ARD Kickstart issue?

TechSpecialist
Contributor

Hi There,

I think I'm going mad.

I'm trying to find the right kickstart command to DISABLE the "Show when being observed" option in the privs, for all users.

I believe this is done with the "-configure -privs -ShowObserve" command:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -privs -ShowObserve

But it doesn't change anything on the settings (when I test it on my own local terminal to make sure before I script it out via Jamf).

None of the ticks in the sys prefs seem to be responding to any of the kickstart commands.

I must be doing something wrong, but I can't figure it out... Anyone? Please?


tuinte
Contributor III

-ControlObserve, hombre.

EDIT: To be more helpful:

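#!/bin/sh
# Run as root.
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# ARD privileges to grant to the target user
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
targetUser="username"

# Allow SSH (Remote Login) for the target user
dseditgroup -o edit -a "$targetUser" -t user com.apple.access_ssh
# Turn on Remote Management, restricted to specified users
"$kickstart" -activate -configure -allowAccessFor -specifiedUsers
# Grant the privileges; $privs is left unquoted so each flag is passed as its own argument
"$kickstart" -configure -access -on -privs $privs -users "$targetUser"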

Adjust privs and user as needed.

EDIT 2: To be more helpful, none of this can be done via command line in Mojave unless user-level MDM is approved.

TechSpecialist
Contributor

This looks good, thank you for the effort, it is much appreciated.

One more question though, what do I fill in as the Username if I want these settings for all users?

tuinte
Contributor III

That would mean all local users on the machine can VNC/ARD into the box. Is that what you want? Generally, people are looking to just allow the local admin account this privilege.

Nevertheless, to enable for all local users indiscriminately, change -specifiedUsers to -allUsers in the second-to-last line and delete -users "$targetUser" in the last.

The dseditgroup line is for turning on SSH for the target user. If you want to open that up to all admins, replace with:

sudo systemsetup -setremotelogin on
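
An added example, not part of the original thread and not Apple's or Jamf's code: a dry-run planner that prints the two kickstart calls for either scope discussed above (-specifiedUsers or -allUsers) and rejects any privilege flag not named in this thread. The function name `ard_plan`, the scope words `specified`/`all` and the sample account `ladmin` are assumptions made for illustration; nothing is executed.

```shell
#!/bin/sh
# Added example: prints the kickstart commands for review; it never runs them.
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# Privilege flags that appear in this thread; anything else is rejected.
ALLOWED="-DeleteFiles -ControlObserve -TextMessages -ShowObserve -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"

# ard_plan <scope> <user> <priv>...   (hypothetical helper)
#   scope: "specified" (one named account) or "all" (every local user)
#   user:  account name; must be "" when scope is "all"
ard_plan() {
    [ "$#" -ge 3 ] || { echo "usage: ard_plan <scope> <user> <priv>..." >&2; return 2; }
    scope=$1; user=$2; shift 2
    for p in "$@"; do
        # One flag per argument: no spaces or other unexpected characters.
        case "$p" in
            ""|*[!A-Za-z-]*) echo "error: malformed flag: $p" >&2; return 2 ;;
        esac
        case " $ALLOWED " in
            *" $p "*) ;;
            *) echo "error: unknown privilege flag: $p" >&2; return 2 ;;
        esac
    done
    case "$scope" in
        specified)
            # Reject empty names and anything outside a conservative charset.
            case "$user" in
                ""|*[!A-Za-z0-9._-]*) echo "error: bad user name" >&2; return 2 ;;
            esac
            echo "$KICKSTART -activate -configure -allowAccessFor -specifiedUsers"
            echo "$KICKSTART -configure -access -on -privs $* -users $user"
            ;;
        all)
            # The all-users form drops -users entirely, as described in the reply.
            [ -z "$user" ] || { echo "error: scope 'all' takes no user" >&2; return 2; }
            echo "$KICKSTART -activate -configure -allowAccessFor -allUsers"
            echo "$KICKSTART -configure -access -on -privs $*"
            ;;
        *) echo "error: scope must be 'specified' or 'all'" >&2; return 2 ;;
    esac
}

# Constructed sample call: one local admin account, two privileges only.
ard_plan specified ladmin -ControlObserve -GenerateReports
```
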

TechSpecialist
Contributor

Thanks heaps!