How are you enabling ARD?
@prujamf I don’t have either of those scenarios setup to test but noticed this recent change note below;
macOS Monterey 12.1
Hello Junjishimazaki/Bol,
Thanks for responding.
Remote Management is enabled via the kickstart command for a local administrator account.
I also scope a PPPC payload with the follow settings:
This how the firewall settings look on an Intel and M1 Mac:
@Bol Thanks for suggesting enabling the three Restrictions for Screenshots, Airplay and Classroom. Unfortunately enabling these had no effect.
Oddly screensharing briefly worked on one of my test M1 Macs after updating the OS from 12.0 to 12.2. Same settings as before. Unfortunately it stopped working as soon as I rebooted the Mac.
Under the Jamf Management Commands I can successfully send "Disable Remote Desktop Command" , but don't get an option to enable again..
Best Regards,
Rob.
Hello Junjishimazaki/Bol,
Thanks for responding.
Remote Management is enabled via the kickstart command for a local administrator account.
I also scope a PPPC payload with the follow settings:
This how the firewall settings look on an Intel and M1 Mac:
@Bol Thanks for suggesting enabling the three Restrictions for Screenshots, Airplay and Classroom. Unfortunately enabling these had no effect.
Oddly screensharing briefly worked on one of my test M1 Macs after updating the OS from 12.0 to 12.2. Same settings as before. Unfortunately it stopped working as soon as I rebooted the Mac.
Under the Jamf Management Commands I can successfully send "Disable Remote Desktop Command" , but don't get an option to enable again..
Best Regards,
Rob.
Because of Apple's changes, you now need to use MDM / Jamf to do this.
Either press the 'Enable Remote Desktop' button on the computer object in Jamf or you can script the same outcome by using the API (there's scripts on the forums you can try).
Because of Apple's changes, you now need to use MDM / Jamf to do this.
Either press the 'Enable Remote Desktop' button on the computer object in Jamf or you can script the same outcome by using the API (there's scripts on the forums you can try).
Do you happen to have a link to a script that works with 12.2+? Aiding a remote machine today and was stuck with a black screen. Thanks
Do you happen to have a link to a script that works with 12.2+? Aiding a remote machine today and was stuck with a black screen. Thanks
I have a script but uses basic authentication which is depreciated now, needs to use bearer tokens so i need to update.
I have a script but uses basic authentication which is depreciated now, needs to use bearer tokens so i need to update.
Oh the API is changing to bearer tokens. I'd love to see the script once it's updated. Maybe I can help improve on it to run it as a Lambda or similar automation.
Oh the API is changing to bearer tokens. I'd love to see the script once it's updated. Maybe I can help improve on it to run it as a Lambda or similar automation.
No problem at all. I spent some time reading and testing at one site, while I got it working, I don't yet know enough to make the api do what I think it should (uuid -> jamf id).. So for now I've pieced together what I found from the community, really nice information (as usual) at Mr Flounder's blog;
https://derflounder.wordpress.com/2021/12/10/obtaining-checking-and-renewing-bearer-tokens-for-the-jamf-pro-api/
Same again from Mr Purves site;
https://richard-purves.com/2021/12/09/jamf-pro-api-for-fun-and-profit/
Then finding what I need from the Jamf developer site;
https://developer.jamf.com/jamf-pro/reference/createcomputercommandbycommandandid
- As a test, I disabled remote desktop in Jamf
- Confirmed black screen during ARD connection
- Sending this command immediately re-connected screen session
/usr/bin/curl --request POST \\
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \\
--silent \\
--header "Authorization: Bearer $token"
Previously, I would use this to the same effect
/usr/bin/curl -Ssu "${jamfpro_user}:${jamfpro_password}" "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${computerID}" -X POST Also to note, for whatever reason while testing on 12.2.1, it no longer displayed the warning message "Your screen is being observed”.
Previously it would show unless I reconnected in succession to the same machine. Even after a reboot and login, hilarious, I'll ignore that and save myself revisiting an old rabbit hole.
Because of Apple's changes, you now need to use MDM / Jamf to do this.
Either press the 'Enable Remote Desktop' button on the computer object in Jamf or you can script the same outcome by using the API (there's scripts on the forums you can try).
I haven't seen a 'Enable Remote Desktop' button on the computer object in Jamf. I do have the PPPC payloads that bol and prujamf suggested that fixed this issue when Catalina came out.
I ended up creating in JAMF inventory an advanced search of all my macOS Monterey devices. Then in
the Search opened view -> Action -> Send Remote Commands -> Set Remote Desktop (macOS 10.14.4 or later) -> Enable
The answer displayed was,
Complete
The remote command failed to send.😕😕
😀 However Screen Sharing was enabled, the 5 or 6 system that I reached out with using JAMF Remote or Apple Remote Desktop or screen sharing, and they all properly shared the screen.
Not sure how I can send a MDM command to a new device when it is enrolled. Any suggestions would be welcome.
No problem at all. I spent some time reading and testing at one site, while I got it working, I don't yet know enough to make the api do what I think it should (uuid -> jamf id).. So for now I've pieced together what I found from the community, really nice information (as usual) at Mr Flounder's blog;
https://derflounder.wordpress.com/2021/12/10/obtaining-checking-and-renewing-bearer-tokens-for-the-jamf-pro-api/
Same again from Mr Purves site;
https://richard-purves.com/2021/12/09/jamf-pro-api-for-fun-and-profit/
Then finding what I need from the Jamf developer site;
https://developer.jamf.com/jamf-pro/reference/createcomputercommandbycommandandid
- As a test, I disabled remote desktop in Jamf
- Confirmed black screen during ARD connection
- Sending this command immediately re-connected screen session
/usr/bin/curl --request POST \\
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \\
--silent \\
--header "Authorization: Bearer $token"
Previously, I would use this to the same effect
/usr/bin/curl -Ssu "${jamfpro_user}:${jamfpro_password}" "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${computerID}" -X POST Also to note, for whatever reason while testing on 12.2.1, it no longer displayed the warning message "Your screen is being observed”.
Previously it would show unless I reconnected in succession to the same machine. Even after a reboot and login, hilarious, I'll ignore that and save myself revisiting an old rabbit hole.
How are you getting $computerID?
How are you getting $computerID?
@route1337 wrote:
How are you getting $computerID?
Firstly you need the machine UUID;
machineUUID=$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/awk '/IOPlatformUUID/ { gsub(/"/,"",$3); print $3; }')Then I used this as my guide because I had exhausted my patience on how to do this straight using the api;
https://richard-purves.com/2021/12/09/jamf-pro-api-for-fun-and-profit/
computerrecord=$( /usr/bin/curl --request GET \\
--url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \\
--silent \\
--header "Authorization: Bearer $token" )
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\\`$computerrecord\\`).results[0].id" )
Any update on this? I would love to create a profile or policy that I can scope my computers to to get this turned on.
I haven't seen a 'Enable Remote Desktop' button on the computer object in Jamf. I do have the PPPC payloads that bol and prujamf suggested that fixed this issue when Catalina came out.
I ended up creating in JAMF inventory an advanced search of all my macOS Monterey devices. Then in
the Search opened view -> Action -> Send Remote Commands -> Set Remote Desktop (macOS 10.14.4 or later) -> Enable
The answer displayed was,
Complete
The remote command failed to send.😕😕
😀 However Screen Sharing was enabled, the 5 or 6 system that I reached out with using JAMF Remote or Apple Remote Desktop or screen sharing, and they all properly shared the screen.
Not sure how I can send a MDM command to a new device when it is enrolled. Any suggestions would be welcome.
I tried this...still getting black screen. :(
I opened a ticket with support, they said JAMF remote is deprecated and suggested using team viewer integration?? I guess I'll just use MS teams, or send the MDM command to a device using an advance search so I can use ARD or Screen Sharing.
Any update on this? I would love to create a profile or policy that I can scope my computers to to get this turned on.
@kwoodard wrote:
Any update on this? I would love to create a profile or policy that I can scope my computers to to get this turned on.
You can use this if basic authentication is still enabled;
/usr/bin/curl -Ssu "${jamfpro_user}:${jamfpro_password}" "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${computerID}" -X POST Otherwise, this command enable's remote desktop;
/usr/bin/curl --request POST \\
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \\
--silent \\
--header "Authorization: Bearer $token"
Jamf - Creates a new computer command using command name and device IDs
I opened a ticket with support, they said JAMF remote is deprecated and suggested using team viewer integration?? I guess I'll just use MS teams, or send the MDM command to a device using an advance search so I can use ARD or Screen Sharing.
Can TeamViewer be easily set up for unattended access? We have a lot of headless Mac minis for testing (Intel, and ARM) that we like to use ARD on.
Can TeamViewer be easily set up for unattended access? We have a lot of headless Mac minis for testing (Intel, and ARM) that we like to use ARD on.
Hello all. I think I'm having the same issue. The behavior I'm experiencing is that I can ARD to the machines. It indicates that it's connected and on the client end it's "being observed." However, on my end the screen is completely blank. I found that the quick fix is to manually toggle the System Preferences/Sharing/Remote Management OFF and ON again. I had never had an issue until Monterey. Same issue? Any suggestions?
This is what I'm using.
(Special thanks to "RossMadness." Source Link: https://www.reddit.com/r/macsysadmin/comments/f2recc/apple_remote_desktop_and_jamf_pro/fhec8aj/)
==================
#!/bin/sh
#enables screen share for specifiedusers then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
#specifies user then sets permissions for specified user then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent
==================
I preload my system admin profiles (user1, user2, etc.] during the pre-stage enrollment.
This is by design and the changes are noted here;
Your script will handle the ARD settings and allow you to connect fine. Although the blank screen can only be fixed by enabling Remote Desktop via MDM. Add into your script an API call to do this and it will work again.
I have this setup after enrollment as a policy / script and allows me to ARD to a machine, erase & wipe, then after enrollment my original ARD window reconnects again. Not that helpful but it works :D
This is by design and the changes are noted here;
Your script will handle the ARD settings and allow you to connect fine. Although the blank screen can only be fixed by enabling Remote Desktop via MDM. Add into your script an API call to do this and it will work again.
I have this setup after enrollment as a policy / script and allows me to ARD to a machine, erase & wipe, then after enrollment my original ARD window reconnects again. Not that helpful but it works :D
Hello Bol. First off, thanks for the quick response. I appreciate yours and everyone elses' feedback on this post. 'Still new to this. This has given me something else new to try.
"Although the blank screen can only be fixed by enabling Remote Desktop via MDM. Add into your script an API call to do this and it will work again." -So does this look about right?
==================
#!/bin/sh
#enables screen share for specifiedusers then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
#specifies user then sets permissions for specified user then restarts agent
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent
computerrecord=$( /usr/bin/curl --request GET \\
--url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \\
--silent \\
--header "Authorization: Bearer $token" )
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\\`$computerrecord\\`).results[0].id" )
==================
My tests so far:
- So from what you did, I disabled remote desktop to my Test-1 machine in Jamf.
- I noticed immediately that it did in fact disable it when I checked my ARD console: I couldn't remote in.
- I also noticed that in Jamf on my Test-1 machine, after a refresh, there was no "Enable Remote Desktop."
- Afterwards following the steps you took, I created a Policy with the following script: unfortunately failed. Maybe I wasn't doing it right.
==========
/usr/bin/curl --request POST \\
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \\
--silent \\
--header "Authorization: Bearer $token"
=========
3. So I then I saw your reference to the Richard-Purves post on the API script and created another policy with the following script below.
==================
computerrecord=$( /usr/bin/curl --request GET \\
--url "${jamfpro_server_address}/api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${machineUUID}%22" \\
--silent \\
--header "Authorization: Bearer $token" )
computerID=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\\`$computerrecord\\`).results[0].id" )
====================
- When I scoped this to my Test-1 machine, it ran and appeared to have been applied (the machine log indicated that it executed).
- However in Jamf Pro it indicated that it failed.
- BUT! Interesting enough though... My Test-1 machine in Jamf now shows that Enable Remote Desktop. I clicked it and it worked. Once I did that, it does not show “Disable Remote Desktop.”
- Is this a normal behavior?
- How can I disable it so I can test if the my script above will work?
I think what it tripping this all up is even without using the API call to enable / disable remote desktop, you ARD code will still change the button behaviour in Jamf Pro.
eg. Will say that it's been enabled but you are still seeing the blank screen. You want your script to first enable via API, then make ARD setting changes after this and it should work.
At a guess I think your script needs to have a variable set for the machine uuid, i couldn't see that in your examples and is required to pull the jamf pro id from API like you have added.
machineUUID=$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/awk '/IOPlatformUUID/ { gsub(/"/,"",$3); print $3; }')
Does anyone have this setup and working properly yet? Seems like there are a few different things suggested now and none seem to completely work. I know that the old script that I used to kickstart the service as well as the script I had been using to fix the black screen issue no longer seem to work. I use ARD a lot, so not having it working to screen share properly is a big productivity blow for me and the few other guys that work on Macs.
@kwoodard wrote:
Any update on this? I would love to create a profile or policy that I can scope my computers to to get this turned on.
You can use this if basic authentication is still enabled;
/usr/bin/curl -Ssu "${jamfpro_user}:${jamfpro_password}" "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${computerID}" -X POST Otherwise, this command enable's remote desktop;
/usr/bin/curl --request POST \\
--url "${jamfpro_server_address}/JSSResource/computercommands/command/EnableRemoteDesktop/id/$computerID" \\
--silent \\
--header "Authorization: Bearer $token"
Jamf - Creates a new computer command using command name and device IDs
I must be doing something wrong, this did nothing except pop out errors with using curl etc.
This is by design and the changes are noted here;
Your script will handle the ARD settings and allow you to connect fine. Although the blank screen can only be fixed by enabling Remote Desktop via MDM. Add into your script an API call to do this and it will work again.
I have this setup after enrollment as a policy / script and allows me to ARD to a machine, erase & wipe, then after enrollment my original ARD window reconnects again. Not that helpful but it works :D
Super curious about your script @obola. Especially, because it allows you to ARD to a machine and do that after enrollment. How did you avoid the black screen issue? Or, do you run this script with an "Enrollment Complete" trigger and then also press the. button to Enable Remote Desktop as well? Is it a two part process for you now?
@kwoodard wrote:
I must be doing something wrong, this did nothing except pop out errors with using curl etc.
The snippet above works but you still need to declare those variables curl is using. eg. jamfpro_server_address = "https://xxx:8443"
By just cut and pasting those lines, yes it will give you errors. You can still maintain your kickstart script and settings, you will just need to add enabling ARD for each computer via MDM (Jamf API). This article will step you through encoding your api credentials / obtaining & invalidating api token, then you can use the code above to enable ARD.
https://richard-purves.com/2021/12/09/jamf-pro-api-for-fun-and-profit/
My workflow is roughly;
Generate Token
Get Jamf Computer ID
Set Apple Remote Desktop via API
Set Apple Remote Desktop via Kickstart
Expire Token
@kwoodard wrote:
I must be doing something wrong, this did nothing except pop out errors with using curl etc.
The snippet above works but you still need to declare those variables curl is using. eg. jamfpro_server_address = "https://xxx:8443"
By just cut and pasting those lines, yes it will give you errors. You can still maintain your kickstart script and settings, you will just need to add enabling ARD for each computer via MDM (Jamf API). This article will step you through encoding your api credentials / obtaining & invalidating api token, then you can use the code above to enable ARD.
https://richard-purves.com/2021/12/09/jamf-pro-api-for-fun-and-profit/
My workflow is roughly;
Generate Token
Get Jamf Computer ID
Set Apple Remote Desktop via API
Set Apple Remote Desktop via Kickstart
Expire Token
I get the workflow. It makes sense. I’m not a programmer (I use mostly the GUI, but I do have some smaller and less complex scripts for some things), so I’m banging my head on my desk trying to get the coding sorted out. I’m not seeing how to turn on Remote Management via the API and I don’t know how to integrate the token into it (and the kickstart) to make this work. Can you share your code?
