Skip to main content
Answer

Setting Screen Sharing

  • July 17, 2012
  • 6 replies
  • 43 views
T
Forum|alt.badge.img+21

Hi guys

Im trying to get a VPN solution working for our home users to connect in and vnc to their workstations. Problem Is the ARD directory access is not going to work for the mobile accounts because I don't run OD and have a setup using ADmitMac.

Cutting a long story short I have worked out that Screen Sharing activated for specific users in the System Preferences works and is what I need. Problem is I can't work out how to configure the access for specified users. Ive looked at the ARD kickstart but that's for setting Remote Management and not screen sharing.

Does anyone in the community know how to set the access for Screen Sharing (not ARD) for currently 10.6.8 and possibly 10.7.4?

Best answer by tkimpton

Thanks Tim your F**kin awesome lol

Here is what i use now for self service

#!/bin/bash

# Environment variable for the home directory of the account
FILE=/private/var/vnc
USER=dscl /Local/Default -list /Users | grep vnc

# Check to see if the account exists in dscl and the home folder
if [ "$USER" ] && [ $FILE ]; then

# If found echo it exists to the shell
echo "vnc account exists"

else

# If the account and home folder doesn't exist then go and create it
/usr/sbin/jamf createAccount -hiddenUser -username vnc -realname vnc -password DrillHall -home /private/var/vnc

fi

# GETTING THE CURRENT CONSOLE USER
rluser=ls -l /dev/console | cut -d " " -f4 | grep rufusleonard.hq

# SEE IF THE GROUP EXISTS
if
dscl . list /groups | grep com.apple.local.ard_interact
then
echo "Group already exists"

# CREATE THE GROUP IF DOESN'T EXIST
else
dscl . -create /groups/com.apple.local.ard_interact
dscl . -create /groups/com.apple.local.ard_interact PrimaryGroupID 1025

fi

# SEE IF CONSOLE USER IS IN THE GROUP
if
dscl . read /groups/com.apple.local.ard_interact | grep ${rluser}
then
echo "rluser is already in the group"

# DISPLAY A MESSAGE
jamf displayMessage -message "Group already exists!

${rluser} is already a member of it!

You don't need to run this anymore!"

# ADD THE CONSOLE USER IF NOT IN THE GROUP
else
dscl . -append /groups/com.apple.local.ard_interact GroupMembership ${rluser}

# DISPLAY A MESSAGE
jamf displayMessage -message "Group created

${rluser} is now a member of the group

vnc account created and the default password must be changed!"

fi

# Allow the local vnc account to control and observe modifying the trigger file
touch /Library/Management/Triggers/adminremotemanagement

    6 replies

    L
    Forum|alt.badge.img+15
    • Lhsachs
    • Contributor
    • July 18, 2012

    There are a a few things to look at for this issue:
    1. Having the workstations set to allow Remote Login and Remote Management - by specific users, with the options you choose set for observing, controlling, etc..
    2. If your dns is working - forward and reverse - and you know the user's system's name - once Screen Sharing is open, you should be able to connect with the system's name. (if you are static IP, the IP address will get you to the system)
    3. have the users at home know how to open Screen Sharing....

    ...If the users at home aren't running macs - they will need to set up a VNC password.

    If assisted customers working at home via VPN through screen sharing - a great way to assist...

    donmontalvo
    Forum|alt.badge.img+36
    • donmontalvo
    • Hall of Fame
    • July 18, 2012

    @Lhsachs I would be careful with that Sharing > VNC password feature...it's insecure. Anyone with the password can view/control the computer without the user being prompted. We use Remote Management instead, so any Mac on 10.5 or later can connect using local credentials (not the VNC password). This way each user has to use their account password.

    --https://donmontalvo.com
    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • July 18, 2012

    Thanks guys.

    VPN set allowing ports 5900 and 5901 only
    Macs to mac only
    No Dns for security they know their working reserved ip before they go home
    they have a 15 page instruction manual They get training sessions.

    As stated I cannot use remote management with specific user in my environment. It doesnt work with mobile accounts and I don't have an OD set up plus kickstart dirlogins won't work with ADmitMac.

    In my test Screen sharing enabled for specified user works but I just need to know how to set this up via the command line. I don't want to go down the manual route.

    This works to enable Screen Sharing on 10.6.8 but no ideas about setting access for specified users.

    sudo sh -c /bin/echo -n enabled > 
    /private/etc/ScreenSharing.lauchd

    For now I can get remote management to work at the moment on 10.6.8 using a script and the jamf binary to create a local vnc account, and then using Casper remote I get the user over and get them to change the user vnc password.

    Problem is I am thinking later down the road about 10.7 + where a vnc legacy password doesn't work anymore anyway and the vnc virtual desktop confusion/nightmare. I'd like them to authenticate as themselves and not log in as the local account vnc.

    For Remote Managemet to work I think I need to create the ard groups using discl

    This would be com.apple.local.ard_admin
    com.apple.local.ard_interact
    com.apple.local.ard_manage
    com.apple.local.ard_report

    Here is what I looked at but it says to create them with WGM locally. Does anyone know how to create these from the command line using dscl?

    http://tinyurl.com/cjvf5y

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • July 18, 2012

    I answered my own question lol.

    1. I created the group com.apple.local.ard_interact using WGM in the local node and added myself

    2. I found i had to add this to my ard script

      /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes

    3. I found i also still had to specify my access

    # GETTING THE CURRENT CONSOLE USER
    consoleuser=ls -l /dev/console | cut -d " " -f4

    # Allow tkimpton account access
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs -ControlObserve -ShowObserve -users ${consoleuser}

    1. I can now vnc authenticate using my mobile cached account from my home mac to my work laptop :)

    Please can someone help me how to create the following groups using dscl in a script

    com.apple.local.ard_admin
    com.apple.local.ard_interact
    com.apple.local.ard_manage
    com.apple.local.ard_report

    My idea to help automate it as much as possible is to just using a command to add a user to the com.apple.local.ard_interact group when needed :)

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • July 18, 2012

    so far i have below but need to work out how to exclude a local admin account when quering the console user. hmmmmmmmm...

    #!/bin/bash
    # GETTING THE CURRENT CONSOLE USER
    consoleuser=ls -l /dev/console | cut -d " " -f4

    # SEE IF THE GROUP EXISTS
    if
    dscl . list /groups | grep com.apple.local.ard_interact
    then
    echo "Group already exists"

    # CREATE THE GROUP IF DOESN'T EXIST
    else
    dscl . -create /groups/com.apple.local.ard_interact
    dscl . -create /groups/com.apple.local.ard_interact PrimaryGroupID 1025
    fi

    # SEE IF CONSOLE USER IS IN THE GROUP
    if
    dscl . read /groups/com.apple.local.ard_interact | grep ${consoleuser}
    then
    echo "Console user is already in the group"

    #ADD THE CONSOLE USER IF NOT IN THE GROUP
    else
    dscl . -append /groups/com.apple.local.ard_interact GroupMembership ${consoleuser}
    fi

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • Answer
    • July 18, 2012

    Thanks Tim your F**kin awesome lol

    Here is what i use now for self service

    #!/bin/bash

    # Environment variable for the home directory of the account
    FILE=/private/var/vnc
    USER=dscl /Local/Default -list /Users | grep vnc

    # Check to see if the account exists in dscl and the home folder
    if [ "$USER" ] && [ $FILE ]; then

    # If found echo it exists to the shell
    echo "vnc account exists"

    else

    # If the account and home folder doesn't exist then go and create it
    /usr/sbin/jamf createAccount -hiddenUser -username vnc -realname vnc -password DrillHall -home /private/var/vnc

    fi

    # GETTING THE CURRENT CONSOLE USER
    rluser=ls -l /dev/console | cut -d " " -f4 | grep rufusleonard.hq

    # SEE IF THE GROUP EXISTS
    if
    dscl . list /groups | grep com.apple.local.ard_interact
    then
    echo "Group already exists"

    # CREATE THE GROUP IF DOESN'T EXIST
    else
    dscl . -create /groups/com.apple.local.ard_interact
    dscl . -create /groups/com.apple.local.ard_interact PrimaryGroupID 1025

    fi

    # SEE IF CONSOLE USER IS IN THE GROUP
    if
    dscl . read /groups/com.apple.local.ard_interact | grep ${rluser}
    then
    echo "rluser is already in the group"

    # DISPLAY A MESSAGE
    jamf displayMessage -message "Group already exists!

    ${rluser} is already a member of it!

    You don't need to run this anymore!"

    # ADD THE CONSOLE USER IF NOT IN THE GROUP
    else
    dscl . -append /groups/com.apple.local.ard_interact GroupMembership ${rluser}

    # DISPLAY A MESSAGE
    jamf displayMessage -message "Group created

    ${rluser} is now a member of the group

    vnc account created and the default password must be changed!"

    fi

    # Allow the local vnc account to control and observe modifying the trigger file
    touch /Library/Management/Triggers/adminremotemanagement

    Terms & ConditionsCookie settingsAccessibility statement