Casper Remote: Show client when remote session is active?

scottb
Honored Contributor

I tried to find something on this and came up empty. I am surprised that we have not been asked this yet, but is there anything that anyone has done to show the clients when an active Remote session is in place? When it terminates?
I know some of our clients at some point will bring this up, and I thought I'd ask before I get asked.

Scott

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

@boettchs - Take a look here for information on what I put together - https://jamfnation.jamfsoftware.com/discussion.html?id=12735

Let me know what you think if you decide to try it out.


28 REPLIES

Kaltsas
Contributor III

There is a JSS user setting for Remote Privileges. You can configure your tech's user accounts that will be remote accessing systems to only screen share w/asking and the user will be prompted to accept the session.

The specific permissions you're looking for are as follows under Casper Remote Privileges.
Screen Share with Remote Computers
Screen Share with Remote Computers Without Asking

scottb
Honored Contributor

@Kaltsas - yeah, I know about those - thanks. I'm talking about making sure that the user feels comfortable that a session is over and nobody is on the Mac. We've got some assistants to top execs that are a pain when it comes to this stuff. They have to give permission, but I think there should be a way to show an active session.

ARD has the menu item. Other packages have icons as well for this.

Kaltsas
Contributor III

I guess there's an assumption on JAMF's part that if the management client is on the system IT has certain access to the machine, period.

I understand your concern, well I understand that some people have this concern. I have some doctors that are the same way. We just don't remote them period and send a tech. Dumb, maybe, but they are 12 levels above my pay grade they get whatever they want.

You could make a feature request about it. Or you might be better served with something like zoho remote or gotoassist for those users. Since they are "in control" of the session on their end with those tools.

mm2270
Legendary Contributor III

@Kaltsas is correct. You do want to configure that setting for your accounts in the JSS.
There are three things you should be aware of though with that setting:

1) if your account is a full access JSS admin with the "Administrator" privilege set, you will need to drop it down to the "Custom" privilege setting before you can uncheck the option labeled "Screen Share with Remote Computers Without Asking". When it's a full admin it has all options on by default and grayed out, so the only way to actually disable any privilege option is to drop it down a notch.
2) This only applies to actual Screen Sharing, not any other actions done in Casper Remote, like pushing software, etc. but I'm assuming by "remote session" you're actually talking about Screen Sharing anyway.
3) This is a big one - the above setting will only prompt for when a session starts, but does nothing for when it ends to alert the end user.

On that last point, if you can wait until around the end of this week, I'll be releasing a small toolset (script + launchds) that will send up Notification Center messages whenever a screen sharing session starts and ends and also logs it on the local client along with timestamps. The messages will display information about who connected, and also whether it was initiated by Casper Remote or just regular Screen Sharing. In fact, it doesn't rely on the Casper Suite at all to work, so it can be used just as well in a non Casper environment.
I'm getting ready to put it all up on a Github page for others to use if you find it useful, so just give me a couple more days.

scottb
Honored Contributor

@mm2270 - I've got the current capabilities in JSS setup just fine - it's the notification bit that's my wish to address here, as @Kaltsas posts - we have higher ups that are funky and we too often have to send a body there in lieu of remote control.

I thought of this whilst helping the new help desk train today - I didn't know when they were off of my test Mac so I just rebooted it - sure, I could have searched for an active process, but it made me think of this so I wanted to query here.

As for waiting for your solution - I technically don't even have a problem "yet" so I most certainly look forward to what you put together. And I surely can wait. Thank you.

mm2270
Legendary Contributor III

Yeah, I was writing my post above while you two were having a conversation on the topic here, so I didn't see your reply on the JSS settings part. :)
Anyway, it's a very valid concern and you're right in asking about it, and I also don't blame your users for being concerned/paranoid. There's simply no indication that someone has disconnected, which is why I decided to look into building a solution. It's not perfect, but in my own testing with it, it seems to work pretty well. The perfect solution would really be for JAMF to build this functionality in. I'm hoping in my releasing this that it will spark them to try to build something native into the product that will do it.

scottb
Honored Contributor

@mm2270 - awesome. Consider this steps #1 and #2 to a feature request that I will post once I test out your solution.

I think this day and age it's important and should be part of the base JSS feature set.

mm2270
Legendary Contributor III

@boettchs - Take a look here for information on what I put together - https://jamfnation.jamfsoftware.com/discussion.html?id=12735

Let me know what you think if you decide to try it out.

jescala
Contributor II

@boettchs The RemoteDesktop menu item works with Casper Remote. It displays an icon on the menu bar when a connection is active. You can find it here:

/System/Library/CoreServices/Menu Extras/RemoteDesktop.menu

bvrooman
Valued Contributor

I'm having a different experience than @jescala. Even with "Show when being observed" enabled, the ARD menu extra doesn't change its icon after a Casper Remote user connects. It does change when an ARD user connects.

jescala
Contributor II

@bvrooman What version of OS X? I've had that work for us since 10.7 and I just confirmed it works with 10.9, but I haven't tried it on 10.10 yet.

bvrooman
Valued Contributor

@jescala, I'm on 10.10.1 with ARDAgent 3.8. That must be it.

jescala
Contributor II

@bvrooman I just fired up a Mac with our 10.10 image that's still in development and I can't even connect to the screen sharing service with Casper Remote.

Kaltsas
Contributor III

@jescala You have to enable screen sharing on 10.10. I got bit by this. Something must have changed that prevents the jamf binary from temporarily enabling the service for the remote session like on previous OS's.

From the admin guide.

In addition, if the target computer has OS X v10.10 or later, Screen Sharing must also be enabled on the computer.

We are still determining how to deal with the change. Previously most systems did not have this turned on by default, and the security office was happy with this arrangement, letting casper do it on the fly.

scottb
Honored Contributor

@jescala - Yes, that shows up, but it's very innocuous, and the "message to administrator" item does not work, which would likely cause more frustration.

It is there, but I'm hoping to get a more visible option, and the one @mm2270 has been working on is promising. Check it out!

jescala
Contributor II

@Kaltsas Thanks for clearing that up. That change in Yosemite really stinks. We have a company policy prohibiting VNC due to its insecure default configuration. I found this thread on the issue: https://jamfnation.jamfsoftware.com/discussion.html?id=12196. Any idea if JAMF has a defect number for this issue?

@boettchs You're right, it is pretty easy to miss. They always know when I connect because we have it configured to request permission from the logged in user. And I make it a point to inform users about that icon when I remote their Macs so they can tell when I disconnect.

Kaltsas
Contributor III

@jescala I assume it's not a bug, since it's listed in the admin guide for 9.6. Technically it doesn't require turning on VNC, we would never enable VNC (i.e. screen sharing on by default leaves VNC disabled). I'm still playing with exactly what needs to be set to ensure this works consistently and will be kosher by the Security office.

It's just we have some enterprising users that understand screen sharing and will not be pleased if I'm pushing a policy that turns it on all the time. It was nice that it could be off and the jamf binary took care of enabling it temporarily.

jescala
Contributor II

@Kaltsas It may be different now, but in the past our security scanners would identify ARD as VNC and flag it as something that needed to be disabled. That's because ARD runs on the same port and is based on the same protocol. As such, we were not allowed to leave it enabled.

Kaltsas
Contributor III

I would believe that, but I would hope a discussion with your security folks could clear up the difference between ARD and VNC even if the port scan says hey there's something wrong here. Or are they more of the, welp qualys says it's bad so it's bad you can't use it type?

FritzsCorner
Contributor III

Just thought I would share what we are doing at my shop.

In my research I found that whenever Casper Remote screen sharing was activated a launch daemon is created called /Library/LaunchDaemons/com.jamfsoftware.task.screensharingunloader.plist. In addition to this launchdaemon a jamf process is spawned called: /usr/sbin/jamf unloadScreenSharingIfNotInUse.

What we ended up doing is setting up a watch path for the creation of the LaunchDaemon as the trigger and then looked for the jamf unloadScreenSharingIfNotInUse process and if it was there, we send a notification. When the process is closed and the launchdaemon is gone, we send another notification saying that the session has ended.
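
An added example of the approach described in the post above; it is not FritzsCorner's script and was not posted in this thread. It assumes the script is started by a per-user LaunchAgent whose WatchPaths entry covers /Library/LaunchDaemons and which passes a --run argument; the function names, the --run argument and the state and log file locations are assumptions.

```shell
#!/bin/sh
# Added example: detect the start and end of a Casper Remote screen sharing
# session from the two artifacts named in the post. File locations are assumptions.
PLIST="${PLIST:-/Library/LaunchDaemons/com.jamfsoftware.task.screensharingunloader.plist}"
STATE_FILE="${STATE_FILE:-/tmp/casper_remote_session.state}"
LOG_FILE="${LOG_FILE:-/tmp/casper_remote_session.log}"

# Process listing, kept in its own function so it can be replaced with constructed input.
list_processes() { ps -axo command; }

# Prints "active" only when both the LaunchDaemon plist and the jamf helper process exist.
session_state() {
    if [ -f "$PLIST" ] && list_processes | grep -q '[j]amf unloadScreenSharingIfNotInUse'; then
        echo active
    else
        echo inactive
    fi
}

# Appends a timestamped line to the local log and, on macOS, posts a notification.
notify_user() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1" >> "$LOG_FILE"
    if command -v osascript >/dev/null 2>&1; then
        osascript -e "display notification \"$1\" with title \"Remote session\"" >/dev/null 2>&1 || true
    fi
}

# Compares against the last recorded state; notifies only on a change.
check_transition() {
    current=$(session_state)
    previous=$(cat "$STATE_FILE" 2>/dev/null || echo inactive)
    echo "$current" > "$STATE_FILE"
    if [ "$current" = "$previous" ]; then echo unchanged; return 0; fi
    if [ "$current" = active ]; then
        notify_user "Casper Remote screen sharing session started"; echo started
    else
        notify_user "Casper Remote screen sharing session ended"; echo ended
    fi
}

# Run mode: record the start, poll until both artifacts are gone, record the end.
if [ "${1:-}" = "--run" ]; then
    check_transition
    while [ "$(session_state)" = active ]; do sleep 5; done
    check_transition
fi
```

Requiring both the plist and the process avoids a false "started" notice if only one artifact is present, and the state file keeps repeated triggers from producing duplicate notices.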

znilsson
Contributor II

@mm2270 Your screen share monitor solution is exactly what I need, but unfortunately I am not smart enough to understand how to get it installed and running. Can you help me understand where to put the various components?

mm2270
Legendary Contributor III

@znilsson Just download the pre-built package installer I have on that github page. You can go there directly by clicking here. You should just be able to deploy it as is.
I provide all the source files so anyone can customize them to their needs if that's a requirement.

znilsson
Contributor II

@mm2270 Thanks, sorry - not sure why I didn't see that before.

katluri
New Contributor

Hi Guys, I'm totally new here and was recently tasked with getting to know Casper toolset. I'm directed to disable VNC on all MACs and I'm looking through Casper and I don't see any settings in policies or anywhere to do that. I've been reading some of the forums suggestions, but totally lost. Any assistance is greatly appreciated.

scottb
Honored Contributor

@katluri - welcome! I would recommend that you start a new thread for this as you are much more likely to get the help you need here.

Scott

mhasman
Valued Contributor

Yes. All we need is bright yellow one-pixel-wide frame around client's screen until remote session. Simple, right? Everyone would be happy

seanhansell
Contributor

/System/Library/CoreServices/Menu Extras/RemoteDesktop.menu

This is not present in High Sierra or Mojave. Does anyone know where it has moved to?

- Sean

EduMac89
New Contributor II

#!/bin/sh

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra yes

Seanhansell - this is the command I have been using via Jamf to show the ARD Menu Extra on High Sierra & Mojave - hope this helps!