I tried to find something on this and came up empty.
I am surprised that we have not been asked this yet, but is there anything that anyone has done to show the clients when an active Remote session is in place? When it terminates?
I know some of our clients at some point will bring this up, and I thought I'd ask before I get asked.
There is a JSS user setting for Remote Privileges. You can configure your tech's user accounts that will be remote accessing systems to only screen share w/asking and the user will be prompted to accept the session.
The specific permissions you're looking for are as follows under Casper Remote Privileges.
Screen Share with Remote Computers
Screen Share with Remote Computers Without Asking
@Kaltsas - yeah, I know about those - thanks. I'm talking about making sure that the user feels comfortable that a session is over and nobody is on the Mac. We've got some assistants to top execs that are a pain when it comes to this stuff. They have to give permission, but I think there should be a way to show an active session.
ARD has the menu item. Other packages have icons as well for this.
I guess there's an assumption on JAMF's part that if the management client is on the system IT has certain access to the machine, period.
I understand your concern, well I understand that some people have this concern. I have some doctors that are the same way. We just don't remote them period and send a tech. Dumb, maybe, but they are 12 levels above my pay grade, they get whatever they want.
You could make a feature request about it. Or you might be better served with something like zoho remote or gotoassist for those users. Since they are "in control" of the session on their end with those tools.
@Kaltsas is correct. You do want to configure that setting for your accounts in the JSS
There are three things you should be aware of though with that setting:
1) If your account is a full access JSS admin with the "Administrator" privilege set, you will need to drop it down to the "Custom" privilege setting before you can uncheck the option labeled "Screen Share with Remote Computers Without Asking". When it's a full admin it has all options on by default and grayed out, so the only way to actually disable any privilege option is to drop it down a notch.
2) This only applies to actual Screen Sharing, not any other actions done in Casper Remote, like pushing software, etc. but I'm assuming by "remote session" you're actually talking about Screen Sharing anyway.
3) This is a big one - the above setting will only prompt for when a session starts, but does nothing for when it ends to alert the end user.
On that last point, if you can wait until around the end of this week, I'll be releasing a small toolset (script + launchds) that will send up Notification Center messages whenever a screen sharing session starts and ends and also logs it on the local client along with timestamps. The messages will display information about who connected, and also whether it was initiated by Casper Remote or just regular Screen Sharing. In fact, it doesn't rely on the Casper Suite at all to work, so it can be used just as well in a non Casper environment.
I'm getting ready to put it all up on a Github page for others to use if you find it useful, so just give me a couple more days.
@mm2270 - I've got the current capabilities in JSS setup just fine - it's the notification bit that's my wish to address here, as @Kaltsas posts - we have higher ups that are funky and we too often have to send a body there in lieu of remote control.
I thought of this whilst helping the new help desk train today - I didn't know when they were off of my test Mac so I just rebooted it - sure, I could have searched for an active process, but it made me think of this so I wanted to query here.
As for waiting for your solution - I technically don't even have a problem "yet" so I most certainly look forward to what you put together. And I surely can wait. Thank you.
Yeah, I was writing my post above while you two were having a conversation on the topic here, so I didn't see your reply on the JSS settings part. :)
Anyway, it's a very valid concern and you're right in asking about it, and I also don't blame your users for being concerned/paranoid. There's simply no indication that someone has disconnected, which is why I decided to look into building a solution. It's not perfect, but in my own testing with it, it seems to work pretty well. The perfect solution would really be for JAMF to build this functionality in. I'm hoping in my releasing this that it will spark them to try to build something native into the product that will do it.
@jescala You have to enable screen sharing on 10.10. I got bit by this. Something must have changed that prevents the jamf binary from temporarily enabling the service for the remote session like on previous OS's.
From the admin guide.
In addition, if the target computer has OS X v10.10 or later, Screen Sharing must also be enabled on the computer.
We are still determining how to deal with the change. Previously most systems did not have this turned on by default, and the security office was happy with this arrangement, letting casper do it on the fly.
@Kaltsas Thanks for clearing that up. That change in Yosemite really stinks. We have a company policy prohibiting VNC due to its insecure default configuration. I found this thread on the issue: https://jamfnation.jamfsoftware.com/discussion.html?id=12196. Any idea if JAMF has a defect number for this issue?
@boettchs You're right, it is pretty easy to miss. They always know when I connect because we have it configured to request permission from the logged in user. And I make it a point to inform users about that icon when I remote their Macs so they can tell when I disconnect.
@jescala I assume it's not a bug, since it's listed in the admin guide for 9.6. Technically it doesn't require turning on VNC, we would never enable VNC (i.e. screen sharing on by default leaves VNC disabled). I'm still playing with exactly what needs to be set to ensure this works consistently and will be kosher by the Security office.
It's just we have some enterprising users that understand screen sharing and will not be pleased if I'm pushing a policy that turns it on all the time. It was nice that it could be off and the jamf binary took care of enabling it temporarily.
@Kaltsas It may be different now, but in the past our security scanners would identify ARD as VNC and flag it as something that needed to be disabled. That's because ARD runs on the same port and is based on the same protocol. As such, we were not allowed to leave it enabled.
I would believe that, but I would hope a discussion with your security folks could clear up the difference between ARD and VNC even if the port scan says hey there's something wrong here. Or are they more of the, welp Qualys says it's bad so it's bad you can't use it type?
Just thought I would share what we are doing at my shop.
In my research I found that whenever Casper Remote screen sharing was activated a launch daemon is created called /Library/LaunchDaemons/com.jamfsoftware.task.screensharingunloader.plist. In addition to this launchdaemon a jamf process is spawned called: /usr/sbin/jamf unloadScreenSharingIfNotInUse.
What we ended up doing is setting up a watch path for the creation of the LaunchDaemon as the trigger and then looked for the jamf unloadScreenSharingIfNotInUse process and if it was there, we send a notification. When the process is closed and the launchdaemon is gone, we send another notification saying that the session has ended.
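The check described in the post above, as an added example that is not the poster's script: it treats a session as active only when both the unloader LaunchDaemon plist and the `jamf unloadScreenSharingIfNotInUse` process exist, and as ended only when both are gone. The state file, log file, notification title and the `PS_OUTPUT` test hook are assumptions, as is the idea of running it with `--run` from a launchd job whose `WatchPaths` covers `/Library/LaunchDaemons`.

```shell
#!/bin/sh
# Added example, not the poster's script. The plist path and process name come
# from the post; STATE_FILE, LOG_FILE and the notification title are assumptions.
UNLOADER_PLIST="${UNLOADER_PLIST:-/Library/LaunchDaemons/com.jamfsoftware.task.screensharingunloader.plist}"
UNLOADER_PROC="/usr/sbin/jamf unloadScreenSharingIfNotInUse"
STATE_FILE="${STATE_FILE:-/var/tmp/casper_remote_session.state}"
LOG_FILE="${LOG_FILE:-/var/log/casper_remote_session.log}"

# Command lines of running processes. Set PS_OUTPUT to test without a live session.
list_procs() {
    if [ -n "${PS_OUTPUT+set}" ]; then printf '%s\n' "$PS_OUTPUT"; else ps -axo command=; fi
}

# active = plist and process both present; ended = both gone; pending = only one.
current_state() {
    plist=no; proc=no
    if [ -e "$UNLOADER_PLIST" ]; then plist=yes; fi
    # Anchor at line start so a grep or editor mentioning the name does not match.
    if list_procs | grep -q "^$UNLOADER_PROC"; then proc=yes; fi
    case "$plist$proc" in
        yesyes) echo active ;;
        nono)   echo ended ;;
        *)      echo pending ;;
    esac
}

# Post a Notification Center message as the console user (macOS only).
notify() {
    command -v osascript >/dev/null 2>&1 || return 0
    uid=$(id -u "$(stat -f %Su /dev/console)") || return 0
    launchctl asuser "$uid" osascript -e \
        "display notification \"$1\" with title \"IT Remote Support\"" || true
}

# Log and notify only when the state actually changes; prints what happened.
check_session() {
    new=$(current_state)
    old=$(cat "$STATE_FILE" 2>/dev/null || echo ended)
    if [ "$new" = pending ] || [ "$new" = "$old" ]; then echo unchanged; return 0; fi
    echo "$new" > "$STATE_FILE"
    printf '%s screen sharing session %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$new" >> "$LOG_FILE"
    notify "Casper Remote screen sharing session $new"
    echo "$new"
}

if [ "${1:-}" = "--run" ]; then check_session; fi
```

Because the process can outlive or precede the plist by a moment, the `pending` state keeps the last recorded state instead of sending a premature "ended" message.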
Hi Guys, I'm totally new here and was recently tasked with getting to know Casper toolset. I'm directed to disable VNC on all MACs and I'm looking through Casper and I don't see any settings in policies or anywhere to do that. I've been reading some of the forums suggestions, but totally lost. Any assistance is greatly appreciated.
#!/bin/sh
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra yes
Seanhansell - this is the command I have been using via Jamf to show the ARD Menu Extra on High Sierra & Mojave - hope this helps!