Enable and Configure Remote Management?

atomason
New Contributor III

I know a lot has changed in the last few years, but is there a way to enable and configure Remote Management without having to physically do this on each device?

I know you can use ARD when you are physically at the device to configure the service, and Jamf Pro has an "Enable Remote Desktop" command. However, the "Enable Remote Desktop" command does not allow for specifying a specific user and what permissions they have. What I would like to do is:

- Enable Remote Management
- Set "Only these users:"
- Add our Management Account
- Set the permissions

Thanks!

NOTE: We are currently doing User-Initiated Enrollments. We are hoping to have access to ABM in the near future.


Discher
New Contributor III

I am currently using this script with success, which sounds like what you want to do. I take no credit for writing it. Good luck!

```bash
#!/bin/bash

# Local account that should end up as the only Remote Management user
LOCALADMIN="youradminaccount"
kickstart=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

echo "Configuring Remote Management"
if id -u "$LOCALADMIN" >/dev/null 2>&1; then
    echo "Defined local admin account exists"
    # Deactivate ARD agent, deny all access
    echo "Deactivating ARD agent"
    "$kickstart" -deactivate -configure -access -off
    echo "Turning off default AllLocalUsers remote management setting"
    defaults write /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers -bool FALSE
    # Remove 'naprivs' key from users configured by ARD's -specifiedUsers flag
    echo "Removing naprivs key from local users"
    RemoteManagementUsers=$(dscl . list /Users naprivs | awk '{print $1}')
    for EnabledUser in $RemoteManagementUsers; do
        echo "--- naprivs removed from $EnabledUser"
        dscl . delete "/Users/$EnabledUser" naprivs
    done
    # Turn ARD back on and enable only the specified LOCALADMIN
    echo "Reconfiguring ARD for only specified users"
    "$kickstart" -configure -allowAccessFor -specifiedUsers
    echo "Setting specified local admin account as sole ARD user"
    "$kickstart" -configure -users "$LOCALADMIN" -access -on -privs -all
    echo "Restarting ARD agent"
    "$kickstart" -activate -restart -agent
    echo "--- Remote management reset; user ${LOCALADMIN} configured for access"
    exit 0
else
    echo "--- ERROR: The specified local admin account does not exist."
    exit 1
fi
```

(edited for formatting)
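Added example, not part of the thread or of the script posted above: a read-only check to run after that script, confirming that only the management account still carries a `naprivs` key and that `ARD_AllLocalUsers` is off. The function names are hypothetical, the sample values are constructed, and it assumes `dscl . list /Users naprivs` prints one `user value` pair per line and that `defaults read` prints `0` for a false boolean.

```shell
#!/bin/bash
# Added example: audit who holds ARD privileges (read-only, changes nothing).

# audit_naprivs EXPECTED_USER  (stdin: output of `dscl . list /Users naprivs`)
# Prints one finding per line; returns 0 only if EXPECTED_USER is the sole
# account with a naprivs key.
audit_naprivs() {
    local expected="$1" user value found=0 rc=0
    while read -r user value; do
        [ -n "$user" ] || continue          # skip blank lines
        if [ "$user" = "$expected" ]; then
            found=1
        else
            echo "UNEXPECTED: $user has naprivs $value"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING: $expected has no naprivs key"
        rc=1
    fi
    return "$rc"
}

# audit_all_local_users VALUE
# VALUE is what `defaults read ... ARD_AllLocalUsers` printed (assumed 0 = off).
audit_all_local_users() {
    case "$1" in
        0) return 0 ;;
        *) echo "ARD_AllLocalUsers is '$1' (expected 0)"; return 1 ;;
    esac
}

# run_audit EXPECTED_USER: the real check, for use on a managed Mac.
run_audit() {
    dscl . list /Users naprivs | audit_naprivs "$1" &&
    audit_all_local_users "$(defaults read \
        /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null)"
}

# Demo on constructed sample input (values are made up for illustration).
printf '%s\n' 'youradminaccount -1073741569' 'student -2147483646' |
    audit_naprivs youradminaccount || true
```

On a Mac, call `run_audit youradminaccount` from a Jamf policy or extension attribute; a non-zero return means the ARD access list has drifted from what the script set.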

 

atomason
New Contributor III

Thank you! I was able to get things mostly working by scraping a few things together using that.