Enable Remote Control to Big Sur

Networld
New Contributor

Hi,

I am trying to enable Remote Control for Big Sur with a script. I tried this:

 

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -allowAccessFor -specifiedUsers
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users admin -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -RestartShutDown -SendFiles -ChangeSettings
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent -menu
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate

 

With Apple Remote Desktop I have a black screen. I ran this command:

tccutil reset ScreenCapture

 

No more black screen. But I can observe, but not control! 😅


J_Mukite
New Contributor III

You cannot enable this via a script with Big Sur. It has to be an MDM command. For a quick fix, go into Jamf Pro / Management Commands / Disable Remote Desktop and then enable it again. This will keep all the settings from your script in place and will actually allow you to remote into the device. At least that works for me. Hope that helps.

swhps
Contributor III

How do you automate that?  We have to toggle that setting for each machine? 

J_Mukite
New Contributor III

I only do this on an as-needed basis, not every machine. It only takes a few seconds and I don't mind it. I don't believe you can do this en masse in the Jamf Pro UI. You might be able to do it with the Jamf Pro API. I'll see what I can find out.

Did you get that working?  I'm trying to EnableRemoteDesktop through the API but I get an error "The method specified in the request is not allowed for the resource identified by the request URI".

MNussbaum
New Contributor III

Ever have any luck with this? Would be nice if there is a command we can trigger from the computer to automate this on the MDM side versus having to manually click the button.

Chiming in, I would really like to be able to automate this. I did some research and it is possible to run it as a script. I am not good with scripting but this is my logic:

- Export UUID of the devices from Smart Group via API

- Flatten the UUIDs into an XML

- Apply to a script like this and change the lines to "/computercommands/commands/EnableRemoteDesktop" as per API doc

 https://gist.github.com/talkingmoose/f2fbca97b3b5b58d4192be1e2f326eff

https://github.com/rtrouton/rtrouton_scripts/blob/main/rtrouton_scripts/Casper_Scripts/clear_failed_...

 

That's pretty much what I did. I used PowerShell since that's what we have to use here on our job server. It runs several times per day and scans a smart group called "Remote Desktop Not Enabled" and calls that API. The script is a bit long and uses functions from my script library, but the meat of it looks like:

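# $Header, $Site and $ID are defined elsewhere in the full script
$Params = @{ "URI" = ""; "Method" = 'GET'; "ContentType" = 'application/xml'; "Header" = $Header }
# Classic API endpoint that sends the EnableRemoteDesktop command to computer $ID
$Params.URI = 'https://' + $Site + '/JSSResource/computercommands/command/EnableRemoteDesktop/id/' + $ID
$Params.Method = 'POST'
$Params.ContentType = 'text/xml'
# Send the request and parse the XML response
[XML]$result = Invoke-RestMethod -NoProxy @Params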
 
I think the curl equivalent of that would look like this (I haven't tested this):
/usr/bin/curl -s -u "$jamfUsername:$jamfPassword" https://mysite.jamfcloud.com/JSSResource/computercommands/command/EnableRemoteDesktop/id/$ID -X POST # NOTE capital letters for POST

I am thinking more in line with running it as a script on the client's computer once a day. That should be more manageable for me since I don't need to pull a Smart Group and make an XML out of it. I can supply the API credentials in the policy parameters to avoid putting them in the script.

So do all of your users have Jamf accounts with permissions to execute that API?  Or would you be including the username and password of an admin-level account in the script?

The script will be deployed via a policy and JAMF will run the script as root. I have set up a few JAMF accounts specifically for API calls and sending MDM commands. I just have to make the script use the API account credentials from the script parameters in the policy, and the script will pull the UDID of the computer it is run on, then run an API call to JAMF to send the EnableRemoteDesktop command.

That's my theory anyways, I have not written anything of this calibre so I might not do it after all. It's likely cheaper to find a new guy in my department to make this a daily duty. 🤣
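
The approach described in the post above (a policy script run as root that takes the API credentials from policy parameters, looks up the Mac it runs on and sends EnableRemoteDesktop), as an added example that is not code from any poster in this thread. It assumes parameter 4 is the Jamf Pro URL, parameters 5 and 6 belong to a dedicated API account, and Classic API basic authentication as in the snippets above; the function names are made up here.

```sh
#!/bin/sh
# Added example, not from the thread. Jamf passes policy script parameters as $4 onward.
# Assumed layout: $4 = Jamf Pro URL, $5 = API user, $6 = API password.

# Accept only a well-formed hardware UUID before it is placed in a URL path.
valid_udid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Extract the numeric <general><id> from the computer record XML; prints nothing otherwise.
computer_id_from_xml() {
  printf '%s' "$1" | sed -n 's:.*<general><id>\([0-9][0-9]*\)</id>.*:\1:p' | head -n 1
}

# Escape backslashes and double quotes for a quoted value in a curl config file.
esc() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Emit a curl config line so the credentials reach curl on stdin instead of in
# its argument list, where any local user could read them with ps.
curl_config() { printf 'user = "%s:%s"\n' "$(esc "$1")" "$(esc "$2")"; }

# Authenticated Classic API call: api METHOD URL
api() {
  curl_config "$api_user" "$api_pass" |
    curl --silent --fail --config - --header 'Accept: text/xml' --request "$1" "$2"
}

main() {
  base=${4%/}; api_user=$5; api_pass=$6
  case $base in https://*) ;; *) echo "Jamf URL must be https://" >&2; return 1 ;; esac
  udid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ {print $4}')
  valid_udid "$udid" || { echo "unexpected hardware UUID: $udid" >&2; return 1; }
  # Map this Mac's UUID to its Jamf computer ID.
  xml=$(api GET "$base/JSSResource/computers/udid/$udid") ||
    { echo "computer lookup failed" >&2; return 1; }
  id=$(computer_id_from_xml "$xml")
  [ -n "$id" ] || { echo "no computer ID in API response" >&2; return 1; }
  # Same endpoint as the PowerShell and curl snippets in the thread.
  api POST "$base/JSSResource/computercommands/command/EnableRemoteDesktop/id/$id" >/dev/null ||
    { echo "EnableRemoteDesktop request failed" >&2; return 1; }
  echo "EnableRemoteDesktop queued for computer ID $id"
}

# Run only when Jamf supplied all three parameters.
if [ -n "${4:-}" ] && [ -n "${5:-}" ] && [ -n "${6:-}" ]; then main "$@"; fi
```

Policy parameters stay readable in the Jamf Pro policy and are handed to the script as arguments on the client, so the API account should hold no privileges beyond this lookup and command.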

scottwertz
New Contributor

A Jamf policy.  Gee, why didn't I think of that?  Need...more...coffeeee.....