ARD 3.9 agent update - keychain error

SGill
Contributor III

Anyone seeing keychain errors deploying the new ARD 3.9 client update released today?05d71af9f37140d79f0930bb964c0581

1 ACCEPTED SOLUTION

SGill
Contributor III

Yeah, restarting seemed to kill it here, too.

I added a restart to the package to see if that will help...also noticed that the default user context was current user --changed that to system account instead....thanks!

View solution in original post

37 REPLIES 37

imgappleadmin
New Contributor

We are getting this in our enterprise.

bainter
Contributor

Be wary of the ARD Admin update to 3.9. Installation/upgrade on an admittedly iffy 10.12.3 standard, non-privileged account results in failure to launch. Installation from a local admin appears to be normal.

imgappleadmin
New Contributor

What is the actual fix for this ?

bentoms
Release Candidate Programs Tester

Restarting seems to fix the issue.

According to folks on the macadmins slack

RobertHammen
Valued Contributor II

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent on the affected clients seems to do the trick at least for some short period of time. Not sure if this keychain prompt keeps re-occurring...

SGill
Contributor III

Yeah, restarting seemed to kill it here, too.

I added a restart to the package to see if that will help...also noticed that the default user context was current user --changed that to system account instead....thanks!

imgappleadmin
New Contributor

We are seeing the following post restart. Casper Remote returning back password incorrect when trying to screen share. Also ARD appears to not see the machine when scanning the IP range in which the machine is on.

SGill
Contributor III

Those might be 2 separate issues....not sure.

Can't duplicate either of those issues here with ARD Admin 3.9 and a mix of 3.9 and 3.8.5 clients....think my issue was simply installing with a logged-in user context instead of the system user. That fix appears to have resolved my install issue for now.

RobertHammen
Valued Contributor II

For best results, make sure to restart the clients after getting the Agent update.

If you can't restart them, you may need to ssh in and run the kickstart -restart -agent command above with administrative credentials.

If you have clients/agents that ARD shows as being offline, but you can ssh into them and restart the agent, you can try the trick of "Get Info" on the computer in ARD, Edit it, and delete the IP address or name, then close the Get Info window. This will force the Remote Desktop app to re-try connecting to the client. Sometimes I have to re-enter administrative credentials to make this work. Worst-case scenario is to delete and re-add the client...

djtaylor
New Contributor II

I'm not seeing the DeepFreeze status of my machines anymore. In 3.8.5 this information was displayed in ARD Field/Computer Info 1 column. Now it's just blank.

AVmcclint
Honored Contributor

I just discovered that Manage > Upgrade Client Software has been removed from ARD 3.9. So I launch ARD admin 3.9 and I see all machines listed with no information other than "Needs Upgrade". When I try to run a unix command (softwareupdate) it tells me the task is not authorized. How am I supposed to upgrade the agents and regain control of the Macs now?

skinford
Contributor III

Experiencing the same thing as @AVmcclint. Sort of at a lose what to do.

AVmcclint
Honored Contributor

Here is a workaround: If you still have a Mac with ARD admin 3.8 DO NOT UPGRADE IT YET. Use that version to connect to all your Macs and send the command softwareupdate -i RemoteDesktopClient-3.9.0 The task will appear to not finish because the agents are basically restarting and can't tell the admin Mac that it finished. Wait several minutes just to make sure enough time is given for the update to finish. Quit your ARD admin app and relaunch. If you display the column for ARD Version, you'll see those Macs were upgraded and you can still perform tasks on 3.9 clients with the 3.8 admin app.
Alternatively, you can make a JSS Policy to run the command at check-in and wait for things to happen. Once you have all your client Macs updated, then it should be safe to upgrade your admin app to 3.9. And don't forget to file a Bugreport with Apple on this. This is a pretty serious oversight.

AVmcclint
Honored Contributor

oops... don't update the ARD agent on your Mac that you are still running ARD admin 3.8. updating the agent will break your admin. :(

skinford
Contributor III

Thank you @AVmcclint

Have a good morning!

AVmcclint
Honored Contributor

MORE INFO: In ARD 3.9 > Preferences > Security tab > Allow communication with older clients.
fedbdb5bdf2148fdbf4616c84f530703
Checking this box seems to help with accessing older Macs but there doesn't appear to be any way to push an upgrade to the clients.... despite what the box in the bottom half of the window says.

murph
New Contributor III

Seeing this issue on 10.11.6 clients too as they update.

SGill
Contributor III

The "Allow communication with older clients" feature appears to be working here. I was looking all over for the upgrade client feature only to also discover that it's gone. I used my deployment app to send out the 3.9 update instead of ARD, and then discovered I needed to specify install as system user instead of logged-in user context the way Apple set it by default.

AVmcclint
Honored Contributor

I am starting to see the ARDagent pop-up asking for access to a keychain too. So far rebooting the Macs affected by it clears it but I don't know if enough time has elapsed to say that a reboot definitely stops the alert and it will never come up again.

SGill
Contributor III

I gave it overnight on my affected macs, and it seemed to clear it up. I added a restart to the package because of that, but of course that slows down deployment because of the disruption of restarts everywhere....heh.

lynnaj
New Contributor III

I'm seeing the same behavior. I updated my ARD server to 3.9 and now all my clients are listed as "Needs Update". So, I thought, JAMF to the rescue ...

From the Casper Remote window I sent the command:

softwareupdate -i RemoteDesktopClient-3.9.0

and then the command

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

While the logs report successful completion, this combination of commands doesn't seem to have done anything. I'm new to running commands and scripts with the JAMF-Casper interface. Should I prepend "sudo" to all these system commands or does the casper agent run these as root anyway ???

Other thoughts?
Thanks all -
- Lynna Jackson, Williams College

SGill
Contributor III

I don't know if I'd particularly recommend ARD client 3.9.0 just yet...think it needs a few tweaks first....ignore for now?

lynnaj
New Contributor III

Answered my own question - both commands MUST be prepended with sudo as follows:

sudo softwareupdate -i RemoteDesktopClient-3.9.0

and then:

sudo/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

Since I have close to 300 macs to do this do I'm considering a using a script with a check-in policy. Thoughts?
- Lynna Jackson, Williams College

SGill
Contributor III

@lynnaj I guess I didn't notice that one because I've always run those 2 commands with sudo. Sudo may also give you the System User installation context I found myself needing to avoid the few keychain errors that were popping up (original post) here.

lynnaj
New Contributor III

This is the script I came up with which seems to work to both update the ARD client to 3.9 and restart the agent:

#!/bin/sh softwareupdate -i 'RemoteDesktopClient-3.9.0' /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent exit 0

The single quotes around RemoteDesktopClient-3.9.0 are absolutely required. Otherwise the script returns an error not finding the update.

For the compete newbies like me:
First create this script in the JSS server section under " Management Settings - Computer Management - Scripts". Then create a Policy to run the script at the recurring check-in on your computers - once per computer and no restart is required so remove the restart configuration.

This script works if you log into the target computer and manually run:
sudo jams policy

It reports an error with no update availble if run at the random (i.e. normal) computer checkin. I going to post this as a different thread

Hope it helps someone else -
- Lynna Jackson, Williams College

klholloway
New Contributor

Hello. I have been trying to use the script via ARD to update all of my clients and I always get the returned message:
RemoteDesktopClient-3.9.0: no such update
No updates are available.

This is on 10.11.6 ARD 3.8.5 and 10.10.5 ARD 3.8.4

My ARD admin version is 3.9 with the preference set to allow communication with older clients.

What am I doing wrong?

This is what I am using in ARD as root:

sudo softwareupdate -i 'RemoteDesktopClient-3.9.0'

Thanks.

SGill
Contributor III

Try to set the package 'RemoteDesktopClient-3.9.0' to use the System user installation context if you can. Apple set it to only install via the logged-in user context, meaning that you have to be logged in to see it as available.

System user context for that package flag will allow it to be shown as available regardless of whether or not a user is logged in.

bainter
Contributor

Hi Kristl,
Getting a list of needed updates first from softwareupdate, then selecting the desired item worked for us. Here's the Policy results:

Executing Policy Remote Desktop Client Update
Running command sudo softwareupdate -l; sudo softwareupdate -i 'RemoteDesktopClient-3.9.0' --force; sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent; sudo /usr/local/jamf/bin/jamf recon...

Result of command:
Software Update Tool
Copyright 2002-2015 Apple Inc.

Finding available software
Software Update found the following new or updated software:

•RemoteDesktopClient-3.9.0
Remote Desktop Client Update (3.9.0), 8563K [recommended]
•iTunesXPatch-12.5.5
iTunes (12.5.5), 113476K [recommended]
Software Update Tool
Copyright 2002-2015 Apple Inc.

Downloading Remote Desktop Client Update
Downloaded Remote Desktop Client Update
Installing Remote Desktop Client Update
Done with Remote Desktop Client Update
Done.
Starting...
Stopped ARD Agent.
Done.
Retrieving inventory preferences from https://casper
Finding extension attributes...
Locating accounts...
Locating applications...
Locating package receipts...
Searching path: /Applications
Locating hard drive information...
Locating software updates...
Locating plugins...
Searching path: /Library/Internet Plug-Ins
Locating hardware information (Mac OS X 10.11.6)...
Gathering application usage information...
Submitting data to https://casper

lynnaj
New Contributor III

See my update in: https://www.jamf.com/jamf-nation/discussions/23140/ard-3-9-update-one-solution-using-jamf

The script approach in this post only works if you can log into the target computers and force the jamf check in with:

sudo jamf policy
  • Lynna

klholloway
New Contributor

Thanks everyone. I just ended up installing the package via ARD. It was slow but it worked. Now I have an updated admin machine and just over 400 updated clients. Any new machines going forward will have the new ARD version so it is all good. Certainly can't thank Apple enough for their stellar R&D. It is like they don't even test anything anymore. They just roll it out as fast as they can and deal with the fall out later. ARD has always been buggy but still a good tool.

psousa
New Contributor

Some of you could be getting the "No update available" response on the scripts because your OS version isn't fully up to date. I know on ours, we were running 10.11.5 which returned the No update available response from Apple until we updated to 10.11.6. Once we've updated to the latest OS, ARD Client 3.9 is ready to pull down and install.

bscarborough
New Contributor II

I just got off the phone with Applecare Enterprise, and they told me the fix they have for the Keychain error is to restart. They were not aware of the kickstart command:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

so I forwarded it to my agent. Of course, he says they don't deal with Terminal much unless directed to by Engineering...

iOSGenius
New Contributor III

thanks @bscarborough - In the past i provided them a script as well and it is always through engineering and it takes awhile to get them to start doing things, so i tend to just use ard or terminal script to send it on my own.

At least i still have one backup mac with old version as my district ran into same issue.

Dan

donmontalvo
Esteemed Contributor III

Thiscommand

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

...can be shorter if we create a symbolic link on all our managed computers:

$ sudo  ln -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart /usr/local/bin/kickstart

...this creates an alias:

$ ls -l /usr/local/bin/kickstart 
lrwxr-xr-x  1 root  wheel  87 Feb 24 19:46 /usr/local/bin/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
$ which kickstart
/usr/local/bin/kickstart

...the command can now be simpler:

kickstart -restart -agent

With that said, I haven't seen the issue. ARD 3.9 doesn't seem any newer or better, but its working for us.

--
https://donmontalvo.com

iOSGenius
New Contributor III

made a video in case others trying to catch up reading - https://www.youtube.com/watch?v=n4xHU4DV28M

donmontalvo
Esteemed Contributor III

No need to deploy 3.8.x client with ARD.

Use JSS to deploy both.

--
https://donmontalvo.com

nhubbard
New Contributor III

@bainter - This script actually worked for me, thank you for posting. However, it did not work yesterday and I tried throwing it through ARD and also Casper Remote. Today through another forum I realized Jamf had released another update to their casper suite. I updated that (although I had just done an update last week) and ran the script again today. Success!

Thanks to everyone for your posts and help.