We'd like to remove having a local administrator account on our computers but I'm wondering how you might've addressed the issue of SSH/Remote Management/Screen Sharing access in your environments. The obvious answer seems to be a policy to create a temporary Admin and then remove it with another policy when it is done being used, but this isn't viable when there is an immediate need. I'd need to wait for the policy to run before getting access. Thoughts?
If screen sharing is enabled on those devices you should be able to utilize VNC(Google Chome should still support this I believe). Though that's Mac-Mac and both need to be on the same network as far as I'm aware of. I've had some success with other support tools like Beyond Trust. I'm able to remote in on any platform and because it installs a thin-client it doesn't really matter if the machine is on a different network.
What's prompting the need for an ssh or screen sharing session? The end user or someone in your department logging into an unattended machine, or if this is edu a lab machine? If it's the end user what about placing a policy in Self Service that creates local admin account and gives it access to those two services? You'd have to either move it to a static group that runs a policy to remove it or think up some other way to remove the account after the fact.