I think I'm going mad.
I'm trying to find the right kickstart command to DISABLE the "Show when being observed" option in the privs, for all users.
I believe this is done with the "-configure -privs -ShowObserve" command:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -privs -ShowObserve
But It doesn't change anything on the settings (when I test it on my own local terminal to make sure before I script it out via Jamf).
Not any of the ticks in the sys prefs seem to be responding to any of the kickstart commands.
I must be doing something wrong, but I can't figure it out.. Anyone? Please?
EDIT: To be more helpful:
#!/bin/sh kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart" privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings" targetUser="username" dseditgroup -o edit -a "$targetUser" -t user com.apple.access_ssh "$kickstart" -activate -configure -allowAccessFor -specifiedUsers "$kickstart" -configure -access -on -privs "$privs" -users "$targetUser"
Adjust privs and user as needed.
EDIT 2: To be more helpful, none of this can be done via command line in Mojave unless user-level MDM is approved.
That would mean all local users on the machine can VNC/ARD into the box. Is that you want? Generally, people are looking to just allow the local admin account this privilege.
Nevertheless, to enable for all local users indiscriminately, change -specifiedUsers to -allUsers in the second to last line and delete -users "$targetUser" in the last.
The dseditgroup line is for turning on SSH for the target user. If you want to open that up to all admins, replace with:
sudo systemsetup -setremotelogin on