Posted on 12-02-2014 01:00 PM
I tried to find something on this and came up empty.
I am surprised that we have not been asked this yet, but is there anything that anyone has done to show the clients when an active Remote session is in place? When it terminates?
I know some of our clients at some point will bring this up, and I thought I'd ask before I get asked.
Scott
Posted on 12-02-2014 01:05 PM
There is a JSS user setting for Remote Privileges. You can configure your tech's user accounts that will be remote accessing systems to only screen share w/asking and the user will be prompted to accept the session.
The specific permissions you're looking for are as follows under Casper Remote Privileges.
Screen Share with Remote Computers
Screen Share with Remote Computers Without Asking
Posted on 12-02-2014 01:08 PM
@Kaltsas - yeah, I know about those - thanks. I'm talking about making sure that the user feels comfortable that a session is over and nobody is on the Mac. We've got some assistants to top execs that are a pain when it comes to this stuff. They have to give permission, but I think there should be a way to show an active session.
ARD has the menu item. Other packages have icons as well for this.
Posted on 12-02-2014 01:16 PM
I guess there's an assumption on JAMF's part that if the management client is on the system, IT has certain access to the machine, period.
I understand your concern, well I understand that some people have this concern. I have some doctors that are the same way. We just don't remote them period and send a tech. Dumb, maybe, but they are 12 levels above my pay grade; they get whatever they want.
You could make a feature request about it. Or you might be better served with something like zoho remote or gotoassist for those users. Since they are "in control" of the session on their end with those tools.
Posted on 12-02-2014 01:19 PM
@Kaltsas is correct. You do want to configure that setting for your accounts in the JSS
There are three things you should be aware of though with that setting:
1) If your account is a full access JSS admin with the "Administrator" privilege set, you will need to drop it down to the "Custom" privilege setting before you can uncheck the option labeled "Screen Share with Remote Computers Without Asking". When it's a full admin it has all options on by default and grayed out, so the only way to actually disable any privilege option is to drop it down a notch.
2) This only applies to actual Screen Sharing, not any other actions done in Casper Remote, like pushing software, etc. but I'm assuming by "remote session" you're actually talking about Screen Sharing anyway.
3) This is a big one - the above setting will only prompt for when a session starts, but does nothing for when it ends to alert the end user.
On that last point, if you can wait until around the end of this week, I'll be releasing a small toolset (script + launchds) that will send up Notification Center messages whenever a screen sharing session starts and ends and also logs it on the local client along with timestamps. The messages will display information about who connected, and also whether it was initiated by Casper Remote or just regular Screen Sharing. In fact, it doesn't rely on the Casper Suite at all to work, so it can be used just as well in a non Casper environment.
I'm getting ready to put it all up on a Github page for others to use if you find it useful, so just give me a couple more days.
Posted on 12-02-2014 01:30 PM
@mm2270 - I've got the current capabilities in JSS setup just fine - it's the notification bit that's my wish to address here, as @Kaltsas posts - we have higher ups that are funky and we too often have to send a body there in lieu of remote control.
I thought of this whilst helping the new help desk train today - I didn't know when they were off of my test Mac so I just rebooted it - sure, I could have searched for an active process, but it made me think of this so I wanted to query here.
As for waiting for your solution - I technically don't even have a problem "yet" so I most certainly look forward to what you put together. And I surely can wait. Thank you.
Posted on 12-02-2014 01:41 PM
Yeah, I was writing my post above while you two were having a conversation on the topic here, so I didn't see your reply on the JSS settings part. :)
Anyway, it's a very valid concern and you're right in asking about it, and I also don't blame your users for being concerned/paranoid. There's simply no indication that someone has disconnected, which is why I decided to look into building a solution. It's not perfect, but in my own testing with it, it seems to work pretty well. The perfect solution would really be for JAMF to build this functionality in. I'm hoping in my releasing this that it will spark them to try to build something native into the product that will do it.
Posted on 12-02-2014 01:49 PM
@mm2270 - awesome. Consider this steps #1 and #2 to a feature request that I will post once I test out your solution.
I think this day and age it's important and should be part of the base JSS feature set.
Posted on 12-04-2014 07:29 AM
@boettchs - Take a look here for information on what I put together - https://jamfnation.jamfsoftware.com/discussion.html?id=12735
Let me know what you think if you decide to try it out.
Posted on 12-04-2014 11:53 AM
@boettchs The RemoteDesktop menu item works with Casper Remote. It displays an icon on the menu bar when a connection is active. You can find it here:
/System/Library/CoreServices/Menu Extras/RemoteDesktop.menu
Posted on 12-04-2014 12:45 PM
I'm having a different experience than @jescala. Even with "Show when being observed" enabled, the ARD menu extra doesn't change its icon after a Casper Remote user connects. It does change when an ARD user connects.
Posted on 12-04-2014 12:48 PM
@bvrooman What version of OS X? I've had that work for us since 10.7 and I just confirmed it works with 10.9, but I haven't tried it on 10.10 yet.
Posted on 12-04-2014 01:02 PM
@jescala, I'm on 10.10.1 with ARDAgent 3.8. That must be it.
Posted on 12-04-2014 02:24 PM
@bvrooman I just fired up a Mac with our 10.10 image that's still in development and I can't even connect to the screen sharing service with Casper Remote.
Posted on 12-04-2014 02:29 PM
@jescala You have to enable screen sharing on 10.10. I got bit by this. Something must have changed that prevents the jamf binary from temporarily enabling the service for the remote session like on previous OS's.
From the admin guide.
In addition, if the target computer has OS X v10.10 or later, Screen Sharing must also be enabled on the computer.
We are still determining how to deal with the change. Previously most systems did not have this turned on by default, and the security office was happy with this arrangement, letting casper do it on the fly.
Posted on 12-04-2014 02:41 PM
Posted on 12-05-2014 06:27 AM
@Kaltsas Thanks for clearing that up. That change in Yosemite really stinks. We have a company policy prohibiting VNC due to its insecure default configuration. I found this thread on the issue: https://jamfnation.jamfsoftware.com/discussion.html?id=12196. Any idea if JAMF has a defect number for this issue?
@boettchs You're right, it is pretty easy to miss. They always know when I connect because we have it configured to request permission from the logged in user. And I make it a point to inform users about that icon when I remote their Macs so they can tell when I disconnect.
Posted on 12-05-2014 06:48 AM
@jescala I assume it's not a bug, since it's listed in the admin guide for 9.6. Technically it doesn't require turning on VNC, we would never enable VNC (i.e. screen sharing on by default leaves VNC disabled). I'm still playing with exactly what needs to be set to ensure this works consistently and will be kosher by the Security office.
It's just we have some enterprising users that understand screen sharing and will not be pleased if I'm pushing a policy that turns it on all the time. It was nice that it could be off and the jamf binary took care of enabling it temporarily.
Posted on 12-05-2014 06:57 AM
@Kaltsas It may be different now, but in the past our security scanners would identify ARD as VNC and flag it as something that needed to be disabled. That's because ARD runs on the same port and is based on the same protocol. As such, we were not allowed to leave it enabled.
Posted on 12-05-2014 07:02 AM
I would believe that, but I would hope a discussion with your security folks could clear up the difference between ARD and VNC even if the port scan says hey there's something wrong here. Or are they more of the, welp Qualys says it's bad so it's bad you can't use it type?
Posted on 12-05-2014 08:03 AM
Just thought I would share what we are doing at my shop.
In my research I found that whenever Casper Remote screen sharing was activated a launch daemon is created called /Library/LaunchDaemons/com.jamfsoftware.task.screensharingunloader.plist. In addition to this launchdaemon a jamf process is spawned called: /usr/sbin/jamf unloadScreenSharingIfNotInUse.
What we ended up doing is setting up a watch path for the creation of the LaunchDaemon as the trigger and then looked for the jamf unloadScreenSharingIfNotInUse process and if it was there, we send a notification. When the process is closed and the launchdaemon is gone, we send another notification saying that the session has ended.
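One way to implement the check described in the post above, as an added example that is not the poster's script. It assumes a launchd job with a `WatchPaths` entry on the plist path runs it with the argument `run`; the state file, log file and function names are hypothetical.

```shell
#!/bin/sh
# Added example. Plist path and process name are from the post above; the
# state file, log file and function names are assumptions for illustration.
PLIST="${PLIST:-/Library/LaunchDaemons/com.jamfsoftware.task.screensharingunloader.plist}"
STATE_FILE="${STATE_FILE:-/var/tmp/casper_screenshare.state}"
LOG_FILE="${LOG_FILE:-/var/log/casper_screenshare.log}"

# Print "active" only when the unloader LaunchDaemon exists AND the jamf
# unloader process appears in the process listing passed as $2.
session_state() {
    plist="$1"; proc_list="$2"
    if [ -e "$plist" ] &&
       printf '%s\n' "$proc_list" | grep -q 'jamf unloadScreenSharingIfNotInUse'; then
        echo active
    else
        echo inactive
    fi
}

# Compare the current state with the last recorded one. On a change, save it,
# append a timestamped log line and print the event ("started" or "ended").
record_transition() {
    current="$1"
    previous=$(cat "$STATE_FILE" 2>/dev/null || echo inactive)
    [ "$current" = "$previous" ] && return 0
    printf '%s\n' "$current" > "$STATE_FILE"
    if [ "$current" = active ]; then event=started; else event=ended; fi
    printf '%s screen sharing session %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$event" >> "$LOG_FILE"
    echo "$event"
}

# Show the event on screen. osascript only reaches the desktop when it runs in
# the logged-in user's context; a root daemon needs its own delivery method.
notify_user() {
    if command -v osascript >/dev/null 2>&1; then
        osascript -e "display notification \"Remote screen sharing session $1\" with title \"IT Remote Support\"" || true
    fi
}

# One pass: sample the process list, record any change, notify on change.
check_once() {
    state=$(session_state "$PLIST" "$(ps -axo command 2>/dev/null)")
    event=$(record_transition "$state")
    [ -n "$event" ] && notify_user "$event"
    return 0
}

# Runs only when invoked as: script.sh run
if [ "${1:-}" = run ]; then check_once; fi
```

Because the end of a session is marked by the plist and process disappearing, the job has to fire again after removal (or on a short interval) for the "ended" event to be recorded.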
Posted on 04-16-2015 09:05 AM
@mm2270 Your screen share monitor solution is exactly what I need, but unfortunately I am not smart enough to understand how to get it installed and running. Can you help me understand where to put the various components?
Posted on 04-16-2015 11:12 AM
Posted on 04-16-2015 11:18 AM
@mm2270 Thanks, sorry - not sure why I didn't see that before.
Posted on 08-16-2016 09:26 AM
Hi Guys, I'm totally new here and was recently tasked with getting to know the Casper toolset. I'm directed to disable VNC on all Macs and I'm looking through Casper and I don't see any settings in policies or anywhere to do that. I've been reading some of the forum suggestions, but I'm totally lost. Any assistance is greatly appreciated.
Posted on 08-16-2016 12:44 PM
@katluri - welcome! I would recommend that you start a new thread for this as you are much more likely to get the help you need here.
Scott
Posted on 08-16-2016 04:51 PM
Yes. All we need is a bright yellow one-pixel-wide frame around the client's screen until remote session. Simple, right? Everyone would be happy.
Posted on 06-28-2019 07:26 AM
/System/Library/CoreServices/Menu Extras/RemoteDesktop.menu
This is not present in High Sierra or Mojave. Does anyone know where it has moved to?
Posted on 06-28-2019 08:05 AM
#!/bin/sh
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra yes
Seanhansell - this is the command I have been using via Jamf to show the ARD Menu Extra on High Sierra & Mojave - hope this helps!