Posted on 09-01-2018 07:13 PM
So...
Prepare your institution for iOS 12 or macOS Mojave
https://support.apple.com/en-us/HT209028
"For increased security, using the kickstart command to enable remote management on a Mac will only allow you to observe it when sharing its screen. If you wish to control the Mac while sharing its screen, enable remote management in System Preferences."
So any thoughts on how we can enable full control Apple Remote Desktop management in 10.14? Some of us still have computer labs to manage. I know JAMF Remote provides some of this functionality, but the full console where you see all your systems in Apple Remote Desktop still hasn't been replicated nicely by a third party product.
It's hard to believe how many more things we now need to enable manually in the year 2018 for the sake of security. I remember the good old days where I could just schedule a re-image of an entire lab without any intervention... sigh... Apple really needs DEP to catch up with the security policies they keep rolling out...
Posted on 09-26-2018 03:08 PM
@sullrich, there are no different results. People did not test thoroughly.
There are two situations:
1) Computer was upgraded to Mojave, in which case the settings carry over and everything is great. Works
2) New computer, you cannot script enable ARD CONTROL. Keyword, control won't work but you can view, using the old commands.
Simply checking and unchecking the Remote Management box in system preferences is a fix.
I was doing some testing on this today and I'm willing to bet money you can get this script enabled. I bet it can be done with applescript. Keep trying boys!
Posted on 09-26-2018 06:08 PM
So the kickstart commands can still enable all functionality other than screen sharing/control options? Packages can still be installed, Scripts run, ARD fields populated, etc?
Can you clarify - not working for me.
Clicking in the preference pane is not a viable option in my environment (plus, I lock the Sharing pref pane anyway).
I contacted my rep. No feedback yet.
Posted on 09-26-2018 06:23 PM
Does Jamf Remote screen sharing work in Mojave on a system that doesn't have remote management already manually enabled? From 10.7.1 release notes:
Further Considerations Because of increased user data protections with macOS 10.14, you cannot enable remote management remotely using the SSH protocol. To enable remote management on computers with macOS 10.14, the user must click the Screen Sharing checkbox in System Preferences.
I haven't had a chance to test yet as I haven't enrolled a factory install of Mojave into Jamf Pro yet. Added to the list.
Posted on 09-26-2018 06:29 PM
Would be interested to see what people come up with; we have a fleet of ~650 macOS machines of varying ages and we use Bomgar as our remote desktop software.
It seems that we have the same issue as everyone else: we can view but can't control natively on 10.14.
I haven't looked into whether JAMF Pro 10.7.1 allows any extra control of this or not; it certainly can't be done in 10.4.1.
Posted on 09-26-2018 07:35 PM
It seems Apple has a longer-term strategy/roadmap that they aren't ready to reveal. Over the years I've noticed they take these small steps which seem to be counterproductive at the time, but once the grander vision rolls out over the next months/years it starts to make sense, or at least you can see why they did those things.
To comment on what @jwojda posted above, I heard a rumor that the Classroom App will be able to control Macs and iOS devices simultaneously soon. (Classroom App for Macs to control iPads is already out, I believe.) This is exciting news for EDU. We are currently using Impero Edu Pro; it's usable, but still buggy and slow. If Classroom App can do the same thing Impero does natively, I can't wait!
Posted on 09-27-2018 07:15 AM
@dstranathan
So the kickstart commands can still enable all functionality other than screen sharing/control options? Packages can still be installed, Scripts run, ARD fields populated, etc? Can you clarify - not working for me.
The behavior you're seeing is view screen only, all other functionality is no-go?
Posted on 09-27-2018 08:17 AM
Here is what I am getting on a fresh install of 10.14.0 on a DEP-enrolled Mac. Fully formatted drive and clean install from USB. Remote control is working:
Executing Policy ANZ: Enable ARD
Running script EnableARD...
Script exit code: 0
Script result: Clearing ARD Settings
Starting...
Removed remote control privileges for all users.
Done.
Starting...
Setting allow all users to NO.
Done.
Starting...
local-admin: Set user remote control privileges.
local-admin: Set user remote access.
jamfmgmt: Set user remote control privileges.
jamfmgmt: Set user remote access.
Done.
No admin group specified skipping directory authentication config
Starting...
Set the client options.
Done.
Starting...
Activated Remote Management.
Stopped ARD Agent.
Done.
Here is my script:
#!/bin/bash
###################################################################################################
#
# enableARD.sh Ashley Stonham <reddrop>
# v1.0 - 06/12/2016
#
# Enables ARD for specified users and optionally configures for
# directory based authentication.
#
# Jamf passes script parameters as $4 and $5:
#   $4 = comma-separated list of local admin users to grant ARD access
#   $5 = comma-separated list of directory groups to nest in the local ard_admin group
#
###################################################################################################
ADMINUSER="$4"
ADMINGROUP="$5"
DEFAULTADMIN="jamfmgmt"
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Create the local ard_admin group if it does not exist yet.
createARDAdminGroup() {
    if ! dscl . -read /Groups/ard_admin > /dev/null 2>&1; then
        echo "Creating group ard_admin"
        dseditgroup -o create -r "ARD Admins" ard_admin
    else
        echo "Group ard_admin already exists"
    fi
}

# Nest every comma-separated directory group from $ADMINGROUP inside ard_admin.
addAdminGroupToARD_admin() {
    echo "Adding $ADMINGROUP to ard_admin"
    SAVEIFS=$IFS
    # Split only on newlines. The original IFS=$(echo -en "\n") yields an EMPTY IFS,
    # because command substitution strips the trailing newline, so the loop below
    # would run once with all groups joined into a single name.
    IFS=$'\n'
    ADMINGROUPS=$(echo "$ADMINGROUP" | tr "," "\n")
    for AGROUP in $ADMINGROUPS; do
        echo "GROUP: $AGROUP"
        dseditgroup -o edit -a "$AGROUP" -t group ard_admin
    done
    IFS=$SAVEIFS
}

# Always include the management account; prepend any users passed from Jamf.
if [ -z "$ADMINUSER" ]; then
    echo "No admin user specified"
    ADMINUSER="$DEFAULTADMIN"
else
    ADMINUSER="$ADMINUSER,$DEFAULTADMIN"
fi

echo "Clearing ARD Settings"
"$KICKSTART" -uninstall -settings

# Enable ARD for the specified admins only (not for all users).
"$KICKSTART" -configure -allowAccessFor -specifiedUsers
"$KICKSTART" -configure -users "$ADMINUSER" -access -on -privs -all

if [ -z "$ADMINGROUP" ]; then
    echo "No admin group specified skipping directory authentication config"
    "$KICKSTART" -configure -clientopts -setreqperm -reqperm yes
else
    createARDAdminGroup
    addAdminGroupToARD_admin
    "$KICKSTART" -configure -users ard_admin -access -on -privs -all
    # Also allow directory-group members (via ard_admin) to log in to ARD.
    "$KICKSTART" -configure -clientopts -setreqperm -reqperm yes -setdirlogins -dirlogins yes
fi

"$KICKSTART" -activate -restart -agent
exit 0
It could possibly be because I am using ard_admin groups rather than specifying the users. Apple might have overlooked that hole and it will be patched eventually.
If I try to run the script locally on my machine it fails. It only works when pushed out via Jamf.
I do also have the Jamf Config profile to allow the Jamf Agent increased privacy controls and I am also running 10.7.1.
Privacy Control Config Profile here: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles
Posted on 09-27-2018 08:22 AM
Tried your script and still get the warning that it can't be enabled.
Maybe it works for DEP enrolled devices only? I can't test this yet unfortunately.
Posted on 09-27-2018 08:25 AM
If I try to run the script locally on my machine I can't. It only works via Jamf.
I do also have the Jamf Config profile to allow the Jamf Agent increased privacy controls and I am also running 10.7.1.
Privacy Control Config Profile here
Posted on 09-27-2018 08:42 AM
I just tried on a non-DEP-enrolled Mac and it showed the warning. So it looks like DEP is the reason it is working for some and failing for others.
However, despite getting the warning I was still able to remotely control the Mac.
Posted on 10-13-2018 08:38 AM
Just wanted to come back and post this article here in case anyone else is searching for it:
Use the kickstart command-line utility on macOS Mojave 10.14
https://support.apple.com/en-us/HT209161
If the device is enrolled in MDM, kickstart can still be used to enable full remote control with the addition of a Privacy Preferences Policy Control payload.
Posted on 10-22-2018 02:51 PM
Maybe there is something here... the beginnings of some way in... perhaps!
https://www.sentinelone.com/blog/mojaves-security-hardening-user-protections-bypassed/
Posted on 10-25-2018 01:38 AM
Do you have some pointers on how you are achieving this? I'm reading through the Jamf docs about preparing for Mojave but my brain must be stuck this morning as I can't get my head around it.
*Never mind, I've managed to get it working :)
Posted on 10-26-2018 07:18 AM
For those who are interested, this is how I've accomplished this.
./tccprofile.py --pe /System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent --allow --payload-description="Enables ARD Kickstart on MacOS 10.14 Mojave" --payload-identifier="com.mygreatcompany.com" --payload-name="Enable ARD Kickstart" --payload-org="My Great Company" --payload-version="1" -o ~/Desktop/Enable_ARD_Kickstart.mobileconfig
6. On your Desktop open the Enable_ARD_Kickstart.mobileconfig file in your text editor of choice
7. Change the following lines:
<key>Identifier</key>
<string>/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent</string>
<key>IdentifierType</key>
<string>path</string>
TO
<key>Identifier</key>
<string>com.apple.screensharing.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
8. Save the changes you've made
9. Upload the profile into your Jamf Pro Server
10. Enter whatever name/description you want
11. Deploy to test systems
The resulting installed profile should look like this:
Posted on 10-26-2018 11:34 AM
Thank you Ryan. Ball. Where do I send the bitcoins?
Posted on 10-29-2018 10:45 AM
@ryan.ball When I have this config profile applied to a test machine, I'm not seeing "Screen Sharing" enabled in System Prefs > Sharing. Should it be enabled and grayed out?
Correction: ID10T error... have to also run the kickstart command in conjunction with the config profile... got it.
Posted on 11-09-2018 10:14 AM
@ryan.ball I've created the configuration profile and deployed to my test 10.14.1 Macs. However, I'm still unable to kickstart full ARD with the following command. Are you using a different kickstart command?
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users localadminuser -privs -all -restart -agent -menu
Posted on 11-09-2018 11:28 AM
@UESCDurandal I copied your exact command and just changed the username, and I get the warning, but it does check the remote management box in System Preferences and when I run the following command, I can see my account has ARD access:
dscl . -list /Users dsAttrTypeNative:naprivs
Posted on 11-14-2018 11:37 AM
Must have had something odd with my config profile. Rerunning your instructions and applying again is working for me. Thanks, @ryan.ball !
Posted on 12-03-2018 09:36 AM
from Ryan. Ball post.
I was able to do the kickstart as a policy and that works, but no command that is documented will add full control to all users or even a single user. Anyone figure out a new way to add the control???
Posted on 12-04-2018 02:22 AM
@pranzinic You can use the kickstart command just fine if you add a config profile to allow it. I've tested this with Mojave using the same commands to enable screen sharing for the admin user and it works great.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Screen Sharing Enable</string>
<key>PayloadDisplayName</key>
<string>Screen Sharing Enable</string>
<key>PayloadIdentifier</key>
<string>63DFC01F-E3AF-43FD-941C-317AA4309C33</string>
<key>PayloadOrganization</key>
<string>Kingston University</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C99E0187-FB1B-4F5A-A14B-344F9E2C59C9</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>PostEvent</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.apple.screensharing.agent" and anchor apple</string>
<key>Comment</key>
<string>Allow Control mode when starting Remote Management via kickstart</string>
<key>Identifier</key>
<string>com.apple.screensharing.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Screen Sharing Enable</string>
<key>PayloadDisplayName</key>
<string>Screen Sharing Enable</string>
<key>PayloadIdentifier</key>
<string>63DFC01F-E3AF-43FD-941C-317AA4309C33</string>
<key>PayloadOrganization</key>
<string>Kingston University</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>B8711922-EB7B-4BB3-A9AF-B430CFB3ED97</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadScope</key>
<string>system</string>
</dict>
</plist>
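Ryan Ball's steps above (generate the profile with tccprofile.py, then switch the PostEvent identifier from the path form to the bundleID form) and the plist posted here describe the same PPPC profile. The following is an added example, not the thread's own code or tccprofile.py: it builds an equivalent profile with the standard-library plistlib and checks an existing .mobileconfig for the path-vs-bundleID mistake. Organisation, payload identifier and output file name are placeholders.

```python
#!/usr/bin/env python3
"""Build and check the PPPC (TCC) profile that lets kickstart enable Remote
Management control on macOS 10.14. Added example, not the thread's own
profile; organisation, identifier and file names are placeholders."""
import plistlib
import uuid

AGENT_ID = "com.apple.screensharing.agent"
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Same code requirement as the posted profile: Apple-signed binary with this bundle ID.
CODE_REQ = 'identifier "%s" and anchor apple' % AGENT_ID


def post_event_entry(identifier=AGENT_ID, id_type="bundleID"):
    """One PostEvent service entry. The working form identifies the agent by
    bundle ID; the path form tccprofile.py emits by default must be edited."""
    return {"Allowed": True, "CodeRequirement": CODE_REQ,
            "Comment": "Allow Control mode when starting Remote Management via kickstart",
            "Identifier": identifier, "IdentifierType": id_type}


def build_profile(org, ident="com.example.pppc.ard", entry=None):
    """Return the .mobileconfig as a dict. Outer and inner payloads get their
    own identifier and UUID; PayloadScope (capital P) is System."""
    name = "Enable ARD Kickstart"
    inner = {"PayloadDescription": name, "PayloadDisplayName": name,
             "PayloadIdentifier": ident + ".tcc", "PayloadOrganization": org,
             "PayloadType": TCC_TYPE, "PayloadUUID": str(uuid.uuid4()).upper(),
             "PayloadVersion": 1,
             "Services": {"PostEvent": [entry or post_event_entry()]}}
    return {"PayloadContent": [inner], "PayloadDescription": name,
            "PayloadDisplayName": name, "PayloadIdentifier": ident,
            "PayloadOrganization": org, "PayloadScope": "System",
            "PayloadType": "Configuration",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}


def check_profile(data):
    """Return the problems found in a profile (dict or .mobileconfig bytes);
    [] means it grants PostEvent to the screen-sharing agent by bundle ID."""
    plist = plistlib.loads(data) if isinstance(data, bytes) else data
    problems = []
    if str(plist.get("PayloadScope", "")).lower() != "system":
        problems.append("PayloadScope must be System")
    entries = [e for p in plist.get("PayloadContent", [])
               if p.get("PayloadType") == TCC_TYPE
               for e in p.get("Services", {}).get("PostEvent", [])]
    if not entries:
        problems.append("no PostEvent entry in a TCC payload")
    for e in entries:
        if e.get("IdentifierType") != "bundleID" or e.get("Identifier") != AGENT_ID:
            problems.append("PostEvent entry must use IdentifierType bundleID and Identifier "
                            "%s, found %s %r" % (AGENT_ID, e.get("IdentifierType"), e.get("Identifier")))
    return problems


if __name__ == "__main__":
    with open("Enable_ARD_Kickstart.mobileconfig", "wb") as fh:
        fh.write(plistlib.dumps(build_profile("My Great Company")))
```

To audit a profile you already have, pass its bytes to check_profile; it reports the path-type identifier that tccprofile.py writes before step 7 is applied. As with the posted profile, the kickstart command still has to be run after the profile is installed.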
Posted on 12-31-2018 01:21 PM
I created the mobileconfig as described.
In terminal output when I monitor my script I see this:
Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.
I understand this is just a warning -- will it always say this regardless of the config profile?
Posted on 01-03-2019 08:18 AM
Thanks for the steps sir. When I tried them, the "Remote Management" box was 100% checked off. However, when I clicked on "Options", no options were actually selected.
Posted on 01-04-2019 08:26 AM
@nberanger The profile has to be used in conjunction with the kickstart command (using one of the posted scripts from above):
echo "Enabling Apple Remote Desktop Agent..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
# $targetUsername and $privs are set earlier in the script this fragment comes from (e.g. privs="-all")
echo "Setting Remote Management Privileges for User: $targetUsername ..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs $privs -users $targetUsername
Posted on 01-09-2019 06:03 AM
I'm having the same problem as @nberanger above. I have a PPPC mobileconfig in place on a Mojave system. When I execute the kickstart command locally (like I go into Terminal as a logged-in user and paste in the command), it executes and all boxes are checked in "Options" in Sharing, but when I put the same kickstart command into a script in JSS and attach the script to a policy and execute it, the script runs without errors, but then no boxes are checked in "Options" in the Sharing pane.
What am I missing? I've tried making the script execute as part of a recurring policy and also during login/logout.
The PPPC mobile config profile must be correct, or when I manually run the kickstart command in Terminal, it would fail, but it works. The PPPC config profile is successfully allowing full permissions for my admin user, as it's supposed to.
Posted on 01-18-2019 12:18 PM
@nberanger and I spent quite a long time today working on this problem. I admit I still don't fully understand the syntax of the kickstart command, but I did read that some of the kickstart options need to be separate commands and called separately. So, in the end, there was nothing wrong with my PPPC config profile. It was the logic/syntax of my ARD kickstart command. Here is what I ended up using in a script, that when run on a 10.14 machine where the PPPC config profile is in place, checks all the boxes in Sharing --> Remote Management --> Options:
#!/bin/bash
## Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes
## Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
exit 0
You should pretty easily be able to alter this if you want to limit full control to just a single user instead of all users (on the system).
Thank you, @nberanger . If you're at PSU MacAdmins this year, I will buy you a beer (or beverage of your choice).
Posted on 01-21-2019 09:21 AM
I've been testing the script/workflow that @damienbarrett and I came up with last week, and it does appear to be working 100% of the time. Hope it helps out some more of you out there :-)
Posted on 02-14-2019 08:28 AM
Great guys, thank you so much, enabling remote management works again on macOS Mojave!
I just created a .mobileconfig file with allanp81's config and created a script with damienbarrett's code and it just works! thumbsup
Posted on 02-14-2019 08:37 AM
Is there a way we can get rid of that icon in the tool bar via script?
Posted on 02-14-2019 08:46 AM
Try:
defaults write /Library/Preferences/com.apple.RemoteManagement LoadRemoteManagementMenuExtra -bool false
Posted on 02-14-2019 11:28 AM
Posted on 02-18-2019 09:23 AM
I seem to remember older versions of ARD would let you build a package with the ARDAgent in it and pre-define settings. Then you could take that package and install it on any Mac you wanted to control. I wish that still existed. We could take that package and make it install from JamfPro at Enrollment. Does anyone know how that package was created? Maybe we can reverse engineer it? I'm guessing Mojave's tighter controls would probably block it from working anyway.
Posted on 02-19-2019 12:37 PM
FYI, I don't see this issue in my build process and I use the kickstart command. No configuration profiles for PPPC either.
I run the following command in a Policy with a Files and Processes payload; it runs on StartUp. We also have a nightly reboot of our lab machines, so if someone happens to mess with it, it goes back. Faculty or 1-to-1 machines reboot weekly, but we always reboot them before clients get them, so it just works.
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users MyARDAccount -privs -all -restart -agent -menu
Hope this helps someone.
I will also say I didn't read through every comment, so someone may have already gotten it to work.
-Peter
Posted on 04-04-2019 02:13 AM
As far as I understand the release notes of Jamf Pro 10.11.0, it is now possible to enable Remote Control via command.
Can any of you acknowledge that? As we are currently at 10.10.1, I cannot test it.
Posted on 04-04-2019 01:12 PM
Posted on 04-04-2019 01:35 PM
I can confirm you can enable remote desktop via remote commands in 10.11.1 for computers on 10.14.4. Now that this is an option, is there any way to automate this as part of deployment? Or am I going to have to go in after deployment and push the command?
Posted on 04-09-2019 02:24 AM
Thanks Sandy!
Posted on 04-24-2019 12:58 PM
Also curious if this can be automated during deployment?
Posted on 05-02-2019 02:31 PM
Since a few of you are asking for how to automate this process, Apple Support has an article explaining this new(ish) process. Keep in mind I think you need JAMF 10.11 or higher to have the features this article is talking about for the privacy config profile settings.
Use the kickstart command-line utility on macOS Mojave 10.14
Posted on 05-02-2019 02:45 PM
Yes, it is possible to automate this by pushing the PPPC and tying the kickstart command to a smart group of computers that have the profile installed. We update inventory every half an hour so time isn't of the essence.