Also curious if this can be automated during deployment?
Since a few of you are asking for how to automate this process, Apple Support has an article explaining this new(ish) process. Keep in mind I think you need JAMF 10.11 or higher to have the features this article is talking about for the privacy config profile settings.
Use the kickstart command-line utility on macOS Mojave 10.14
Yes, it is possible to automate this by pushing the PPPC and tying the kickstart command to a smart group of computers that have the profile installed. We update inventory every half an hour so time isn't of the essence.
@jared_f I am curious how you used PPPC to do this. Could you explain a bit about what you did and what your overall results were? Currently I am in the early stages of JAMF but unable to control any of the machines put on it via JAMF Remote.
@CorpIT_eB The first thing is to create the PPPC to allow the kickstart command.

Second, I have an extension attribute that checks to see if remote management is enabled on enrolled machines. Note: Devices will need to update inventory to show a status if you set this up.
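#!/bin/bash
# Extension attribute: report the ARD agent state for the logged-in console user.
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
# The first column of `launchctl list` is the PID, or "-" when the job is loaded but not running.
Status=$( sudo -u "$loggedInUser" launchctl list | grep com.apple.RemoteDesktop.agent | awk '{ print $1 }' )
echo "$Status"
if [[ "$Status" == "-" ]] ; then
    echo "<result>Off</result>"
else
    echo "<result>On</result>"
fi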
Then I have a smart group set up with devices that have the kickstart profile, are in a computer group (I scope to all computers), and Remote Management Status is "Off".

Lastly, I have a policy set up with the attached script scoped to that smart group. I have it set to ongoing @ login, enrollment complete, and recurring check-in. I can set it to ongoing as that smart group is re-calculated after running the kickstart policy.
#!/bin/bash
## Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes
## Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
exit 0
@jared_f That's outstanding, thank you I will give this a shot today.
@jared_f UPDATE: This works flawlessly.
Thanks Again.
No problem @CorpIT_eB... glad it is working.
I think this is an appropriate location for my question; forgive me if it isn't.
I'm simply attempting to log into MacBook A from MacBook B.
On MacBook A, I've gone to Sharing, and enabled screen sharing and remote log in.
Screen Sharing/Remote login both showing as enabled, and even says "other users can access at vnc://10.7.89.8"
On MacBook B, I do not see anything in the Finder Sidebar. And when I go to Go-->Connect to Server..., and type in the above vnc address, I get a message saying "Connection failed to "10.7.89.8" Make sure screen sharing or Remote mgmt is enabled"
Everything is enabled/green lit. Any idea what could be going wrong? Both machines are on the same network.
@impressivegol What macOS Versions are you running? Mojave?
@jared_f I have not been able to get any reports on knowing which machine has it Enabled / Disabled despite it running "Update Inventory" on a daily basis.
I just want to know if it's "On" or "Off"


UPDATE: Never mind, I figured it out. Like a NOOB, I was using your Profile name instead of the one I am using for Criteria.
@Gascolator
In reference to the MDM-approach:@Sandy
/usr/bin/curl -s -u "$apiUser:$apiPass" "https://yourmdm.com:8443/JSSResource/computercommands/command/EnableRemoteDesktop/id/$machineID" -X POST
Thanks @michaelhusar, I'll give that a try. I was looking for a solution other than the Kickstart command as I had seen posts about Apple deprecating that in the future. If that's actually going to happen, I guess only time will tell.
You are very welcome @Gascolator
Here is a little script you can run on the machine where you want to enable Remote Desktop by using an MDM command:
#!/bin/bash
############
#
# Base URL of the Jamf API and the credentials of your API user account
apiURL="https://yourjamf.com:8443/JSSResource"
apiUser="APIUser"
apiPass="Secret"
# Get the Serial Number of the Machine
sn=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
#echo $sn
####
#Get ID by looking up Serial Number
answer=$(/usr/bin/curl -s -H "Content-Type: text/xml" -u "${apiUser}:${apiPass}" "${apiURL}/computers/serialnumber/${sn}/subset/general")
jamfID=$(echo "$answer" | xpath '/computer/general/id/text()' 2>/dev/null)
#
#echo $jamfID
# Stop if the lookup returned no ID, rather than posting to a malformed URL
if [[ -z "$jamfID" ]]; then
    echo "Could not find a Jamf computer ID for serial $sn" >&2
    exit 1
fi
#Send MDM command to Enable Remote Desktop
/usr/bin/curl -s -u "${apiUser}:${apiPass}" "${apiURL}/computercommands/command/EnableRemoteDesktop/id/${jamfID}" -X POST
##########################################
#This would be the counterpart: Send MDM command to Disable Remote Desktop
#/usr/bin/curl -s -u "${apiUser}:${apiPass}" "${apiURL}/computercommands/command/DisableRemoteDesktop/id/${jamfID}" -X POST
@michaelhusar Forgive the probably dumb question, but the apiUser/apiPass, are those our Jamf user/pass credentials or do we leave what you have in your script as is?
@kwoodard they will be the credentials for your api user account. You would typically create a separate account for api access as you can control exactly what the account can see or do.
@szultzie I just want to say that we see the same thing here.
We have been deploying Mojave machines for a while now, and are still using the same kickstart command we always have been. No PPPC config profile being used either.
My boss has decided to jump straight ahead to the 10.15.1 beta and is only now experiencing issues. I will set up the config profile and scope it to his new machine and see if that fixes anything.
@jared_f
Firstly, thank you for the fix, it's been working in our environment so far!
The only issue I have noticed is grepping the status.
I have verified (either by actually doing a screen share and/or looking at System Preferences) that screen share and remote management are set to ALL.
However, on my personal machine, when I grep for status I actually get a number.
On another test machine (also Mojave) and a Catalina machine, I get no number as a status, so technically 90% or more of the population is reporting no ARD even though it works as expected.
Any insight?
@jcheLC I looked at our environment and it is grabbing "On" and "Off" as expected. I would double check the EA, here is what we are using:

Remember your devices need to Update Inventory to grab the state once you update the EA.
Weird, I don't know why I had this:
if [[ -z $Status ]] ; then
echo "<result>Off</result>"
else
echo "<result>On</result>"
fi
The update inventory is auto, right, as long as it recons in?
@jcheLC Yes. Update Inventory / Recon are basically the same thing.
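An added example, not posted by anyone in this thread: the `[[ $Status == "-" ]]` and `[[ -z $Status ]]` checks above each test one of three possible states of the agent row in `launchctl list`, so this sketch reports all three separately. The state names, the function names and the sample rows are assumptions constructed for illustration, and it deliberately does not decide which state should count as "On".

```bash
#!/bin/bash
# Added example: classify the ARD agent row in `launchctl list` output.
# Each row is: PID <tab> last exit status <tab> label.
AGENT_LABEL="com.apple.RemoteDesktop.agent"

# Reads `launchctl list` output on stdin and prints one of:
#   running      the PID column holds a number
#   not-running  the job is loaded but the PID column is "-"
#   not-loaded   there is no row for the label at all
ard_agent_state() {
    awk -v label="$AGENT_LABEL" '
        $3 == label {
            found = 1
            if ($1 ~ /^[0-9]+$/) print "running"; else print "not-running"
            exit
        }
        END { if (!found) print "not-loaded" }
    '
}

# Wraps the state in the <result> tags an extension attribute prints.
ea_result() {
    printf '<result>%s</result>\n' "$(ard_agent_state)"
}

# Constructed sample outputs (not captured from a real Mac).
row='%s\t%s\t%s\n'
sample_running=$(printf "$row" PID Status Label 412 0 "$AGENT_LABEL" 301 0 com.apple.Finder)
sample_idle=$(printf "$row" PID Status Label - 0 "$AGENT_LABEL" 301 0 com.apple.Finder)
sample_absent=$(printf "$row" PID Status Label 301 0 com.apple.Finder)

for sample in "$sample_running" "$sample_idle" "$sample_absent"; do
    printf '%s\n' "$sample" | ea_result
done
```

On a managed Mac the input would be the console user's `launchctl list` output piped into `ea_result`, and the smart group criteria would then match on the state string instead of "Off".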
Just in case anyone is trying to do this in Catalina, there is a bug that does not set the VNC password correctly if you are using that feature. I have a ticket open with Apple Support about the issue. 101002627882
We have no issues getting the screen sharing (observe/control) part of ARD working with the proper script and PPPC profile. The issue we are having is getting Send UNIX Command, reports, etc. working. So basically anything that is port 3283 based seems not to work, but port 5900 works. When the computers are added to ARD the Current Status shows as "Screen Sharing Available" and we can observe/control... but we cannot send unix commands. As a test we have manually enabled remote management on test machines and all ARD tasks (observe/control, send unix command, etc.) work, so we know that this isn't a network or firewall or security tool issue. Does anyone have a similar problem and/or have any suggestions in this scenario?
Thanks!
@page.229 Thanks for putting that there as I couldn't work out what was going on while trying to sort out a black screen issue when remoting in (manually entering the password gave access but scripting it wouldn't). Nice to find the answer randomly on a Jamf forum...
@jared_f I have my EA set up identical to yours but it just shows a blank space. I've run sudo jamf policy and I see multiple computers checking in, but it's still not giving me a yes or no on any of them. Anything else I can try?
Update: I honestly don't know what happened but it all of a sudden started working, sorry for jumping the gun, and thank you for having such a detailed comment on how to set this up, you rock!

