Configuration Profile to enforce Screen Sharing?

chmp1
New Contributor II

I've looked through jamfnation and the answer has always seemed to be ARD kickstart to enable Screen Sharing. That no longer seems to be viable moving forward starting with 10.14:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Starting...
Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.

I'm not seeing anything about it here either:

https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

Am I missing something or is there no way to enable/disable Screen Sharing in 10.14 without having to physically click around on the computer?

1 ACCEPTED SOLUTION

Hugonaut
Valued Contributor II

https://support.apple.com/en-us/HT201710

For increased security in macOS 10.14, you can only observe with Screen Sharing when you use the kickstart command-line tool. To control the Mac with Screen Sharing, open System Preferences on the target Mac, click Sharing, then select the "Remote Management" checkbox. If Remote Management is already selected, deselect it and select it again.

Being the only JAMF Admin in my organization we are staying at 10.13 for a while. I haven't gotten a chance to deep dive into this article - https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-... - but the following leads me to believe that we will eventually be able to .. AT THE VERY LEAST - during in house assignment and setup - create some sort of GUI script for the system preferences that are no longer scriptable.

Pre-Approval of Apple Events

Jamf Pro administrators using AppleScript workflows prompting user interaction may need to approve the Jamf management framework to communicate with built-in applications and services using the Apple Events service within the Privacy Preferences Policy Control payload. To leverage the restricted Apple Events service, Jamf Pro administrators must provide the identifier type and code requirement for both the sending and receiving application. Common built-in services and apps receiving restricted Apple Events needed for user interaction include the following:

System Events:
- Receiver Identifier: com.apple.systemevents
- Receiver Identifier Type: Bundle ID
- Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple

SystemUIServer:
- Receiver Identifier: com.apple.systemuiserver
- Receiver Identifier Type: Bundle ID
- Receiver Code Requirement: identifier "com.apple.systemuiserver" and anchor apple

Finder:
- Receiver Identifier: com.apple.finder
- Receiver Identifier Type: Bundle ID
- Receiver Code Requirement: identifier "com.apple.finder" and anchor apple

A pre-built configuration profile to approve interaction between the Jamf management framework and these three Apple services can be downloaded from the following link: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles. Upload the configuration profile in Jamf Pro 10.7.1 or later.

In addition, an open source app built by Jamf for the Apple community can help with the identification requirements needed to allow apps to function within the Privacy Preferences Policy Control framework. This app is available on Jamf's GitHub repository: https://github.com/jamf/PPPC-Utility.

Note: An upcoming release of Jamf Pro will provide a built-in way to create and deploy Privacy Preferences Policy Control payloads.

7 REPLIES 7

dgreening
Valued Contributor II

It would be nice if they added ARD/Screen Sharing control to the MDM spec, no? Take away features and only possibly provide replacements when people complain. Classic Apple at this point.

mm2270
Legendary Contributor III

> Am I missing something or is there no way to enable/disable Screen Sharing in 10.14 without having to physically click around on the computer?

You're not missing anything. On newly set up systems running 10.14.x that didn't already have the setting enabled, clicking on the checkbox directly on the Mac in the Pref pane is the only way to enable it, for now. You can thank Apple for that kick in the groin. They really must love us, right?

burdett
Contributor II

A new KB has surfaced, HT209161
Looks like we can use a configuration profile to get back ARD/Screen Sharing control on a Mac that's enrolled in MDM.

pueo
Contributor II

All good, did some more digging and found other sites to help me

Hello All

Has anyone managed to use the Jamf PPPC Utility App to create a profile for Apple Remote Desktop? I believe you need an App or executable file to change the access.

Thanking you.
A.

ryan_ball
Valued Contributor

michaelhusar
Contributor II

We successfully use an API call:

/usr/bin/curl -s -u "$apiUser:$apiPass" "https://yourmdm.com:8443/JSSResource/computercommands/command/EnableRemoteDesktop/id/2327" -X POST
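
A hardened variant of the call in the post above, as an added example (not michaelhusar's or Jamf's code): it validates the computer ID, refuses non-HTTPS base URLs, and hands the credentials to curl on stdin with `--config -` so they never appear in the process argument list. `JAMF_URL`, `JAMF_USER`, `JAMF_PASS` and the function names are assumptions; treating any 2xx status as success is also an assumption.

```shell
#!/bin/sh
# Added example: send the MDM EnableRemoteDesktop command through the
# computercommands endpoint shown in the post, keeping credentials out of argv.
# JAMF_URL, JAMF_USER, JAMF_PASS and all function names are assumptions.

# Build the command URL from a base URL ($1) and a computer ID ($2).
# Rejects IDs that are not purely numeric and base URLs that are not HTTPS.
build_command_url() {
    case "$2" in
        ''|*[!0-9]*) echo "invalid computer id: $2" >&2; return 1 ;;
    esac
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
    printf '%s/JSSResource/computercommands/command/EnableRemoteDesktop/id/%s\n' \
        "${1%/}" "$2"
}

# Emit a curl config line for user ($1) and password ($2). Backslashes and
# double quotes have to be escaped inside a quoted curl config value.
curl_user_config() {
    printf 'user = "%s"\n' "$(printf '%s:%s' "$1" "$2" | sed 's/[\\"]/\\&/g')"
}

# POST the command for computer ID $1. Credentials reach curl on stdin
# (--config -), so they are not visible in `ps` output.
enable_remote_desktop() {
    url=$(build_command_url "$JAMF_URL" "$1") || return 1
    status=$(curl_user_config "$JAMF_USER" "$JAMF_PASS" |
        /usr/bin/curl --silent --config - --request POST \
            --output /dev/null --write-out '%{http_code}' "$url") || return 1
    # Assumption: any 2xx status means the server accepted the command.
    case "$status" in
        2??) return 0 ;;
        *) echo "HTTP $status for computer $1" >&2; return 1 ;;
    esac
}

# Usage (not run here):
#   JAMF_URL=https://yourmdm.com:8443 JAMF_USER=... JAMF_PASS=... \
#       enable_remote_desktop 2327
```
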