Enable remote management (full control) in Mojave??

taugust04
Valued Contributor

So...

Prepare your institution for iOS 12 or macOS Mojave
[https://support.apple.com/en-us/HT209028](link URL)

"For increased security, using the kickstart command to enable remote management on a Mac will only allow you to observe it when sharing its screen. If you wish to control the Mac while sharing its screen, enable remote management in System Preferences."

So any thoughts on how we can enable full control Apple Remote Desktop management in 10.14? Some of us still have computer labs to manage. I know JAMF Remote provides some of this functionality, but the full console where you see all your systems in Apple Remote Desktop still hasn't been replicated nicely by a third party product.

Its hard to believe how many more things we now need to enable manually in the year 2018 for the sake of security. I remember the good old days where I could just a schedule re-image an entire lab without any intervention... sigh... Apple really needs DEP to catch up with their security policies they keep rolling out...

121 REPLIES 121

CorpIT_eB
Contributor II

@jared_f I am curious how you used PPPC to do this could you explain a bit on what you did and what your overall results where. Currently I am In the early stages of JAMF but unable to control any of the machines put on it via JAMF Remote.

jared_f
Valued Contributor

@CorpIT_eB The first thing is to create the PPPC to allow the kickstart command.
e9cf1e5647274662b51d783a9dc20831

Second, I have an extension attribute that checks to see if remote management is enabled on enrolled machines. Note: Devices will need to update inventory to show a status if you set this up.

#!/bin/sh

loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
Status=$( sudo -u $loggedInUser launchctl list | grep com.apple.RemoteDesktop.agent  | awk '{ print $1 }')
echo $Status

if [[ $Status == "-" ]] ; then
    echo "<result>Off</result>"
else
    echo "<result>On</result>"
fi

Then I have a smart group setup with devices that have the kickstart profile, are in a computer group (I scope to all computers), and Remote Management Status is "Off".
c16e7d9a13f6455e91e341912f7f2b10

Lastly, I have a policy setup with the attached script scoped to that smart group. I have it set to ongoing @ login, enrollment complete, and recurring check-in. I can set it to ongoing as that smart group is re-calculated after running the kickstart policy.

#!/bin/bash

## Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes

## Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

exit 0

CorpIT_eB
Contributor II

@jared_f That's outstanding, thank you I will give this a shot today.

@jared_f UPDATE: This works flawlessly.

Thanks Again.

jared_f
Valued Contributor

No problem @CorpIT_eB... glad it is working.

impressivegol
New Contributor

i think this is an appropriate location for my question, forgive me if it isnt

I'm simply attempting to log into MacBook A from MacBook B.

On MacBook A, I've gone to Sharing, and enabled screen sharing and remote log in. Screen Sharing/Remote login both showing as enabled, and even says "other users can access at vnc://10.7.89.8"

On MacBook B, I do not see anything in the Finder Sidebar. And when i go to Go-->Connect to Server..., and type in the above vnc address, i get a message saying "Connection failed to "10.7.89.8" Make sure screen sharing or Remote mgmt is enabled"

Everything is enabled/green lit, any idea what could be going wrong? both machines are on the same network.

Chuey
Contributor III

@impressivegol What macOS Versions are you running? Mojave?

CorpIT_eB
Contributor II

@jared_f I have not been able to get any reports on knowing which machine has it Enabled / Disabled despite it running "Update Inventory" on a daily basis.

I just want to know if its "On" or "Off"

28a9f89ebd9d43c38ae4ba9aec83ed9a
37cf42f456ac4ab8b0a317502ee51b2c

UPDATE: Never-mind I figured it out like a NOOB was using your Profile name instead of the one I am using for Criteria.

michaelhusar
Contributor II

@Gascolator In reference to the MDM-approach:@Sandy

/usr/bin/curl -s -u $apiUser:$apiPass https://yourmdm.com:8443/JSSResource/computercommands/command/EnableRemoteDesktop/id/$machineID -X POST

Gascolator
New Contributor III

Thanks @michaelhusar, I'll give that a try. I was looking for a solution other than the Kickstart command as I had seen posts about Apple deprecating that in the future. If that's actually going to happen, I guess only time will tell.

michaelhusar
Contributor II

You are very welcome @Gascolator Here a little script you can run on the machine where you want to enable Remote Desktop by using MDM command:

#!/bin/bash
############
#
apiURL="https://yourjamf.com:8443/JSSResource/computers/"
apiUser="APIUser"
apiPass="Secret"

# Get the Serial Number of the Machine
sn=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
#echo $sn
####
#Get ID by looking up Serial Number
answer=$(/usr/bin/curl -s -H "Content-Type: text/xml" -u ${apiUser}:${apiPass} https://yourjamf.com:8443/JSSResource/computers/serialnumber/$sn/subset/general )
jamfID=$(echo $answer | xpath '/computer/general/id/text()' 2>/dev/null)
#
#echo $jamfID
#Send MDM command to Enable Remote Desktop
/usr/bin/curl -s -u $apiUser:$apiPass https://yourjamf.com:8443/JSSResource/computercommands/command/EnableRemoteDesktop/id/$jamfID -X POST
##########################################
#This would be the counterpart: Send MDM command to Disable Remote Desktop
#/usr/bin/curl -s -u $apiUser:$apiPass https://yourjamf.com:8443/JSSResource/computercommands/command/DisableRemoteDesktop/id/$jamfID -X POST

kwoodard
Contributor II

@michaelhusar Forgive the probably dumb question, but the apiUser/apiPass, are those our Jamf user/pass credentials or do we leave what you have in your script as is?

allanp81
Valued Contributor

@kwoodard they will be the credentials for your api user account. You would typically create a separate account for api access as you can control exactly what the account can see or do.

a_holley
Contributor

@szultzie I just want to say that we see the same thing here.
We have been deploying Mojave machines for a while now, and are still using the same kickstart command we always have been. No PPPC config profile being used either.
My boss has decided to jump straight ahead to the 10.15.1 beta and is only now experiencing issues. I will set up the config profile and scope it to his new machine and see if that fixes anything.

beeboo
Contributor

@jared_f

firstly thank you for the fix, its been working in our environment so far!

only issue i have noticed is grepping the status.

i have verifibly (either actually doing a screen share and/or looking at the system preferences to see) that screenshare and remote management is set to ALL.

however, on my personal machine when i grep for status i actually get a number.
on another test machine (also mojave) and a catalina machine, i get no number as a status, so technically 90% or more of the population is reporting no ARD even though it works as expected.

Any insight?

jared_f
Valued Contributor

@jcheLC I looked at our environment and it is grabbing "On" and "Off" as expected. I would double check the EA, here is what we are using:
98d9d8a9275f40fbb90622ca310537ac

Remember your devices need to Update Inventory to grab the state once you update the EA.

beeboo
Contributor

wierd, iono why i had this:

if [[ -z $Status ]] ; then echo "<result>Off</result>"
else echo "<result>On</result>"
fi

the update inventory is auto right, as long as it recons in?

jared_f
Valued Contributor

@jcheLC Yes. Update Inventory / Recon are basically the same thing.

page_229
New Contributor II

Just in case anyone is trying to do this in Catalina, there is a bug that does not set the VNC password correctly if you are using that feature. I have a ticket open with Apple Support about the issue. 101002627882

scottlep
Contributor

We have no issues getting the screen sharing (observe/control) part of ARD working with the proper script and PPPC profile. The issue we are having is getting Send UNIX Command, reports, etc working. So basically anything that is port 3283 based seems not to work, but port 5900 works. When the computers are added to ARD the Current Status shows as "Screen Sharing Available" and we can observe/control....but we cannot send unix commands. As a test we have manually enabled remote management on test machines and all ARD tasks, observe/control, send unix command, etc work so we know that this isn't a network or firewall or security tool issue. Anyone have a similar problem and or have any suggestions in this scenario?

Thanks!

GregE
Contributor

@page.229 Thanks for putting that there as I couldn't work out what was going on while trying to sort out a black screen issue when remoting in (manually entering the password gave access but scripting it wouldn't). Nice to find the answer randomnly on a Jamf forum...

naschenbrenner
New Contributor III

@jared_f I have my EA set up identical to yours but it just shows a blank space. I've ran sudo jamf policy and I see multiple computers checking in, but it's still not giving me a yes or no on any of them. Anything else I can try?

Update: I honestly don't know what happened but it all of a sudden started working, sorry for jumping the gun, and thank you for having such a detailed comment on how to set this up, you rock!

ef7fbfafd86242f6a21a52278784372e

5e12717fcfa34ed780fe9cdcc1652358

michaelhusar
Contributor II

Little full summary for what's at the moment working for our 10.14 and 10.15 machines:

  1. PPPC profile for kickstart https://support.apple.com/en-us/HT209161

  2. Send MDM command to activate (otherwise you could end up with only "observe" )

#!/bin/bash
############
#
apiURL="https://yourjamf.com:8443/JSSResource/computers/"
apiUser="APIUser"
apiPass="Secret"

# Get the Serial Number of the Machine
sn=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
#echo $sn
####
#Get ID by looking up Serial Number
answer=$(/usr/bin/curl -s -H "Content-Type: text/xml" -u ${apiUser}:${apiPass} https://yourjamf.com:8443/JSSResource/computers/serialnumber/$sn/subset/general )
jamfID=$(echo $answer | xpath '/computer/general/id/text()' 2>/dev/null)
#
#echo $jamfID
#Send MDM command to Enable Remote Desktop
/usr/bin/curl -s -u $apiUser:$apiPass https://yourjamf.com:8443/JSSResource/computercommands/command/EnableRemoteDesktop/id/$jamfID -X POST
##########################################
#This would be the counterpart: Send MDM command to Disable Remote Desktop
#/usr/bin/curl -s -u $apiUser:$apiPass https://yourjamf.com:8443/JSSResource/computercommands/command/DisableRemoteDesktop/id/$jamfID -X POST

For the following commands simply use policy with "execute command"

3.Reset RD

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -verbose -uninstall -settings -prefs && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -verbose -restart -agent -console

4. Activate RD e.g for all users that have accounts on machine

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers && nutzer=$(dscl . list /Users | grep -v '^_' -v | grep -v 'daemon'|grep -v 'nobody'| grep -v 'root' | paste -s -d, - | paste -s -d, -) && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users $nutzer -access -on && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings -verbose && /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent -verbose

My bad: wrong sequence: After the MDM command you look at "all users" enabled - so access rights have to be shaped afterwards.Updated that.

mani2care
Contributor

@michaelhusar Really great work it's nice

But I have one question is this will support for the older version Highsierra to kikstart this.
If any pls share us

michaelhusar
Contributor II

@mani2care Thank you.
Yes, it works and you shouldn't need the PPPC and MDM part. So only steps 3 and 4 remain.

One more thought: Often the machine is asleep...maybe a

systemsetup -setcomputersleep Never

makes sense if the machine has to be reachable
Had to update that because MDM command changes kickstart settings.

GregE
Contributor

Thanks @michaelhusar that's a great script. We added in -setvnclegacy -vnclegacy yes -setvncpw -vncpw psswrd so we can use DameWare from Windows as well.

Worth noting that your API user account in the JSS will need:
Jamf Pro Server Objects -> Computers: Create & Read.
Jamf Pro Server Actions -> Send Computer Remote Desktop Command

kwoodard
Contributor II

This is the script I use with my computers that are enrolled in Jamf (doesn't seem to matter if they are DEP enrollments or not). This works up to current Catalina. If I am watching when the script runs, I see the message about this might not work in 10.14 and up, but up to now, it has worked properly. I cobbled this together from a couple different sources, so I don't know who to give attribution too.

#!/bin/bash

error=0

# To use this script to assign Apple Remote Desktop permissions, define the following:
#
# The username of the account that needs to be assigned Apple Remote Desktop permissions.
# The name of the Apple Remote Desktop management group which assigns the right permissions.
#
# The Apple Remote Desktop group permissions are defined below:
#
# Name: com.apple.local.ard_admin
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down, Control,
#                  Observe, Show being observed
#
# Name: com.apple.local.ard_interact
# Assigned rights: Send messages, Control, Observe, Show being observed
#
# Name: com.apple.local.ard_manage
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down
#
# Name: com.apple.local.ard_reports
# Assigned rights: Generate reports
#
# For example, to assign all Apple Remote Desktop permissions to an account named
# "administrator", the user and group variables should appear as shown below:
#
# arduser="administrator"
# ardgroup="com.apple.local.ard_admin"
# 
# To assign only the permissions to screenshare and send messages to an account
# named "helpdesk", the user and group variables should appear as shown below:
#
# arduser="helpdesk"
# ardgroup="com.apple.local.ard_interact"
# 

arduser="insertAdminNameHere"
ardgroup="com.apple.local.ard_admin"

# Do not edit below this line.

CreateGroups(){

# This function will create groups as needed using the dseditgroup tool.

/usr/sbin/dseditgroup -n /Local/Default "$groupname"
  if [ $? != 0 ]; then
      echo "$groupname group does not exist.  Creating $groupname group."
      /usr/sbin/dseditgroup -n /Local/Default -o create "$groupname"
  else
      echo "$groupname group already exists."
  fi
}

CreateAppleRemoteDesktopGroups(){

# This function will use the CreateGroups function to create the local groups used by 
# Apple Remote Desktop's directory-based permissions management.

# To create the com.apple.local.ard_admin group

groupname=com.apple.local.ard_admin

CreateGroups

# To create the com.apple.local.ard_interact group

groupname=com.apple.local.ard_interact

CreateGroups

# To create the com.apple.local.ard_manage group

groupname=com.apple.local.ard_manage

CreateGroups

# To create the com.apple.local.ard_reports group

groupname=com.apple.local.ard_reports

CreateGroups

}

AddUsersToAppleRemoteDesktopGroups(){

   # This function will add users to the groups used by Apple Remote Desktop's directory-based management:

    /usr/sbin/dseditgroup -o edit -a "$arduser" -t user "$ardgroup"
    echo "Added $arduser to $ardgroup"
}

EnableAppleRemoteDesktopDirectoryManagement(){

ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Turn on Apple Remote Desktop by activating
# the Apple Remote Desktop management agent 

$ardkickstart -activate

# Allow Apple Remote Desktop accesss only for specified users

$ardkickstart -configure -allowAccessFor -specifiedUsers

# Enable Apple Remote Desktop management groups

$ardkickstart -configure -clientopts -setdirlogins -dirlogins yes

# Restart the Apple Remote Desktop agent process

$ardkickstart -restart -agent &

}

VerifyUser(){

/usr/bin/id "$arduser"
if [ $? != 0 ]; then
   echo "Unable to set specified Apple Remote Desktop permissions!"
   echo "$arduser account not found on this Mac."
   error=1
   exit "$error"
else
   echo "$arduser account verified as existing on this Mac. Proceeding..."
fi

}


if [[ -n "$arduser" ]] && [[ -n "$ardgroup" ]]; then

   # Verify that the specified user account exists.

   VerifyUser

   # Create Apple Remote Desktop management groups
   # and add the specified user account to the
   # specified management group.

   CreateAppleRemoteDesktopGroups
   AddUsersToAppleRemoteDesktopGroups

   # Turn on Apple Remote Desktop and configure
   # it to use Apple Remote Desktop's directory-based 
   # management to assign permissions.

   EnableAppleRemoteDesktopDirectoryManagement

else
   echo "Unable to set specified Apple Remote Desktop permissions!"
   echo "arduser variable is set to: $arduser"
   echo "ardgroup variable is set to: $ardgroup"
   error=1
fi

exit $error

jhatem
New Contributor II

@kwoodard This script looks great! Two questions- I'm only trying to use Jamf Remote, not the Apple RD client, does this script still apply? If yes, then how would I go about adding two or more admins to the remote desktop permitted group?

Do I define multiple like this,

arduser1="adminusername1" 
arduser2="adminusername2"

then add them all to the group with

/usr/sbin/dseditgroup -o edit -a "$arduser1" -t user "$ardgroup"
    echo "Added $arduser to $ardgroup"

/usr/sbin/dseditgroup -o edit -a "$arduser2" -t user "$ardgroup"
    echo "Added $arduser to $ardgroup"

But that seems like I'll break the VerifyUser pieces? Appreciate the guidance.

kwoodard
Contributor II

I don't use Jamf Remote, so I don't know for sure.

cagarcia
New Contributor

@ryan.ball Your instructions worked for me. Thanks for the help.

dstranathan
Valued Contributor II

@page.229 Do you know if the VNC password issue was resolved in 10.15.4?

cbd4s
Contributor

@dstranathan I don't think so. But there is another way to set the VNC password: /Library/Preferences/com.apple.VNCSettings.txt. Set the password and Composer this file into a package.

Also you can use command line to decrypt the password from this file:

$ sudo cat /Library/Preferences/com.apple.VNCSettings.txt
7F513D02E4A8C5E2FF1C39567390ADCA
$ sudo cat /Library/Preferences/com.apple.VNCSettings.txt | perl -wne 'BEGIN { @k = unpack "C*", pack "H*", "1734516E8BA8C5E2FF1C39567390ADCA"}; chomp; @p = unpack "C*", pack "H*", $_; foreach (@k) { printf "%c", $_ ^ (shift @p || 0) }; print "
"'
hello

Source: Manage the VNC / screen sharing password remotely

dstranathan
Valued Contributor II

@cbd4s Thanks. I just figured this out after pounding my head into my desk for a couple days. I documented all my attempts/failures here: https://www.jamf.com/jamf-nation/discussions/35352/enable-configure-legacy-vnc-via-jamf

Creating a "master VNC password file" will work, but its not optimal - but it works! Thanks!

EDIT: The Perl code in the above post does NOT work. The source post for this tip is located HERE

AVmcclint
Valued Contributor III

For some reason I'm still having an impossible time with this. Currently on 10.15.3 (and tested on 10.15.4). But I have created the PPPC profile exactly as Apple has suggested and confirmed by others' exact same configurations posted here. I have the following script created:

#!/bin/sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

When I run this script or even the exact same kickstart commands many of you are via policy, I get the following:

Executing Policy enable ARD
Running script enableARD.sh...
Script exit code: 0
Script result: Starting...
Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.
Activated Remote Management.
Setting allow all users to YES.
Setting all users privileges to 1073742079.
Done.
Starting...
Stopped ARD Agent.
Done.

After that I go to check System Preferences > Sharing and while Remote Management is enabled, absolutely zero privileges have been enabled. I cannot for the life of me figure out how to make this work.

chadlawson
Contributor
Contributor
Creating a "master VNC password file" will work, but its not optimal - but it works! Thanks! EDIT: The Perl code in the above post does NOT work. The source post for this tip is located HERE

Hi @dstranathan,
The code on that page to create the password is missing two important characters: "-n"

The 'echo "hello"' part should read 'echo -n "hello"' which suppresses adding a newline to the end of the string.

I wish I could say I hadn't made that mistake a gazillion times myself, but that's how I knew it at a glance.

I tried it several times with and without the "-n" flag and I am 100% sure of it now.

#justanotherperlhacker
#okaytechnicallytheminusnbitisbashnotperl

cbd4s
Contributor

@AVmcclint I think all you are missing is the "-access -on" bit. This is what we have in the script:

#!/bin/sh
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -ShowObserve -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs $privs -users $targetUsername

Source: enableARD.sh

jcarr
Contributor III

@AVmcclint rather than using the PPPC profile and a script, a simpler solution might be to use a script to configure remote access (so that is isn't on for all users when enabled), and then send the MDM command to enable remote management.

Create a smart group to identify devices that don't have your remote user and run a policy to create that user and run this script:

#!/bin/sh

# ARD User short named passed to this script from Jamf Pro policy as parameter $4

logger "$0: Configure Apple Remote Desktop access for $4."

# Hide ARD user from login window

dscl . create /Users/$4 IsHidden 1

# Configure Apple Remote Desktop access only for specified users

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers

# Configure Apple Remote Desktop Agent for ARD user specified by parameter $4

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users $4 -access -on -privs -all -clientopts -setmenuextra -menuextra yes

# Hide 'Other' from Login Window

defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool false

exit 0

Once that is done, set up a smart search to find devices that have the user and do not have remote management enabled and send the command to enable it.

kwoodard
Contributor II

Well, whatever the last security update that just happened has messed up Remote Management on half of my computers that I manage. It appears to have emptied out all the check boxes inside the options of Remote Management. What is the most annoying is that even with physical access to the computers, I can remove Jamf and re-enroll and RM won't actually turn on now. The checkbox next to RM will check, but none of the options will get set. What doubly sucks is that Remote Login also gets unchecked, so I can't SSH in to do anything. I now have several hundred computers that I have to go to, one by one, to fix.

Anyone have any ideas? This has turned into a nightmare for me. Does anyone know where the plist file for RM lies? On a few machines that I have had access too, I have been able to manually toggle RM off, then on, then going into Options and cycle the options on/off/on to get it to work again.

kwoodard
Contributor II

Let me add to my previous comment... This seems to be affecting High Sierra machines mostly, I do have a few Mojave computers with this issue though. 99% seem to be High Sierra though.

kwoodard
Contributor II

OK, here is an updated script that seems to be working. Also included is the Jamf trigger to enable Remote Login, in case it somehow got unchecked. Came up with this working with Jamf Support on a few things. There are a few things still in the script that I left in there for when my school is no longer working from home. Mainly the privs line with the remote management options.

#!/bin/bash

error=0

# To use this script to assign Apple Remote Desktop permissions, define the following:
#
# The username of the account that needs to be assigned Apple Remote Desktop permissions.
# The name of the Apple Remote Desktop management group which assigns the right permissions.
#
# The Apple Remote Desktop group permissions are defined below:
#
# Name: com.apple.local.ard_admin
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down, Control,
#                  Observe, Show being observed
#
# Name: com.apple.local.ard_interact
# Assigned rights: Send messages, Control, Observe, Show being observed
#
# Name: com.apple.local.ard_manage
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down
#
# Name: com.apple.local.ard_reports
# Assigned rights: Generate reports
#
# For example, to assign all Apple Remote Desktop permissions to an account named
# "administrator", the user and group variables should appear as shown below:
#
# arduser="administrator"
# ardgroup="com.apple.local.ard_admin"
# 
# To assign only the permissions to screenshare and send messages to an account
# named "helpdesk", the user and group variables should appear as shown below:
#
# arduser="helpdesk"
# ardgroup="com.apple.local.ard_interact"
# 

arduser="user1"
arduser2="user2"
ardgroup="com.apple.local.ard_admin"
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"

# Do not edit below this line.

CreateGroups(){

# This function will create groups as needed using the dseditgroup tool.

/usr/sbin/dseditgroup -n /Local/Default "$groupname"
  if [ $? != 0 ]; then
      echo "$groupname group does not exist.  Creating $groupname group."
      /usr/sbin/dseditgroup -n /Local/Default -o create "$groupname"
  else
      echo "$groupname group already exists."
  fi
}

CreateAppleRemoteDesktopGroups(){

# This function will use the CreateGroups function to create the local groups used by 
# Apple Remote Desktop's directory-based permissions management.

# To create the com.apple.local.ard_admin group

groupname=com.apple.local.ard_admin

CreateGroups

# To create the com.apple.local.ard_interact group

groupname=com.apple.local.ard_interact

CreateGroups

# To create the com.apple.local.ard_manage group

groupname=com.apple.local.ard_manage

CreateGroups

# To create the com.apple.local.ard_reports group

groupname=com.apple.local.ard_reports

CreateGroups

}

AddUsersToAppleRemoteDesktopGroups(){

   # This function will add users to the groups used by Apple Remote Desktop's directory-based management:

    /usr/sbin/dseditgroup -o edit -a "$arduser" -t user "$ardgroup"
    echo "Added $arduser to $ardgroup"
    /usr/sbin/dseditgroup -o edit -a "$arduser2" -t user "$ardgroup"
    echo "Added $arduser2 to $ardgroup"

}

EnableAppleRemoteDesktopDirectoryManagement(){

ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Turn on Apple Remote Desktop by activating
# the Apple Remote Desktop management agent 

$ardkickstart -activate

# Allow Apple Remote Desktop accesss only for specified users

$ardkickstart -configure -allowAccessFor -allUsers -privs -all

# Enable Apple Remote Desktop management groups

$ardkickstart -configure -clientopts -setdirlogins -dirlogins yes

# Restart the Apple Remote Desktop agent process

$ardkickstart -restart -agent

}
# NOTES $ardkickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes


VerifyUser(){

/usr/bin/id "$arduser"
if [ $? != 0 ]; then
   echo "Unable to set specified Apple Remote Desktop permissions!"
   echo "$arduser account not found on this Mac."
   error=1
   exit "$error"
else
   echo "$arduser account verified as existing on this Mac. Proceeding..."
fi

/usr/bin/id "$arduser2"
if [ $? != 0 ]; then
    echo "Unable to set specified Apple Remote Desktop permissions!"
    echo "$arduser2 account not found on this Mac."
    error=1
    exit "$error"
else
    echo "$arduser2 account verified as existing on this Mac. Proceeding..."
fi

}

StartSSH(){

    /usr/local/jamf/bin/jamf startSSH -background

}

if [[ -n "$arduser" ]] && [[ -n "$arduser2" ]] && [[ -n "$ardgroup" ]]; then

   # Verify that the specified user account exists.

   VerifyUser

   # Create Apple Remote Desktop management groups
   # and add the specified user account to the
   # specified management group.

   CreateAppleRemoteDesktopGroups
   AddUsersToAppleRemoteDesktopGroups

   # Turn on Apple Remote Desktop and configure
   # it to use Apple Remote Desktop's directory-based 
   # management to assign permissions.

   EnableAppleRemoteDesktopDirectoryManagement
   StartSSH

else
   echo "Unable to set specified Apple Remote Desktop permissions!"
   echo "arduser variable is set to: $arduser"
   echo "ardgroup variable is set to: $ardgroup"
   error=1
fi

exit $error

Tildo
New Contributor II

@kwoodard

Hi there, I have tried your script on macOS 10.15.6 and it does work but it sets the All Users to have full access to the Remote managed section but is there a way of just specifying the 'Only these users'

This is the output from the script. ladmin@mac-01 ~ % sudo /Users/ladmin/Downloads/EnableARD.sh uid=502(ladmin) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),705(com.apple.sharepoint.group.5),702(com.apple.sharepoint.group.2),704(com.apple.sharepoint.group.4),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh-disabled),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1),707(com.apple.sharepoint.group.7),706(com.apple.sharepoint.group.6),703(com.apple.sharepoint.group.3)
ladmin account verified as existing on this Mac. Proceeding...
uid=502(ladmin) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),705(com.apple.sharepoint.group.5),702(com.apple.sharepoint.group.2),704(com.apple.sharepoint.group.4),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh-disabled),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1),707(com.apple.sharepoint.group.7),706(com.apple.sharepoint.group.6),703(com.apple.sharepoint.group.3)
ladmin account verified as existing on this Mac. Proceeding...
dsAttrTypeStandard:GeneratedUID - AC8BFEA5-DBFD-4D1A-AB14-69F2A93164BF
dsAttrTypeStandard:PrimaryGroupID - 501
dsAttrTypeStandard:RecordName - com.apple.local.ard_admin
dsAttrTypeStandard:RecordType - dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation - /Local/Default
com.apple.local.ard_admin group already exists.
dsAttrTypeStandard:GeneratedUID - 25D80698-F180-4969-A0C0-6E9746FB4EDD
dsAttrTypeStandard:PrimaryGroupID - 502
dsAttrTypeStandard:RecordName - com.apple.local.ard_interact
dsAttrTypeStandard:RecordType - dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation - /Local/Default
com.apple.local.ard_interact group already exists.
dsAttrTypeStandard:GeneratedUID - 5653F237-3B29-46AE-92FF-0427F4624370
dsAttrTypeStandard:PrimaryGroupID - 503
dsAttrTypeStandard:RecordName - com.apple.local.ard_manage
dsAttrTypeStandard:RecordType - dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation - /Local/Default
com.apple.local.ard_manage group already exists.
dsAttrTypeStandard:GeneratedUID - BC780899-7FDB-49D4-8294-7061B6677BC1
dsAttrTypeStandard:PrimaryGroupID - 504
dsAttrTypeStandard:RecordName - com.apple.local.ard_reports
dsAttrTypeStandard:RecordType - dsRecTypeStandard:Groups
dsAttrTypeStandard:AppleMetaNodeLocation - /Local/Default
com.apple.local.ard_reports group already exists.
Added ladmin to com.apple.local.ard_admin
Starting...
Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.
Activated Remote Management.
Done.
Starting...
Setting allow all users to YES.
Setting all users privileges to 1073742079.
Done.
Starting...
Set the client options.
Done.
Starting...
Stopped ARD Agent.
Done.