Posted on 04-03-2020 10:26 AM
I'm attempting to remotely set Legacy VNC access on a few Mac desktops on my LAN via Jamf. I'm unable to configure the VNC password properly from a script.
1 If I run a script via a policy...
-The VNC service is activated/enabled (VNC box is ticked in Sharing Pane).
-The password field appears to get set, but it behaves as if the correct password wasn't set. (Can't connect to Mac - client sees an auth error). Failure!
-If I edit the ARD Sharing > VNC pane with the password manually it works again.
2 If I run the exact same script locally on the target Mac with sudo...
-VNC is configured correctly, and password is set correctly. VNC works. Success!
3 If I enable VNC as a one-liner as a "Files and Processes" payload (no script)...
-The VNC service is activated/enabled (VNC box is ticked in Sharing Pane).
-The password field appears to get set, but it behaves as if the correct password wasn't set. (Can't connect to Mac - client sees an auth error). Failure!
-If I edit the ARD Sharing > VNC pane with the password manually it works again.
4 If I configure the password manually in the ARD Sharing GUI...
-VNC is configured correctly, and VNC connections work great (password is set correctly). Success!
5 If I run the ARD commands over SSH as a one-liner with sudo...
-The VNC service is activated/enabled (VNC box is ticked in Sharing Pane).
-The password field appears to get set, but it behaves as if the correct password wasn't set. (Can't connect to Mac - client sees an auth error). Failure!
-If I edit the ARD Sharing > VNC pane with the password manually it works again.
6 If I stage the script in a package and deploy it to /tmp on the target Mac, and then execute the local script via a Jamf policy "Files and Processes" payload...
-Package installs the script into /tmp with correct execute permissions.
-Local script in /tmp is executed by Jamf.
-The VNC service is activated/enabled (VNC box is ticked in Sharing Pane).
-The password field appears to get set, but it behaves as if the correct password wasn't set. (Can't connect to Mac - client sees an auth error). Failure!
-If I edit the ARD Sharing > VNC pane with the password manually it works again.
7 If I configure a Mac manually for VNC via the Sharing GUI and copy the resulting /Library/Preferences/com.apple.VNCSettings.txt (password hash file) and create a package from this file, then deploy it to target Macs (and then run the Kickstart command as a "Files and Processes" payload)...
-VNC is configured correctly, and VNC connections work great (password is set correctly). Success!
-HUGE downside here is that the com.apple.VNCSettings.txt file would be deployed with the same password on each Mac (as opposed to a unique password based on serial number or some other arbitrary value, etc.).
-Thanks to Eric Hemmeter on Slack for spit-balling this with me.
Notes:
-Legacy VNC is restricted to max 8 characters.
-Results are the same for both Catalina 10.15.4 and Mojave 10.14.6.
-This is either a bug or an undocumented restriction by Apple. TCC?
-Behavior is the same in bash and zsh.
-It looks to me like the password is mangled. I can verify this because the Sharing > VNC pane obfuscates the password.
-I'm referring to legacy VNC here, not Screen Sharing or ARD Remote Management per se. Both ARD and Screen Sharing are working fine, but in this situation I need legacy VNC.
Here is the syntax to enable and configure Legacy VNC:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw password
Please advise and thanks!
Posted on 04-07-2020 09:15 PM
Thanks for writing this up. Very useful. Our problem now is that we do not have physical access to the Macs we are trying to access remotely. Were you able to figure out how to get this to work over SSH? You would think items 2 and 6 would have the same result.
I was able to get to one Mac that had Chrome Remote Desktop installed and we've been using Jamf Remote to jump off from that one Mac to configure the VNC settings.
Posted on 04-08-2020 08:21 AM
I ended up writing a script that can enable VNC, and then set the password by generating the VNC password hash file that lives here: /Library/Preferences/com.apple.VNCSettings.txt
The script just echoes out the hash of my 8-char password. This file can be deployed via pkg (mentioned above) or script. I opted for a script so I can change the password on the fly and not have to rebuild a pkg each time.
-Locate an admin Mac to work on.
-Disable Legacy VNC. Does not affect ARD/Screen Sharing.
-Delete the /Library/Preferences/com.apple.VNCSettings.txt file (if it exists).
-Enable Legacy VNC, and set an 8-char password in Sharing pane GUI (or local CLI).
-Open the newly-generated com.apple.VNCSettings.txt file and copy the 32-char hash. This file contains a single line.
-Create a script that can generate the com.apple.VNCSettings.txt file and echo the hash to the file. Note the POSIX permissions are 400 (r--------) and owner is root:wheel.
-Upload script to Jamf and build a policy, etc.
-Test policy/script on a clean Mac client.
I also created a simple EA that can report the Legacy VNC status:
defaults read /Library/Preferences/com.apple.RemoteManagement.plist VNCLegacyConnectionsEnabled (returns a bool 1 or 0)
If anyone out there is using Apache Guacamole for HTML5-based legacy VNC for Macs, please chime in: I'd like to pick your brain. link
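As an added example (not the poster's script), here is a POSIX sh sketch of the deploy step described in the post above: it writes a pre-generated hash to com.apple.VNCSettings.txt with the mode and owner the post notes (400, root:wheel), enables legacy VNC via kickstart, and folds in the VNCLegacyConnectionsEnabled check from the EA. VNC_HASH is a placeholder for the 32-char hash copied from a manually configured Mac; valid_hash, write_vnc_settings and legacy_vnc_status are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: deploy a pre-generated legacy VNC
# password hash with mode 400, owner root:wheel, then enable legacy VNC.
set -eu
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
RM_PLIST=/Library/Preferences/com.apple.RemoteManagement.plist
VNC_SETTINGS=/Library/Preferences/com.apple.VNCSettings.txt
# Placeholder: replace with the 32-char hash copied from a Mac configured
# via the Sharing pane (see the steps above), or pass it in the environment.
VNC_HASH="${VNC_HASH:-00000000000000000000000000000000}"

# The file holds exactly one 32-char hex line; anything else is a mangled
# hash, which is the symptom seen in the thread (service on, auth errors).
valid_hash() {
  case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
  [ "${#1}" -eq 32 ]
}

# Write the settings file atomically: create it next to the destination with
# mode 400, owned by uid 0/gid 0 (root:wheel on macOS) when running as root,
# then rename into place. The path is a parameter so the function can be
# exercised against a scratch directory.
write_vnc_settings() {
  vnc_hash="$1"; dest="$2"
  valid_hash "$vnc_hash" || { echo "refusing to write invalid hash" >&2; return 1; }
  tmp="$(mktemp "${dest}.XXXXXX")"
  printf '%s\n' "$vnc_hash" > "$tmp"
  chmod 400 "$tmp"
  if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$tmp"; fi
  mv -f "$tmp" "$dest"
}

# Map the 1/0 that `defaults read ... VNCLegacyConnectionsEnabled` returns
# (the poster's EA) to a readable status.
legacy_vnc_status() {
  case "$1" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

main() {
  write_vnc_settings "$VNC_HASH" "$VNC_SETTINGS"
  "$KICKSTART" -configure -clientopts -setvnclegacy -vnclegacy yes
  legacy_vnc_status "$(defaults read "$RM_PLIST" VNCLegacyConnectionsEnabled)"
}

# Only deploy on a Mac as root; elsewhere the functions are just defined.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then main; fi
```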