Posted on 08-22-2019 04:20 AM - last edited a week ago by kh-richa_mig
Hi There,
I think I'm going mad.
I'm trying to find the right kickstart command to DISABLE the "Show when being observed" option in the privs, for all users.
I believe this is done with the "-configure -privs -ShowObserve" command:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -privs -ShowObserve
But it doesn't change anything on the settings (when I test it on my own local terminal to make sure before I script it out via Jamf).
None of the ticks in the sys prefs seem to be responding to any of the kickstart commands.
I must be doing something wrong, but I can't figure it out. Anyone? Please?
Posted on 08-22-2019 01:17 PM
-ControlObserve, hombre.
EDIT: To be more helpful:
#!/bin/sh
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
targetUser="username"
# Allow the target user to log in over SSH
dseditgroup -o edit -a "$targetUser" -t user com.apple.access_ssh
# Turn on Remote Management and restrict it to specified users
"$kickstart" -activate -configure -allowAccessFor -specifiedUsers
# $privs is left unquoted so each flag reaches kickstart as its own argument
"$kickstart" -configure -access -on -privs $privs -users "$targetUser"
Adjust privs and user as needed.
EDIT 2: To be more helpful, none of this can be done via command line in Mojave unless user-level MDM is approved.
Posted on 08-22-2019 11:13 PM
This looks good, thank you for the effort, it is much appreciated.
One more question tho, what do I fill in as the Username if I want these settings for all users?
Posted on 08-27-2019 03:50 AM
That would mean all local users on the machine can VNC/ARD into the box. Is that what you want? Generally, people are looking to just allow the local admin account this privilege.
Nevertheless, to enable for all local users indiscriminately, change -specifiedUsers to -allUsers in the second to last line and delete -users "$targetUser" in the last.
The dseditgroup line is for turning on SSH for the target user. If you want to open that up to all admins, replace with:
sudo systemsetup -setremotelogin on
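An added example, not part of the thread or any poster's script: a dry-run helper that builds the two kickstart invocations discussed above for either scope, rejects privilege flags not named in this thread, and prints the commands for review instead of running them. The function names and the account `ladmin` are hypothetical.

```shell
#!/bin/sh
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# Privilege flags that appear in this thread; anything else is rejected.
KNOWN_PRIVS="-DeleteFiles -ControlObserve -TextMessages -ShowObserve -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"

# check_privs PRIVS: succeed only if PRIVS is non-empty and every word is a known flag.
check_privs() {
    [ -n "$1" ] || { echo "no privilege flags given" >&2; return 1; }
    for p in $1; do
        case " $KNOWN_PRIVS " in
            *" $p "*) ;;
            *) echo "unknown privilege flag: $p" >&2; return 1 ;;
        esac
    done
}

# build_ard_commands SCOPE PRIVS [USER]
# SCOPE is "specified" (one named account) or "all" (every local user).
# Prints the two kickstart invocations, one per line, without running them.
build_ard_commands() {
    scope=$1; privs=$2; user=$3
    check_privs "$privs" || return 1
    case "$scope" in
        specified)
            [ -n "$user" ] || { echo "specified scope needs a user" >&2; return 1; }
            case "$user" in
                *[!A-Za-z0-9._-]*) echo "unexpected character in user name" >&2; return 1 ;;
            esac
            echo "$KICKSTART -activate -configure -allowAccessFor -specifiedUsers"
            echo "$KICKSTART -configure -access -on -privs $privs -users $user"
            ;;
        all)
            # Every local account gains remote access; no -users argument is passed.
            echo "$KICKSTART -activate -configure -allowAccessFor -allUsers"
            echo "$KICKSTART -configure -access -on -privs $privs"
            ;;
        *) echo "scope must be 'specified' or 'all'" >&2; return 1 ;;
    esac
}

# Constructed sample input: "ladmin" is a hypothetical local admin account.
build_ard_commands specified "-ControlObserve -GenerateReports" ladmin
```

Comparing the printed lines for `specified` and `all` before deploying makes the difference in exposure visible: the second form grants the listed privileges to every local account.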
Posted on 08-28-2019 12:20 AM
Thanks heaps!