a script to configure remote access (so that it isn't on for all users when enabled), and then send the MDM command to enable remote management.
Create a smart group to identify devices that don't have your remote user and run a policy to create that user and run this script:
#!/bin/sh
# ARD user short name, passed to this script from the Jamf Pro policy as parameter $4
arduser="$4"
[ -n "$arduser" ] || { logger "$0: no ARD user passed in parameter 4."; exit 1; }
logger "$0: Configure Apple Remote Desktop access for $arduser."
# Hide ARD user from login window
dscl . create "/Users/$arduser" IsHidden 1
# Configure Apple Remote Desktop access only for specified users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers
# Give the ARD user access with all privileges and show the Remote Management menu bar item
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users "$arduser" -access -on -privs -all -clientopts -setmenuextra -menuextra yes
# Hide 'Other' from Login Window
defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool false
exit 0
Once that is done, set up a smart search to find devices that have the user and do not have remote management enabled and send the command to enable it.
Well, whatever the last security update was that just happened has messed up Remote Management on half of the computers I manage. It appears to have emptied out all the check boxes inside the options of Remote Management. What is most annoying is that even with physical access to the computers, I can remove Jamf and re-enroll and RM won't actually turn on now. The checkbox next to RM will check, but none of the options will get set. What doubly sucks is that Remote Login also gets unchecked, so I can't SSH in to do anything. I now have several hundred computers that I have to go to, one by one, to fix.
Anyone have any ideas? This has turned into a nightmare for me. Does anyone know where the plist file for RM lies? On a few machines that I have had access to, I have been able to manually toggle RM off, then on, then go into Options and cycle the options on/off/on to get it to work again.
Let me add to my previous comment... This seems to be affecting High Sierra machines mostly, I do have a few Mojave computers with this issue though. 99% seem to be High Sierra though.
OK, here is an updated script that seems to be working. Also included is the Jamf trigger to enable Remote Login, in case it somehow got unchecked. Came up with this working with Jamf Support on a few things. There are a few things still in the script that I left in there for when my school is no longer working from home. Mainly the privs line with the remote management options.
#!/bin/bash
error=0
# To use this script to assign Apple Remote Desktop permissions, define the following:
#
# The username of the account that needs to be assigned Apple Remote Desktop permissions.
# The name of the Apple Remote Desktop management group which assigns the right permissions.
#
# The Apple Remote Desktop group permissions are defined below:
#
# Name: com.apple.local.ard_admin
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
# Delete and replace items, Send messages, Restart and Shut down, Control,
# Observe, Show being observed
#
# Name: com.apple.local.ard_interact
# Assigned rights: Send messages, Control, Observe, Show being observed
#
# Name: com.apple.local.ard_manage
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
# Delete and replace items, Send messages, Restart and Shut down
#
# Name: com.apple.local.ard_reports
# Assigned rights: Generate reports
#
# For example, to assign all Apple Remote Desktop permissions to an account named
# "administrator", the user and group variables should appear as shown below:
#
# arduser="administrator"
# ardgroup="com.apple.local.ard_admin"
#
# To assign only the permissions to screenshare and send messages to an account
# named "helpdesk", the user and group variables should appear as shown below:
#
# arduser="helpdesk"
# ardgroup="com.apple.local.ard_interact"
#
arduser="user1"
arduser2="user2"
ardgroup="com.apple.local.ard_admin"
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
# Do not edit below this line.
CreateGroups(){
# This function will create groups as needed using the dseditgroup tool.
/usr/sbin/dseditgroup -n /Local/Default "$groupname"
if [ $? != 0 ]; then
echo "$groupname group does not exist. Creating $groupname group."
/usr/sbin/dseditgroup -n /Local/Default -o create "$groupname"
else
echo "$groupname group already exists."
fi
}
CreateAppleRemoteDesktopGroups(){
# This function will use the CreateGroups function to create the local groups used by
# Apple Remote Desktop's directory-based permissions management.
# To create the com.apple.local.ard_admin group
groupname=com.apple.local.ard_admin
CreateGroups
# To create the com.apple.local.ard_interact group
groupname=com.apple.local.ard_interact
CreateGroups
# To create the com.apple.local.ard_manage group
groupname=com.apple.local.ard_manage
CreateGroups
# To create the com.apple.local.ard_reports group
groupname=com.apple.local.ard_reports
CreateGroups
}
AddUsersToAppleRemoteDesktopGroups(){
# This function will add users to the groups used by Apple Remote Desktop's directory-based management:
/usr/sbin/dseditgroup -o edit -a "$arduser" -t user "$ardgroup"
echo "Added $arduser to $ardgroup"
/usr/sbin/dseditgroup -o edit -a "$arduser2" -t user "$ardgroup"
echo "Added $arduser2 to $ardgroup"
}
EnableAppleRemoteDesktopDirectoryManagement(){
ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# Turn on Apple Remote Desktop by activating
# the Apple Remote Desktop management agent
$ardkickstart -activate
# Allow Apple Remote Desktop access for all users with all privileges (use -specifiedUsers instead to restrict it)
$ardkickstart -configure -allowAccessFor -allUsers -privs -all
# Enable Apple Remote Desktop management groups
$ardkickstart -configure -clientopts -setdirlogins -dirlogins yes
# Restart the Apple Remote Desktop agent process
$ardkickstart -restart -agent
}
# NOTES $ardkickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes
VerifyUser(){
/usr/bin/id "$arduser"
if [ $? != 0 ]; then
echo "Unable to set specified Apple Remote Desktop permissions!"
echo "$arduser account not found on this Mac."
error=1
exit "$error"
else
echo "$arduser account verified as existing on this Mac. Proceeding..."
fi
/usr/bin/id "$arduser2"
if [ $? != 0 ]; then
echo "Unable to set specified Apple Remote Desktop permissions!"
echo "$arduser2 account not found on this Mac."
error=1
exit "$error"
else
echo "$arduser2 account verified as existing on this Mac. Proceeding..."
fi
}
StartSSH(){
/usr/local/jamf/bin/jamf startSSH -background
}
if [[ -n "$arduser" ]] && [[ -n "$arduser2" ]] && [[ -n "$ardgroup" ]]; then
# Verify that the specified user account exists.
VerifyUser
# Create Apple Remote Desktop management groups
# and add the specified user account to the
# specified management group.
CreateAppleRemoteDesktopGroups
AddUsersToAppleRemoteDesktopGroups
# Turn on Apple Remote Desktop and configure
# it to use Apple Remote Desktop's directory-based
# management to assign permissions.
EnableAppleRemoteDesktopDirectoryManagement
StartSSH
else
echo "Unable to set specified Apple Remote Desktop permissions!"
echo "arduser variable is set to: $arduser"
echo "ardgroup variable is set to: $ardgroup"
error=1
fi
exit $error
@kwoodard
Hi there, I have tried your script on macOS 10.15.6 and it does work, but it sets All Users to have full access in the Remote Management section. Is there a way of just specifying 'Only these users'?
This is the output from the script.
ladmin@mac-01 ~ % sudo /Users/ladmin/Downloads/EnableARD.sh
uid=502(ladmin) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),705(com.apple.sharepoint.group.5),702(com.apple.sharepoint.group.2),704(com.apple.sharepoint.group.4),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh-disabled),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1),707(com.apple.sharepoint.group.7),706(com.apple.sharepoint.group.6),703(com.apple.sharepoint.group.3)
ladmin account verified as existing on this Mac. Proceeding...
uid=502(ladmin) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),705(com.apple.sharepoint.group.5),702(com.apple.sharepoint.group.2),704(com.apple.sharepoint.group.4),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh-disabled),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1),707(com.apple.sharepoint.group.7),706(com.apple.sharepoint.group.6),703(com.apple.sharepoint.group.3)
ladmin account verified as existing on this Mac. Proceeding...
dsAttrTypeStandard:GeneratedUID -
AC8BFEA5-DBFD-4D1A-AB14-69F2A93164BF
dsAttrTypeStandard:PrimaryGroupID -
501
dsAttrTypeStandard:RecordName -
com.apple.local.ard_admin
dsAttrTypeStandard:RecordType -
dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation -
/Local/Default
com.apple.local.ard_admin group already exists.
dsAttrTypeStandard:GeneratedUID -
25D80698-F180-4969-A0C0-6E9746FB4EDD
dsAttrTypeStandard:PrimaryGroupID -
502
dsAttrTypeStandard:RecordName -
com.apple.local.ard_interact
dsAttrTypeStandard:RecordType -
dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation -
/Local/Default
com.apple.local.ard_interact group already exists.
dsAttrTypeStandard:GeneratedUID -
5653F237-3B29-46AE-92FF-0427F4624370
dsAttrTypeStandard:PrimaryGroupID -
503
dsAttrTypeStandard:RecordName -
com.apple.local.ard_manage
dsAttrTypeStandard:RecordType -
dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation -
/Local/Default
com.apple.local.ard_manage group already exists.
dsAttrTypeStandard:GeneratedUID -
BC780899-7FDB-49D4-8294-7061B6677BC1
dsAttrTypeStandard:PrimaryGroupID -
504
dsAttrTypeStandard:RecordName -
com.apple.local.ard_reports
dsAttrTypeStandard:RecordType -
dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation -
/Local/Default
com.apple.local.ard_reports group already exists.
Added ladmin to com.apple.local.ard_admin
Starting...
Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.
Activated Remote Management.
Done.
Starting...
Setting allow all users to YES.
Setting all users privileges to 1073742079.
Done.
Starting...
Set the client options.
Done.
Starting...
Stopped ARD Agent.
Done.
@Tildo If you look at the script, you can see this line defines all users:
# Allow Apple Remote Desktop access only for specified users
$ardkickstart -configure -allowAccessFor -allUsers -privs -all
If you want, you can instead define users by changing it to -allowAccessFor -specifiedUsers
Then you can define the users you want.
If you want to read more about options available with Kickstart, check out the man page by running this in Terminal:
man /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
Cheers!
Thanks @nberanger, that's how I would attack this. I have this set for all users as sometimes a computer isn't on a domain for the domain admins to gain access. Standard users can't do anything, as all the tools they could possibly use for RM are blocked. They only get access to some software titles in the Applications folder; everything else, no dice.