Disable everything inside Sharing preferences and enable Screen sharing only.

sudoErase
Contributor

Hello! 

I hope someone can help me with this. I've looked into several other links and it does not seem to work.
We generally have the Sharing preferences disabled in our Jamf using the Config Profile.
We have a certain group of people who need Screen Sharing.

While we can exempt them from Sharing preferences which allows Screen Sharing, this will open up the ability for them to enable File Sharing, Media Sharing, Content Caching, and so on. 

1. Is there a way to keep Sharing preferences disabled and allow only Screen Sharing? 
2. Is there a way to enable Sharing preferences, allow Screen Sharing but disable the rest inside the Sharing preferences (File, Media, Content Caching, Bluetooth, Internet Sharing, Printer Sharing, etc.)?

I've tried the below but it doesn't seem to work. My test machine is on Sonoma.

#!/bin/bash
# Clear the launchd "Disabled" override for the Screen Sharing daemon, then load it
/usr/libexec/PlistBuddy -c 'Set :com.apple.screensharing:Disabled No' /private/var/db/launchd.db/com.apple.launchd/overrides.plist
launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
# Load the per-user Screen Sharing agent for every user with a loginwindow session
for userid in $(ps -Ajc | grep loginwindow | grep -v grep | awk '{print $1}'); do
    if [ "$userid" = "USER" ] ; then
        # "USER" is the ps header row, not a real account
        launchctl load /System/Library/LaunchAgents/com.apple.screensharing.agent.plist
    else
        su "$userid" -c 'launchctl load /System/Library/LaunchAgents/com.apple.screensharing.agent.plist'
    fi
done


1 ACCEPTED SOLUTION

mainelysteve
Valued Contributor II

There are several 14.x and above MDM settings available to selectively enable/disable sharing settings in the restrictions payload. Have you tried those? Tried it myself a short while ago and it does work. The only setting left in that case is Media Sharing. Media sharing could be controlled using an OS firewall rule or at the network level if necessary.


4 REPLIES

mm2270
Legendary Contributor III

@sudoErase wrote:

2. Is there a way to enable Sharing preferences, allow Screen Sharing but disable the rest inside the Sharing preferences (File, Media, Content Caching, Bluetooth, Internet Sharing, Printer Sharing, etc.)?


The short answer is "No". Apple doesn't have any facility in their MDM spec to control which items within the Sharing Preference Pane are allowed and which are not. You can either block the entire Pref pane and everything in it, or open it up. And believe me, a lot of us wish they did have such controls, but it's just not there.

Best you can do is to monitor whether some of the prohibited functions are enabled and then use policies and Smart groups to auto disable them.

For example, you can use Extension Attributes to detect if File Sharing, Media Sharing, Content Caching etc. are enabled. If enabled, the Macs can land into a Smart Group that can have a policy attached to it with an Ongoing frequency that runs a script that turns the feature(s) off.

As for question 1, do you mean turning on Remote Desktop? Because that can be done per device from the Management tab when viewing a computer. There's a built-in button to turn it on. I haven't looked closely enough at the script you're testing to see what might need to be adjusted. But see if the "Enable Remote Desktop" button under the Management tab for a computer does what you want.
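The detect-then-remediate loop described above needs an Extension Attribute that reports which sharing services are on. The script below is an added example, not code from the thread or from Jamf: it parses the output of `launchctl print-disabled system` (output format and the label-to-service mapping are assumptions to verify on your macOS build; com.apple.smbd for File Sharing, com.openssh.sshd for Remote Login, com.apple.AEServer for Remote Apple Events) and prints the prohibited services that are enabled inside Jamf's `<result>` tags, so a Smart Group can key on anything other than "compliant". Screen Sharing is intentionally not in the prohibited list, matching the original question. Media Sharing, Content Caching and Printer Sharing are not launchd-disabled services and would need their own checks. Without `launchctl` (e.g. when run off a Mac) it evaluates a constructed sample instead.

```shell
#!/bin/sh
# Added example (not from the thread): core of a Jamf Extension Attribute that
# reports prohibited sharing services enabled in launchd. Assumed launchd labels:
#   com.apple.smbd     -> File Sharing
#   com.openssh.sshd   -> Remote Login
#   com.apple.AEServer -> Remote Apple Events
# Screen Sharing (com.apple.screensharing) is allowed, so it is not listed.
PROHIBITED="com.apple.smbd com.openssh.sshd com.apple.AEServer"

# Constructed sample of `launchctl print-disabled system` output (format assumed)
# so the script can be exercised on a machine without launchctl.
SAMPLE_PRINT_DISABLED='disabled services = {
    "com.apple.smbd" => enabled
    "com.openssh.sshd" => disabled
    "com.apple.screensharing" => enabled
    "com.apple.AEServer" => enabled
    "com.apple.ftp-proxy" => disabled
}'

# enabled_prohibited "<launchctl output>": prints each prohibited label whose
# state is "enabled", one per line. Empty output means nothing prohibited is on.
enabled_prohibited() {
    out=$1
    for label in $PROHIBITED; do
        # Escape dots so "com.apple.smbd" is matched literally in the sed pattern
        esc=$(printf '%s' "$label" | sed 's/\./\\./g')
        state=$(printf '%s\n' "$out" | sed -n "s/^[[:space:]]*\"$esc\" => \([a-z]*\).*/\1/p")
        [ "$state" = "enabled" ] && printf '%s\n' "$label"
    done
    return 0
}

# ea_result "<launchctl output>": wraps the findings in the <result> tags a Jamf
# Extension Attribute script must print. "compliant" when nothing is enabled.
ea_result() {
    found=$(enabled_prohibited "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$found" ]; then
        printf '<result>compliant</result>\n'
    else
        printf '<result>%s</result>\n' "$found"
    fi
}

# On a Mac, read the live launchd state; elsewhere fall back to the sample.
if command -v launchctl >/dev/null 2>&1; then
    ea_result "$(launchctl print-disabled system)"
else
    ea_result "$SAMPLE_PRINT_DISABLED"
fi
```

With the sample input the script prints `<result>com.apple.smbd com.apple.AEServer</result>`; a Smart Group with the criterion "EA is not compliant" then scopes the Ongoing remediation policy the post describes.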

mainelysteve
Valued Contributor II

There are several 14.x and above MDM settings available to selectively enable/disable sharing settings in the restrictions payload. Have you tried those? Tried it myself a short while ago and it does work. The only setting left in that case is Media Sharing. Media sharing could be controlled using an OS firewall rule or at the network level if necessary.

Thank you so much! This has worked really well.
I did notice that Remote Login is also turned on, as well as the Media Sharing that you mentioned.

Do you have a script or is there somewhere to turn the Remote Login off?


Thank you~

mainelysteve
Valued Contributor II

Shoot, I did just see that. Nothing prebuilt for this, sorry. If you don't use SSH then ensure in your Jamf Pro settings that enabling SSH is not checked. The setting is located in: Computer Management > Check-In > Startup Script > Create startup script. It's disabled by default, or at least should be, but it's worth checking.

After that you can run a policy to turn it off on your endpoints, but you won't be able to discourage busybodies from re-enabling it. Set your policy trigger to whatever works best for you and it will be turned off.

Use the Files and Processes payload in a policy and use the following:

systemsetup -setremotelogin off