Jamf Nation Community

Likewise, I have not.  I thought I had it, but Bol has been giving me some things to try.  I've been slacking, due to work getting in the way.  😓

-But discovered how I can poke at it remotely to wake it up again by Disable Remote Desktop when I need to, as mentioned above.  

To review, here's my current workflow...

1st - a policy to create local admin accounts during my pre-stage enrollment 

2nd - my ARD script 

Script: Special thanks to "RossMadness."  Source Link: https://www.reddit.com/r/macsysadmin/comments/f2recc/apple_remote_desktop_and_jamf_pro/fhec8aj/

==================

#!/bin/sh

#enables screen share for specifiedusers then restarts agent

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent

#specifies user then sets permissions for specified user then restarts agent

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users [user1],[user2] -access -on -privs -all -clientopts -setmenuextra -menuextra no -restart -agent

==================

3rd - workaround, as mentioned above as needed:

In Jamf Pro, I went into a computer's Management tab and clicked Disable Remote Desktop button, refresh my screen, then do it again, a few times (which I thought was quirky) until I get the Enable Remote Desktop button.  Once I got that, I was able to ARD into the workstation as normal. 

I figured out a simple way to enable Remote Management using a script and a custom trigger that seems to work now.

Create a script like this: 

... attach it to a policy, use a custom trigger, run that in Terminal or set it to run itself after enrollment. I'm testing it now, seems to work.

Step #3 seems like the only other way to Enable Remote Desktop for now as well as messing with the API.

That’s what I have been using. Even with a PPPC profile, black screen on Monterey. I have resorted to keeping the PPPC and manually checking the Remote Management box and selecting all the options on each machine. Not ideal, but it’s working for now. 

Same here.

Did you ever find a way to automate this? I tried multiple ways of the using the scripts in this post and haven't been able to make it work. 

Will this work on Intel Macs as well? 

Thank you.  I'll have to give it a shot.  To be continued...

This is fantastic and very intriguing @junjishimazaki. Thanks, for sharing this. I've found that my script above works as well on Monterey. Give it a try, it's more simple and doesn't require auth tokens. I'm still testing it, However, this is awesome!

I tried using the kickstart on the M1 and it didn't work which is why I ended up using curl to send the command to enable remote desktop. Then I use kickstart to allow the users.

Do you mind if I implement some of your API calls into a script in a public repo and add you to the file header as a contributor?

I don't mind. Go ahead

Thanks! I'll publish my variant of the script once I get some testing done on it.

Sounds good and thank you. 

Do you happen to know the minimum API permissions needed to perform these functions?

Thank you very much for this. This resolved the ARD screenshare error on the Intel/Monterey devices we have. Will also use this for the M1/Monterey.

I still can’t get my Intel based Macs working. Your script works perfectly on M1 macs. 

I don't understand this should work on either one. All it does is send the command. It works fine for me on Intel and on M1. When you run it, do you get any error messages?

I get the following error when I try to connect via Apple Remote Desktop or the built in VNC…

connectionFailed

serverUnableToReadScreenMessage

But, what error message do you get when you run the policy from Jamf?

I don't get any error in Jamf. As far as Jamf thinks, it installed correctly. In use, I get that popup message from any computer trying to connect to any Intel Mac, using ARD. It's perplexing to be sure.

Have you tried running the script locally on the mac?

I have, I get the same error when trying to connect from a different Mac using ARD. Again, only affecting the Intel Mac's.

Do you have any Config profiles deployed that would affect this? 

Nope, sure don't.

Trully bizarre. Do you have the firewall enabled on the mac?

Nope, this is affecting every Intel Mac on macOS 12...unless I had manually flipped on Remote Management.

Is the kickstart PPPC no longer required if you use the API to enable?

FWIW this applies to a mix of T2s and Apple Silicon for us.

My script doesn't require the kickstart PPPC since the script handles it anyway.  

Hello all.  I'm just now finally getting back on this.  Here's an update...

1. Enable Remote Desktop from the Jamf Pro Computer Management:
   • So far, the workaround of manually Enable Remote Desktop from the Jamf Pro Computer Management works except for one thing, that's all it is.  I can remote to the workstation, however I can initiate a restart, a reboot, etc. from ARD tools.  After investigating, I found that the options for the Enable Remote Desktop from the Jamf Pro Computer Management is just an "Observe" and "Control" only.  -Plus for "All Users", not for the "Only these users."  
2.   Junjishimazaki's Script Test: Failed Unable to Connect
   1. I removed an Intel machine and an M1, both with Monterey from my ARD script.
   2. I disabled Remote Desktop from the Jamf Pro Computer Management for each workstation.
   3. I created another policy with your script and scoped it out.
   4. It looked promising.  It enabled it, however when I try to establish an ARD session, I get this on both machines:
      • 

        Thoughts?

3. I noticed that your script allowed "All users" with all options.
   1. "

      ## Enable ARD options using the kickstart command

      $KICK_START_BINARY -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers

      "
   2. I tried to do this below to specify a user that is created during enrollment... Unfortunately it didn't work.
      1. "

         ## Enable ARD options using the kickstart command

         $KICK_START_BINARY -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers -users [user1,user2]

         "

Any suggestions?

See here in Apple's old docs;

Try setting up like this;

$kickstart -targetdisk / -verbose -uninstall -settings -prefs
$kickstart -targetdisk / -verbose -configure -allowAccessFor -specifiedUsers
$kickstart -targetdisk / -activate -configure -access -on -users "$localUserName" -privs "$privs" -clientopts -setmenuextra -menuextra no -restart -agent -console -menu

Yeah Bol.  The first two line above is exactly on my original script.  Now I'm just updating that to fit in Junjishimazaki's script.  Thanks for the $kickstart lines.  I'll give it a shot.  

Oh... This is for all local user accounts. Yes?  

-users "$localUserName"

So for specific users, should it look like this?

-users "USER1" "USER2"

  Or without quotes?

-users USER1,USER2   

Didn't work.  Here's everything combined:

#!/bin/bash

jamf_User="$4"
jamf_Pass="$5"
# Get the Jamf instance URL from the computer
jss_Url=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )
#Kick start command
KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

echo "Enabling ARD..."

# generate base64 ecnrypted password
encoded_creds=$(printf "$jamf_User:$jamf_Pass" | iconv -t ISO-8859-1 | base64 -i -)

# generate an auth token. tr truncates and removes all line feeds
authToken=$( /usr/bin/curl -s "${jss_Url}api/v1/auth/token" -H "authorization: Basic ${encoded_creds}" -X POST | tr -d "\n" )

# parse token, remove expiration date
token=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$authToken\`).token" )

# Get Mac serial number
mac_serial=`system_profiler SPHardwareDataType | awk '/Serial/ {print $4}'`
echo "Mac serial: $mac_serial"

# Get ID of the Mac from Jamf
JAMF_ID=$(curl --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' -)
#echo "Jamf ID: $JAMF_ID"

#Send MDM command to enable remote desktop for this mac
/usr/bin/curl --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST

## Enable ARD options using the kickstart command
$KICK_START_BINARY -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers
$kickstart -targetdisk / -verbose -uninstall -settings -prefs
$kickstart -targetdisk / -verbose -configure -allowAccessFor -specifiedUsers
$kickstart -targetdisk / -activate -configure -access -on -users "$localUserName" -privs "$privs" -clientopts -setmenuextra -menuextra no -restart -agent -console -menu

# expire the auth token
/usr/bin/curl "${jss_Url}uapi/auth/invalidateToken" --silent --request POST --header "Authorization: Bearer $token"

exit 0

Yes sorry, replace with your local users, I am using a script variable so I can enter the username on the policy page.

Im sorry if it’s been said but are you all scoping these two settings by config profiles also?

I haven’t gone back to see if one or both is still required but I know, at some point of testing, they were both needed to allow ARD to work again in latest macOS builds.

I get the same results using a PPPC or without. Strange error, or a black screen. 

😣

Hmmm... 🤔