Configuration profile / PPPC for Remote Management on ADE-enrolled Macs?

DanJ_LRSFC
Contributor II

Does anyone have the details of what we need to set up in a configuration profile / PPPC to enable Remote Management for our admin account on ADE-enrolled Macs? Apple has an article that says it can be done, at https://support.apple.com/en-us/HT209161 but it is a bit light on detail. In particular I don't understand the last sentence.

Basically we have a local admin account that exists on all our Macs (it's created via policy) and we need it to have Remote Management permissions without us needing to go to every Mac and click to enable it. All our Macs are now enrolled via ADE/DEP so the UAMDM state is considered to be on.


jcarr
Contributor III

MDM can enable or disable Remote Management, but by default it does so for all users.  You can no longer enable or disable using the kickstart command, but you can configure the options.  I've had success pushing out a script to configure ARD for a specific user, and then sending the command to devices that do not have remote management enabled (you can create an advanced computer search for this).

Here's an example (pass the username to the script as parameter 4 in the policy):

#!/bin/sh

# ARD user short name is passed to this script from the Jamf Pro policy as parameter $4

logger "$0: Configure Apple Remote Desktop access for $4."

# finger prints "no such user" to stderr when the account is missing; count those lines
usermissing=$(finger -ms "$4" 2>&1 1>/dev/null | wc -l)

if [ "${usermissing}" -eq 1 ]; then
	echo "User $4 not found."
	logger "$0: User $4 not found."
	exit 1
fi

# Hide ARD user from login window
dscl . create "/Users/$4" IsHidden 1

# Configure Apple Remote Desktop access only for specified users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers

# Configure Apple Remote Desktop Agent for the ARD user specified by parameter $4
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users "$4" -access -on -privs -all -clientopts -setmenuextra -menuextra yes

# Hide 'Other' from Login Window
defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool false

exit 0

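To find the Macs that still need the script above, here is an added extension-attribute script (not jcarr's code and not from the thread) that reports which local accounts hold ARD privileges and whether access is open to all users, so an advanced search can match Macs where the admin account still lacks access. The `naprivs` user-record attribute, the `ARD_AllLocalUsers` key and the account name `ladmin` in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute reporting ARD access state.
# Assumptions: kickstart stores per-user privileges in the user record attribute
# "naprivs", and the all-users switch lives in
# /Library/Preferences/com.apple.RemoteManagement under ARD_AllLocalUsers.

# Turn "dscl . -list /Users naprivs" output into "user:mask" pairs, one per line,
# dropping accounts whose mask is 0 (listed but holding no privilege).
ard_users_from_list() {
  printf '%s\n' "$1" | awk 'NF == 2 && $2 != 0 { print $1 ":" $2 }'
}

# Map the ARD_AllLocalUsers value to a word: all, specified, or unknown when absent.
ard_access_mode() {
  case "$1" in
    1) echo all ;;
    0) echo specified ;;
    *) echo unknown ;;
  esac
}

# Assemble the EA result from the access mode and the user list (users joined by ",").
ea_result() {
  users=$(printf '%s\n' "$2" | paste -sd, -)
  printf '<result>mode=%s;users=%s</result>\n' "$1" "${users:-none}"
}

# Constructed sample of dscl output; -1073741569 is the mask written by -privs -all.
SAMPLE_LIST='ladmin          -1073741569
_mbsetupuser    0'

# Live collection only on macOS, where dscl and defaults exist.
if [ "$(uname)" = "Darwin" ]; then
  raw=$(dscl . -list /Users naprivs 2>/dev/null || true)
  flag=$(defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null || true)
  ea_result "$(ard_access_mode "$flag")" "$(ard_users_from_list "$raw")"
fi
```

An advanced search on this attribute (for example "does not contain ladmin:") then lists exactly the Macs the script has not yet touched.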
@jcarr what configuration profile payload does enabling Remote Management live in? Or is that what the PPPC is for? The Apple help article didn't really explain it very well.

jcarr
Contributor III

It's not a profile payload, it's an MDM command (similar to enable/disable bluetooth).  PPPC isn't used for Remote Management.  Sending the command will either enable Remote Management for all users (by default), or disable it.  If you first run the above script on all of your devices, sending the command will enable Remote Management for the user you specify.  Think of it as the MDM command checking or unchecking the box in the Sharing pane of System Preferences, but the script is using the 'Options...' button.


https://docs.jamf.com/10.31.0/jamf-pro/administrator-guide/Remote_Commands_for_Computers.html

@jcarr is it possible to use the Jamf API to instruct Jamf to run MDM commands? As I don't fancy wading through 200+ computer records manually clicking Enable Remote Management on each one.

Also if PPPC isn't used, why is it mentioned in the official Apple article on the subject?

https://support.apple.com/en-us/HT209161

EDIT: the PPPC seems like it might be this one: https://community.jamf.com/t5/jamf-pro/enable-remote-management-full-control-in-mojave/m-p/185453/hi...


mm2270
Legendary Contributor II

It is in fact possible to enable it via the API. It lives under the computercommands resource path.

Such a script might look something like this:

#!/bin/zsh

KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

## Get the Jamf Pro URL this Mac is enrolled in
JSS_URL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | sed 's|/$||')

## The API username and password are obtained from script parameters
API_USER="$4"
API_PASS="$5"

## Note: when adding in list of usernames to the script parameter, add in each user shortname separated by a "," and no spaces
ENABLED_USERS="$6"

## Get the UUID of the Machine
UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')

## Get the ID of the Mac from Jamf Pro (uses an API call)
JAMF_ID=$(/usr/bin/curl -su "${API_USER}:${API_PASS}" "${JSS_URL}/JSSResource/computers/udid/${UUID}/subset/general" | xmllint --format - | awk -F'>|<' '/<id>/{print $3; exit}')

## Send MDM command to Enable Remote Desktop for this Mac
/usr/bin/curl -su "${API_USER}:${API_PASS}" "${JSS_URL}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST

## Enable ARD options using the kickstart command (This only enables basic view, not control)
"$KICK_START_BINARY" -configure -users "${ENABLED_USERS}" -access -on -privs -all
sleep 1
"$KICK_START_BINARY" -activate -configure -allowAccessFor -specifiedUsers
sleep 1
"$KICK_START_BINARY" -activate -configure -clientopts -setmenuextra -menuextra no

But to take a step back, what @jcarr was saying was that you can pull up all machines in one shot with an advanced search and then use the Action button to enable ARD on all of them at one time. No need to go into each record one by one.

But if you wanted to script it, try something like the above. It has worked for me in the past, but to be truthful it's been awhile now since I've used it as I don't have a need for it in my current position.
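As an added example that is not mm2270's or jcarr's code, the admin-side counterpart to the script above: read the members of an advanced computer search from the Classic API and POST the EnableRemoteDesktop command to each one from a workstation, so the 200+ records never have to be opened one by one. `JSS_URL`, `API_USER`, `API_PASS`, `SEARCH_ID` and `DRY_RUN` are assumed environment variables, and the XML sample is constructed.

```shell
#!/bin/sh
# Added example: bulk-send EnableRemoteDesktop to every member of a Jamf Pro
# advanced computer search (for instance one built on "Remote Management: Not
# Enabled"). Assumed inputs from the environment: JSS_URL, API_USER, API_PASS,
# SEARCH_ID; DRY_RUN=1 only prints the URLs instead of POSTing them.

# Extract computer IDs from the advanced search XML returned by
# /JSSResource/advancedcomputersearches/id/<n>. Only the <computers> section is
# scanned, so the search's own <id> element is not mistaken for a computer.
ids_from_search_xml() {
  printf '%s\n' "$1" | tr -d '\n' | sed 's/.*<computers>//; s/<\/computers>.*//' \
    | grep -o '<id>[0-9]*</id>' | sed 's/<id>//; s/<\/id>//'
}

# Build the Classic API URL for the EnableRemoteDesktop command on one computer.
command_url() {
  # $1 = Jamf Pro base URL without trailing slash, $2 = computer ID
  printf '%s/JSSResource/computercommands/command/EnableRemoteDesktop/id/%s\n' "$1" "$2"
}

# Constructed sample of an advanced search response with two members.
SAMPLE_XML='<advanced_computer_search><id>7</id><name>No Remote Management</name>
<computers><size>2</size>
<computer><id>101</id><name>lab-01</name></computer>
<computer><id>102</id><name>lab-02</name></computer>
</computers></advanced_computer_search>'

# Only talk to a server when a URL was supplied.
if [ -n "${JSS_URL:-}" ]; then
  base=${JSS_URL%/}
  xml=$(curl -sf -u "${API_USER}:${API_PASS}" -H 'Accept: application/xml' \
        "${base}/JSSResource/advancedcomputersearches/id/${SEARCH_ID}")
  for id in $(ids_from_search_xml "$xml"); do
    url=$(command_url "$base" "$id")
    if [ "${DRY_RUN:-0}" -eq 1 ]; then
      echo "would POST $url"
    else
      curl -sf -u "${API_USER}:${API_PASS}" -X POST "$url" >/dev/null && echo "sent to $id"
    fi
  done
fi
```

Run it once with DRY_RUN=1 to confirm the search returns the Macs you expect before sending the commands.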