- Jamf Nation Community
- Products
- Jamf Pro
- Re: Configuration profile / PPPC for Remote Manage...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Configuration profile / PPPC for Remote Management on ADE-enrolled Macs?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-16-2021 06:40 AM
Does anyone have the details of what we need to set up in a configuration profile / PPPC to enable Remote Management for our admin account on ADE-enrolled Macs? Apple has an article that says it can be done, at https://support.apple.com/en-us/HT209161 but it is a bit light on detail. In particular I don't understand the last sentence.
Basically we have a local admin account that exists on all our Macs (it's created via policy) and we need it to have Remote Management permissions without us needing to go to every Mac and click to enable it. All our Macs are now enrolled via ADE/DEP so the UAMDM state is considered to be on.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-16-2021 07:23 AM - edited 09-16-2021 07:25 AM
MDM can enable or disable Remote Management, but by default it does so for all users. You can no longer enable or disable using the kickstart command, but you can configure the options. I've had success pushing out a script to configure ARD for a specific user, and then sending the command to devices that do not have remote management enabled (you can create an advanced computer search for this).
Here's an example (pass the username to the script as parameter 4 in the policy):
#!/bin/sh
# ARD User short named passed to this script from Jamf Pro policy as parameter $4
logger "$0: Configure Apple Remote Desktop access for $4."
usermissing=`finger -ms $4 2>&1 1>/dev/null | wc -l`
if [ ${usermissing} -eq 1 ]; then
echo "User $4 not found."
logger "$0: User $4 not found."
exit 1
fi
# Hide ARD user from login window
dscl . create /Users/$4 IsHidden 1
# Configure Apple Remote Desktop access only for specified users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers
# Configure Apple Remote Desktop Agent for ARD user specified by parameter $4
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users $4 -access -on -privs -all -clientopts -setmenuextra -menuextra yes
# Hide 'Other' from Login Window
defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool false
exit 0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-16-2021 07:28 AM
@jcarr what configuration profile payload does enabling Remote Management live in? Or is that what the PPPC is for? The Apple help article didn't really explain it very well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-14-2023 11:29 AM
So i added the username in parameter 4, but where do I put the password for the account?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-14-2023 11:33 AM
Would the password just be parameter 5?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-16-2021 09:31 AM - edited 09-16-2021 09:33 AM
It's not a profile payload, it's an MDM command (similar to enable/disable bluetooth). PPPC isn't used for Remote Management. Sending the command will either enable Remote Management for all users (by default), or disable it. If you first run the above script on all of your devices, sending the command will enable Remote Management for the user you specify. Think of it as the MDM command checking or unchecking the box in the Sharing pane of System Preferences, but the script is using the 'Options...' button.
https://docs.jamf.com/10.31.0/jamf-pro/administrator-guide/Remote_Commands_for_Computers.html
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-16-2021 11:08 AM - edited 09-16-2021 11:16 AM
@jcarr is it possible to use the Jamf API to instruct Jamf to run MDM commands? As I don't fancy wading through 200+ computer records manually clicking Enable Remote Management on each one.
Also if PPPC isn't used, why is it mentioned in the official Apple article on the subject?
https://support.apple.com/en-us/HT209161
EDIT: the PPPC seems like it might be this one: https://community.jamf.com/t5/jamf-pro/enable-remote-management-full-control-in-mojave/m-p/185453/hi...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-16-2021 05:53 PM
It is in fact possible to enable it via the API. It lives under the computercommands resource path.
Such a script might look something like this:
#!/bin/zsh
KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
## Get the Jamf Pro URL this Mac is enrolled in
JSS_URL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | sed 's|/$||')
## The API username and password are obtained from script parameters
API_USER="$4"
API_PASS="$5"
## Note: when adding in list of usernames to the script parameter, add in each user shortname separated by a "," and no spaces
ENABLED_USERS="$6"
## Get the UUID of the Machine
UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')
## Get the ID of the Mac from Jamf Pro (uses an API call)
JAMF_ID=$(/usr/bin/curl -su "${API_USER}:${API_PASS}" "${JSS_URL}/JSSResource/computers/udid/${UUID}/subset/general" | xmllint --format - | awk -F'>|<' '/<id>/{print $3; exit}')
## Send MDM command to Enable Remote Desktop for this Mac
/usr/bin/curl -su "${API_USER}:${API_PASS}" "${JSS_URL}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST
## Enable ARD options using the kickstart command (This only enables basic view, not control)
$KICK_START_BINARY -configure -users ${ENABLED_USERS} -access -on -privs -all
sleep 1
$KICK_START_BINARY -activate -configure -allowAccessFor -specifiedUsers
sleep 1
$KICK_START_BINARY -activate -configure -clientopts -setmenuextra -menuextra noBut to take a step back, what @jcarr was saying was that you can pull up all machines in one shot with an advanced search and then use the Action button to enable ARD on all of them at one time. No need to go into each record one by one.
But if you wanted to script it, try something like the above. It has worked for me in the past, but to be truthful it's been awhile now since I've used it as I don't have a need for it in my current position.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-20-2022 06:48 AM - edited 06-20-2022 06:50 AM
Hi All,
I have ran into the same issue in our environment on the M1 chip macs only. So following your advise i can get observe and control to work, but no advanced stuff like "send unix command" or even restart.
Am i doing it wrong? I first send the two kick starts command using policies, then i run the MDM commands on the machines (ill script the API part later once this is fully tested) and ARD reports back with the dark blue dots and i am able to observe and control, but nothing else.
If i run the two kick starts commands using terminal on the machine it works fine as well. Just cant push it out using JAMF.
-Peter
