Enable remote management (full control) in Mojave??

taugust04
Valued Contributor

So...

Prepare your institution for iOS 12 or macOS Mojave
https://support.apple.com/en-us/HT209028

"For increased security, using the kickstart command to enable remote management on a Mac will only allow you to observe it when sharing its screen. If you wish to control the Mac while sharing its screen, enable remote management in System Preferences."

So any thoughts on how we can enable full control Apple Remote Desktop management in 10.14? Some of us still have computer labs to manage. I know JAMF Remote provides some of this functionality, but the full console where you see all your systems in Apple Remote Desktop still hasn't been replicated nicely by a third party product.

It's hard to believe how many more things we now need to enable manually in the year 2018 for the sake of security. I remember the good old days where I could just schedule a re-image of an entire lab without any intervention... sigh... Apple really needs DEP to catch up with the security policies they keep rolling out...


tnielsen
Valued Contributor

@sullrich, there are no different results. People did not test thoroughly.

There are two situations:
1) Computer was upgraded to Mojave, in which case the settings carry over and everything is great. Works
2) New computer, you cannot script enable ARD CONTROL. Keyword, control won't work but you can view, using the old commands.

Simply checking and unchecking the Remote Management box in system preferences is a fix.

I was doing some testing on this today and I'm willing to bet money you can get this script enabled. I bet it can be done with applescript. Keep trying boys!

dstranathan
Valued Contributor II

@tnielsen

So the kickstart commands can still enable all functionality other than screen sharing/control options? Packages can still be installed, Scripts run, ARD fields populated, etc?

Can you clarify - not working for me.

Clicking in the preference pane is not a viable option in my environment (plus, I lock the Sharing pref pane anyway).

I contacted my rep. No feedback yet.

taugust04
Valued Contributor

Does Jamf Remote screen sharing work in Mojave on a system that doesn't have remote management already manually enabled? From 10.7.1 release notes:

Further Considerations Because of increased user data protections with macOS 10.14, you cannot enable remote management remotely using the SSH protocol. To enable remote management on computers with macOS 10.14, the user must click the Screen Sharing checkbox in System Preferences.

I haven't had a chance to test yet as I haven't enrolled a factory install of Mojave into Jamf Pro yet. Added to the list.

fidg0010
New Contributor II

Would be interested to see what people come up with, we have a fleet of ~650 macOS machines of varying ages and we use Bomgar as our remote desktop software.

It seems that we have the same issue as everyone else: we can view but can't control natively on 10.14.

I haven't looked into whether JAMF Pro 10.7.1 allows any extra control of this or not; it certainly can't be done in 10.4.1.

Eigger
Contributor III

It seems Apple has a longer-term strategy/roadmap that they aren't ready to reveal. Over the years I've noticed they take these small steps which seem counterproductive at the time, but once the grander vision rolls out over the next months/years it starts to make sense, or at least you can see why they did those things.

To comment on what @jwojda posted above, I heard a rumor that the Classroom App will be able to control Macs and iOS devices simultaneously soon. (The Classroom App for Macs to control iPads is already out, I believe.) This is exciting news for EDU. We are currently using Impero Edu Pro; it's usable, but still buggy and slow. If the Classroom App can do the same thing Impero does natively, I can't wait!

JesseNCSD
New Contributor III

@dstranathan

So the kickstart commands can still enable all functionality other than screen sharing/control options? Packages can still be installed, Scripts run, ARD fields populated, etc? Can you clarify - not working for me.

The behavior you're seeing is view screen only, all other functionality is no-go?

a_stonham
Contributor II

Here is what I am getting on a fresh install of 10.14.0 on a DEP-enrolled Mac. Fully formatted drive and clean install from USB. Remote control is working.

Executing Policy ANZ: Enable ARD
Running script EnableARD...
Script exit code: 0
Script result: Clearing ARD Settings
Starting...
Removed remote control privileges for all users.
Done.
Starting...
Setting allow all users to NO.
Done.
Starting...
local-admin: Set user remote control privileges.
local-admin: Set user remote access.
jamfmgmt: Set user remote control privileges.
jamfmgmt: Set user remote access.
Done.
No admin group specified skipping directory authentication config
Starting...
Set the client options.
Done.
Starting...
Activated Remote Management.
Stopped ARD Agent.
Done.

Here is my script:

#!/bin/bash
###################################################################################################
#
#   enableARD.sh Ashley Stonham <reddrop>
#   v1.0 - 06/12/2016
#
#   Enables ARD for specified users and optionally configures for
#   directory based authentication.
#
#   Jamf script parameters: $4 = extra admin user(s), $5 = comma-separated directory group(s)
#
###################################################################################################

ADMINUSER="$4"
ADMINGROUP="$5"
DEFAULTADMIN="jamfmgmt"
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"


createARDAdminGroup() {
    # Create the local ard_admin group only if it does not exist yet
    if ! dscl . -read /Groups/ard_admin > /dev/null 2>&1; then
        echo "Creating group ard_admin"
        dseditgroup -o create -r "ARD Admins" ard_admin
    else
        echo "Group ard_admin already exists"
    fi
}


addAdminGroupToARD_admin() {
    # Nest each comma-separated directory group inside the local ard_admin group
    echo "Adding $ADMINGROUP to ard_admin"
    SAVEIFS=$IFS
    IFS=$'\n'
    ADMINGROUPS=$(echo "$ADMINGROUP" | tr "," "\n")
    for AGROUP in $ADMINGROUPS; do
        echo "GROUP; $AGROUP"
        dseditgroup -o edit -a "$AGROUP" -t group ard_admin
    done
    IFS=$SAVEIFS
}


if [ "$ADMINUSER" == "" ]; then
    echo "No admin user specified"
    ADMINUSER="$DEFAULTADMIN"
else
    ADMINUSER="$ADMINUSER,$DEFAULTADMIN"
fi


echo "Clearing ARD Settings"
"$KICKSTART" -uninstall -settings


# ENABLE ARD FOR DEFAULT ADMINS
"$KICKSTART" -configure -allowAccessFor -specifiedUsers
"$KICKSTART" -configure -users "$ADMINUSER" -access -on -privs -all


if [ "$ADMINGROUP" == "" ]; then
    echo "No admin group specified skipping directory authentication config"
    "$KICKSTART" -configure -clientopts -setreqperm -reqperm yes
else
    createARDAdminGroup
    addAdminGroupToARD_admin
    "$KICKSTART" -configure -users ard_admin -access -on -privs -all
    "$KICKSTART" -configure -clientopts -setreqperm -reqperm yes -setdirlogins -dirlogins yes
fi

"$KICKSTART" -activate -restart -agent

exit 0

It could possibly be because I am using ard_admin groups rather than specifying the users. Apple might have overlooked that hole and it will be patched eventually.

If I try to run the script locally on my machine it fails. It only works when pushed out via Jamf.

I do also have the Jamf Config profile to allow the Jamf Agent increased privacy controls and I am also running 10.7.1.
Privacy Control Config Profile here: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles

allanp81
Valued Contributor

Tried your script and still get the warning that it can't be enabled.

Maybe it works for DEP enrolled devices only? I can't test this yet unfortunately.

a_stonham
Contributor II

If I try to run the script locally on my machine I can't. It only works via Jamf.

I do also have the Jamf Config profile to allow the Jamf Agent increased privacy controls and I am also running 10.7.1.
Privacy Control Config Profile here

a_stonham
Contributor II

I just tried on a non-DEP-enrolled Mac and it showed the warning. So it looks like DEP is the reason it is working for some and failing for others.
However, despite getting the warning I was still able to remotely control the Mac.

taugust04
Valued Contributor

Just wanted to come back and post this article here in case anyone else is searching for it:

Use the kickstart command-line utility on macOS Mojave 10.14
https://support.apple.com/en-us/HT209161

If the device is enrolled in MDM, kickstart can still be used to enable full remote control with the addition of a Privacy Preferences Policy Control payload.

cjacksonuk
New Contributor

Maybe there is something here... the beginnings of some way in... perhaps!
https://www.sentinelone.com/blog/mojaves-security-hardening-user-protections-bypassed/

allanp81
Valued Contributor

@taugust04

Do you have some pointers on how you are achieving this? I'm reading through the Jamf docs about preparing for Mojave but my brain must be stuck this morning as I can't get my head around it.

*Never mind, I've managed to get it working :)

ryan_ball
Valued Contributor

For those who are interested, this is how I've accomplished this.

1. Download tccprofile.py
2. Unzip the archive
3. Open terminal
4. cd into the unzipped archive's folder where tccprofile.py exists
5. Run the following command:

./tccprofile.py --pe /System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent --allow --payload-description="Enables ARD Kickstart on MacOS 10.14 Mojave" --payload-identifier="com.mygreatcompany.com" --payload-name="Enable ARD Kickstart" --payload-org="My Great Company" --payload-version="1" -o ~/Desktop/Enable_ARD_Kickstart.mobileconfig

6. On your Desktop open the Enable_ARD_Kickstart.mobileconfig file in your text editor of choice
7. Change the following lines:

<key>Identifier</key>
<string>/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent</string>
<key>IdentifierType</key>
<string>path</string>

TO

<key>Identifier</key>
<string>com.apple.screensharing.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>

8. Save the changes you've made
9. Upload the profile into your Jamf Pro Server
10. Enter whatever name/description you want
11. Deploy to test systems

The resulting installed profile should look like this: [screenshot]

tnielsen
Valued Contributor

Thank you Ryan Ball. Where do I send the bitcoins?

mwilkerson
New Contributor III

@ryan.ball When I have this config profile applied to a test machine, I'm not seeing "Screen Sharing" enabled in System Prefs > Sharing. Should it be enabled and grayed out?

Correction: ID10T error... have to also run the kickstart command in conjunction with the config profile... got it.

UESCDurandal
Contributor II

@ryan.ball I've created the configuration profile and deployed to my test 10.14.1 Macs. However, I'm still unable to kickstart full ARD with the following command. Are you using a different kickstart command?

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users localadminuser -privs -all -restart -agent -menu

ryan_ball
Valued Contributor

@UESCDurandal I copied your exact command and just changed the username, and I get the warning, but it does check the remote management box in System Preferences and when I run the following command, I can see my account has ARD access:

dscl . -list /Users dsAttrTypeNative:naprivs

UESCDurandal
Contributor II

Must have had something odd with my config profile. Rerunning your instructions and applying again is working for me. Thanks, @ryan.ball !

IT-Chris
New Contributor III

From Ryan Ball's post:
I was able to do the kickstart as a policy and that works, but no command that is documented will add full control to all users or even a single user. Anyone figure out a new way to add the control???

allanp81
Valued Contributor

@pranzinic You can use the kickstart command just fine if you add a config profile to allow it. I've tested this with Mojave using the same commands to enable screen sharing for the admin user and it works great.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Screen Sharing Enable</string>
            <key>PayloadDisplayName</key>
            <string>Screen Sharing Enable</string>
            <key>PayloadIdentifier</key>
            <string>63DFC01F-E3AF-43FD-941C-317AA4309C33</string>
            <key>PayloadOrganization</key>
            <string>Kingston University</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>C99E0187-FB1B-4F5A-A14B-344F9E2C59C9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>PostEvent</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.screensharing.agent" and anchor apple</string>
                        <key>Comment</key>
                        <string>Allow Control mode when starting Remote Management via kickstart</string>
                        <key>Identifier</key>
                        <string>com.apple.screensharing.agent</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Screen Sharing Enable</string>
    <key>PayloadDisplayName</key>
    <string>Screen Sharing Enable</string>
    <key>PayloadIdentifier</key>
    <string>63DFC01F-E3AF-43FD-941C-317AA4309C33</string>
    <key>PayloadOrganization</key>
    <string>Kingston University</string>
    <!-- The top-level PayloadType of a profile is always "Configuration"; the TCC payload type belongs on the inner payload above. -->
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>B8711922-EB7B-4BB3-A9AF-B430CFB3ED97</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadScope</key>
    <string>System</string>
</dict>
</plist>
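A way to generate the profile that ryan_ball's tccprofile.py steps and allanp81's plist above arrive at, as an added example that is neither the thread's own code nor tccprofile.py: it emits the TCC payload in the bundleID form (the change step 7 makes by hand) and checks an existing .mobileconfig for that form. The organization, identifier and display name are assumptions.

```python
import plistlib
import uuid

# Added example, not code from this thread or from tccprofile.py: builds the
# PPPC profile the thread converges on and checks a .mobileconfig for the
# bundleID form that step 7 of the tccprofile.py instructions fixes by hand.
TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
SCREENSHARING_AGENT = "com.apple.screensharing.agent"
# Code requirement as it appears in the profile posted in the thread.
SCREENSHARING_REQ = 'identifier "com.apple.screensharing.agent" and anchor apple'

def tcc_service_entry(bundle_id, code_requirement, comment):
    """One Services/<service> entry in bundleID form (tccprofile.py --pe emits
    the path form, which the thread found does not unlock control)."""
    return {"Allowed": True, "CodeRequirement": code_requirement,
            "Comment": comment, "Identifier": bundle_id,
            "IdentifierType": "bundleID"}

def build_ard_pppc_profile(org, identifier, name="Enable ARD Kickstart"):
    """Profile dict with one TCC payload granting PostEvent (control, not just
    observe) to the screen-sharing agent. org, identifier and name are
    caller-supplied assumptions, not values from the thread."""
    desc = "Allow Control mode when starting Remote Management via kickstart"
    payload = {
        "PayloadType": TCC_PAYLOAD_TYPE,
        "PayloadIdentifier": identifier + ".tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadDescription": desc,
        "PayloadOrganization": org,
        "Services": {"PostEvent": [
            tcc_service_entry(SCREENSHARING_AGENT, SCREENSHARING_REQ, desc)]},
    }
    return {
        "PayloadContent": [payload],
        "PayloadDisplayName": name,
        "PayloadDescription": desc,
        "PayloadIdentifier": identifier,
        "PayloadOrganization": org,
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",  # PPPC profiles must be installed at device level
    }

def to_mobileconfig(profile):
    """Serialize to the XML plist bytes a .mobileconfig file contains."""
    return plistlib.dumps(profile)

def grants_kickstart_control(mobileconfig_bytes):
    """True only if a system-scoped TCC payload allows PostEvent for the agent
    by bundle ID with a code requirement; a path-form entry fails this."""
    profile = plistlib.loads(mobileconfig_bytes)
    if profile.get("PayloadScope") != "System":
        return False
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD_TYPE:
            continue
        for entry in payload.get("Services", {}).get("PostEvent", []):
            if (entry.get("Allowed") is True
                    and entry.get("Identifier") == SCREENSHARING_AGENT
                    and entry.get("IdentifierType") == "bundleID"
                    and entry.get("CodeRequirement")):
                return True
    return False
```

Write `to_mobileconfig(build_ard_pppc_profile(...))` to a file and upload it to Jamf Pro as a computer-level profile; as the thread notes, it only takes effect together with the kickstart command.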

Chuey
Contributor III

I created the mobileconfig as described.

In terminal output when I monitor my script I see this:

Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.

I understand this is just a warning -- will it always say this regardless of the config profile?

nberanger
Contributor

@ryan.ball

Thanks for the steps sir. When I tried them, the "Remote Management" box was 100% checked off. However, when I clicked on "Options", no options were actually selected.

ryan_ball
Valued Contributor

@nberanger The profile has to be used in conjunction with the kickstart command (using one of the posted scripts from above):

# $privs (e.g. -all) and $targetUsername are set earlier in the script this is taken from
echo "Enabling Apple Remote Desktop Agent..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
echo "Setting Remote Management Privileges for User: $targetUsername ..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs $privs -users $targetUsername

damienbarrett
Valued Contributor

I'm having the same problem as @nberanger above. I have a PPPC mobileconfig in place on a Mojave system. When I execute the kickstart command locally (i.e. I go into Terminal as a logged-in user and paste in the command), it executes and all boxes are checked in "Options" in Sharing, but when I put the same kickstart command into a script in the JSS, attach the script to a policy and execute it, the script runs without errors, but then no boxes are checked in "Options" in the Sharing pane.

What am I missing? I've tried making the script execute as part of a recurring policy and also during login/logout.

The PPPC mobile config profile must be correct, or when I manually run the kickstart command in Terminal, it would fail, but it works. The PPPC config profile is successfully allowing full permissions for my admin user, as it's supposed to.

damienbarrett
Valued Contributor

@nberanger and I spent quite a long time today working on this problem. I admit I still don't fully understand the syntax of the kickstart command, but I did read that some of the kickstart options need to be separate commands and called separately. So, in the end, there was nothing wrong with my PPPC config profile. It was the logic/syntax of my ARD kickstart command. Here is what I ended up using in a script that, when run on a 10.14 machine where the PPPC config profile is in place, checks all the boxes in Sharing --> Remote Management --> Options:

#!/bin/bash

## Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes

## Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

exit 0

You should pretty easily be able to alter this if you want to limit full control to just a single user instead of all users (on the system).

Thank you, @nberanger . If you're at PSU MacAdmins this year, I will buy you a beer (or beverage of your choice).

nberanger
Contributor

I've been testing the script/workflow that @damienbarrett and I came up with last week, and it does appear to be working 100% of the time. Hope it helps out some more of you out there :-)

j_meister
Contributor II

Great guys, thank you so much, enabling remote management works again on macOS Mojave!

I just created a .mobileconfig file with allanp81's config and created a script with damienbarrett's code and it just works! thumbsup

jalcorn
Contributor II

Is there a way we can get rid of that icon in the tool bar via script?

allanp81
Valued Contributor

Try:

defaults write /Library/Preferences/com.apple.RemoteManagement LoadRemoteManagementMenuExtra -bool false

jalcorn
Contributor II

Crushed it, @allanp81

AVmcclint
Honored Contributor

I seem to remember older versions of ARD would let you build a package with the ARDAgent in it and pre-define settings. Then you could take that package and install it on any Mac you wanted to control. I wish that still existed. We could take that package and make it install from Jamf Pro at enrollment. Does anyone know how that package was created? Maybe we can reverse engineer it? I'm guessing Mojave's tighter controls would probably block it from working anyway.

szultzie
Contributor II

FYI, I don't see this issue in my build process and I use the kickstart command. No configuration profiles for PPPC either.

I run the following command in a policy with a Files and Processes payload; it runs at startup. We also have a nightly reboot of our lab machines, so if someone happens to mess with it, it goes back. Faculty or 1-to-1 machines reboot weekly, but we always reboot them before clients get them, so it just works.

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users MyARDAccount -privs -all -restart -agent -menu

Hope this helps someone.

I will also say I didn't read through every comment, so someone may have already gotten it to work.

-Peter

j_meister
Contributor II

As far as I understand the release notes of Jamf Pro 10.11.0, it is now possible to enable Remote Control via command.

"You can now send the Enable/Disable Remote Desktop command for computers with macOS 10.14.4 or late...

Can anybody of you acknowledge that? As we are currently at 10.10.1 I cannot test it.

Sandy
Valued Contributor II

[screenshot]

Gascolator
New Contributor III

I can confirm you can enable remote desktop via remote commands in 10.11.1 for computers on 10.14.4. Now that this is an option, is there any way to automate this as part of deployment? Or am I going to have to go in after deployment and push the command?

j_meister
Contributor II

Thanks Sandy!

hrhnick
New Contributor III

Also curious if this can be automated during deployment?

Andy_McCaskill
Contributor

Since a few of you are asking for how to automate this process, Apple Support has an article explaining this new(ish) process. Keep in mind I think you need JAMF 10.11 or higher to have the features this article is talking about for the privacy config profile settings.

Use the kickstart command-line utility on macOS Mojave 10.14

jared_f
Valued Contributor

Yes, it is possible to automate this by pushing the PPPC and tying the kickstart command to a smart group of computers that have the profile installed. We update inventory every half an hour so time isn't of the essence.