Question

Script to allow Administrators sec group to Remote Login

  • April 16, 2015
  • 16 replies
  • 26 views


Just wondering if anyone knows the command to add the Administrators group for Remote Login

I've googled my pants off, I can allow the Admin but can't allow the Administrators group.

Any input would be greatly appreciated.

16 replies

  • Contributor
  • 286 replies
  • April 16, 2015

@dsmetham I believe you just need to add them to the ard access group. A simple Google search on adding a group to ard access should do it.


  • Valued Contributor
  • 215 replies
  • April 16, 2015

@dsmetham You will need to create the group first, then you will be able to add users to the group.

You can create the group either from the GUI or command line.


davidacland
  • Valued Contributor
  • 1811 replies
  • April 16, 2015

Are you talking about SSH access?

If it is SSH, you used to use a group called com.apple.access_ssh. Not sure if that's still the case, but if it is you should be able to use

dseditgroup -o create -q com.apple.access_ssh
  # Create the group

dseditgroup -o edit -a admin -t group com.apple.access_ssh
  # Add the admin group to it

apizz
  • Honored Contributor
  • 395 replies
  • March 30, 2016

Thanks for this @davidacland !


apizz
  • Honored Contributor
  • 395 replies
  • March 31, 2016

@davidacland your Terminal commands worked for me on a Yosemite test machine, but don't seem to work on my machine running 10.11.4. The first command does create the com.apple.access_ssh group, but then does not add the local Administrators group to the remote login panel like I was seeing on Yosemite.


davidacland
  • Valued Contributor
  • 1811 replies
  • March 31, 2016

I just double checked the commands and the man pages. All the options look to be the same so I'm not sure why they wouldn't be working.

When I tried them, creating the groups was fine, and adding a user to a group seemed to work intermittently.


apizz
  • Honored Contributor
  • 395 replies
  • April 1, 2016

Thanks for checking @davidacland. Looking at things more closely, it seems that the commands are working in that the com.apple.access_ssh group gets created, enables remote login (systemsetup -setremotelogin on), and sets remote login to "only these users". But no users or user groups are listed.

When I try and manually add the Administrators group it appears as added, but when I quit Sys Prefs and reopen it it no longer is shown as listed.

I've confirmed that I can ssh into the machine from different accounts with admin privileges but cannot connect with standard users.

So, it appears to be working but not properly showing the Administrators group as the user group with privileges to ssh.


apizz
  • Honored Contributor
  • 395 replies
  • April 1, 2016

I can confirm the above is happening on both 10.10.4 and 10.11.4


  • Contributor
  • 40 replies
  • April 4, 2016

@aporlebeke Even though nothing shows in the "remote login" list, try running in the Terminal:

/usr/bin/dscl . -read /Groups/com.apple.access_ssh

If your user shows there, you're golden. My JAMF management user does not show in the remote login list but it shows in that command. Also showing are "nested groups," one of which should be "ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050", the admin group.
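
The check described in the reply above can be scripted so a policy verifies the directory record rather than the Remote Login list. This is an added example, not part of the original post; the function names and the sample record are constructed for illustration, and the UUID is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: confirm from the directory record, not the System Preferences
# list, that the local admin group is nested in com.apple.access_ssh.

ADMIN_UUID="ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050"   # UUID quoted in the thread

# Constructed sample of `dscl . -read /Groups/com.apple.access_ssh` output.
sample_record() {
cat <<'EOF'
AppleMetaNodeLocation: /Local/Default
GroupMembership: jamfadmin
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
PrimaryGroupID: 399
RecordName: com.apple.access_ssh
EOF
}

# attr_values NAME: read a dscl record on stdin, print one value per line.
# Values may sit on the key line or on indented continuation lines.
attr_values() {
    awk -v key="$1:" '
        /^[^ \t]/ { inattr = ($1 == key); $1 = "" }
        inattr    { for (i = 1; i <= NF; i++) if ($i != "") print $i }
    '
}

# Succeeds only if the admin group's UUID is listed under NestedGroups.
admin_group_nested() {
    attr_values NestedGroups | grep -qix "$ADMIN_UUID"
}

# On a Mac, pipe the live record in instead of the sample:
#   /usr/bin/dscl . -read /Groups/com.apple.access_ssh | admin_group_nested
if sample_record | admin_group_nested; then
    echo "admin group is nested in com.apple.access_ssh"
else
    echo "admin group NOT nested; only direct members have SSH access"
fi
echo "direct members: $(sample_record | attr_values GroupMembership | tr '\n' ' ')"
```

Listing GroupMembership alongside NestedGroups also shows which individual accounts hold SSH access directly, which is worth reviewing when the intent is to grant it only through the admin group.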


apizz
  • Honored Contributor
  • 395 replies
  • April 4, 2016

Something I realized, I was misentering the command posted further up the thread, the "T" needs to be capitalized, not lowercase:

dseditgroup -o create -q com.apple.access_ssh
  # Create the group

dseditgroup -o edit -a admin -T group com.apple.access_ssh
  # Add the admin group to it

However, when I do these commands together now, it adds just the local admin user to the Remote Login specified users rather than the Administrators group ... Any other thoughts?


  • Contributor
  • 40 replies
  • April 4, 2016

Did you run /usr/bin/dscl . -read /Groups/com.apple.access_ssh ?
Anything under "NestedGroups"?


apizz
  • Honored Contributor
  • 395 replies
  • April 4, 2016

@tony.schaps Nothing about nested groups after running the command. As I mentioned in my post above, the command changed from a lowercase "t" to an uppercase in the second command, but that change just adds our local admin user to the remote login user list, not the Administrators group.


apizz
  • Honored Contributor
  • 395 replies
  • April 4, 2016

OK - so I started from scratch again. Running the original commands (with lowercase t) and then doing the dscl . -read /Groups/com.apple.access_ssh reveals that there is in fact a nested group - the admin group with the UID you specified previously in the com.apple.access_ssh group.

Although the Administrators group is still not showing up in the listed remote login account list.


  • New Contributor
  • 3 replies
  • August 7, 2019

Just in case anyone is browsing for other solutions. This is my script for granting the local "Administrators" group ssh access. Jamf removes the "Administrators" group from the Remote Login list when a machine is enrolled and replaces it with the jamfadmin account. The script below grants the local "Administrators" group ssh access and it will show in the list again after you log off and log back in:

#!/bin/sh

#Add Administrators group to Remote Login access list
dseditgroup -o edit -n /Local/Default -a admin -t group com.apple.access_ssh

exit 0

  • New Contributor
  • 8 replies
  • July 29, 2020

@jamaya77 is this a one time fix or does it need to be run from time to time?


apizz
  • Honored Contributor
  • 395 replies
  • August 6, 2020

@clint.arndt We've always enabled remote login as part of a series of post-enrollment policies and never had to rerun / reactivate.