Enable Remote Management with Managed Preference

EightQuarterBit
New Contributor III

Anyone here know how to enable Remote Management (and only for one user) via a managed preference?

1 ACCEPTED SOLUTION

Matt
Valued Contributor

Why not just make a login script?

#!/bin/sh

# adminUser = Admin User Name for Remote Access

adminUser="youruser"

##################################
# Do Not Modify Below This Line  #
##################################

# Use script parameter 4 only when adminUser above is left empty
if [ "$4" != "" ] && [ "$adminUser" = "" ]; then
    adminUser=$4
fi

# DEFINE CONTROL SETTINGS

privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"

# Do Not Modify Below This Line

if [ "$adminUser" != "" ]; then
    # Turn on Remote Management and restrict access to specified users only
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
    # Grant the privileges above to the listed user(s); $privs stays unquoted so it splits into separate flags
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs $privs -users "$adminUser"
fi


15 REPLIES

EightQuarterBit
New Contributor III

Worked like a charm. Many thanks, good sir!

JimAllsop
New Contributor

How would I do this for several users? (I.e., I only want my tier 3 help desk techs to be able to remote into the senior execs' computers.) So enabling the standard administrator account won't work. Can't do it via AD either, because only systems and myself as the help desk manager are domain admins. So I need to be able to add 4 users to remote access.

chriscollins
Valued Contributor

@JimAllsop, in his script, at the adminUser variable, just add more usernames separated with commas.

adminUser="user1,user2,user3"
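
Added example, not part of the original posts or of Matt's script: because the script runs as root and takes its user list from `adminUser` or script parameter `$4`, the list can be validated before it reaches kickstart so that only existing accounts are granted access and nothing in it is read as an extra option. The function names `validate_user_list` and `configure_ard_access` and the allowed character set for short names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: check a comma-separated user list before handing it to kickstart.
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Return 0 only if every entry is a well-formed short name of an existing account.
validate_user_list() {
    list=$1
    [ -n "$list" ] || return 1
    # Leading, trailing or doubled commas would yield empty entries.
    case "$list" in
        ,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    set -f                      # no glob expansion while splitting
    for u in $list; do
        IFS=$old_ifs
        # Assumed policy: letters, digits, dot, underscore, hyphen; no leading
        # hyphen, so an entry can never be parsed as a kickstart option.
        case "$u" in
            -*|*[!A-Za-z0-9._-]*) set +f; return 1 ;;
        esac
        # The account must resolve on this machine.
        id -u "$u" >/dev/null 2>&1 || { set +f; return 1; }
    done
    IFS=$old_ifs
    set +f
    return 0
}

# Enable Remote Management for the validated users only (same kickstart calls as the thread's script).
configure_ard_access() {
    users=$1
    privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
    if ! validate_user_list "$users"; then
        echo "refusing to configure Remote Management: invalid user list" >&2
        return 1
    fi
    "$KICKSTART" -activate -configure -allowAccessFor -specifiedUsers &&
        "$KICKSTART" -configure -access -on -privs $privs -users "$users"
}

# Runs only where kickstart exists and a policy passed a user list as parameter 4.
if [ -x "$KICKSTART" ] && [ -n "${4:-}" ]; then
    configure_ard_access "$4"
fi
```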

JimAllsop
New Contributor

Thanks!! I'm new to writing scripts! Thanks once again.

asd_alozano
New Contributor

Hi.

I am new to this Casper Suite and I would appreciate any help that I can get.

How do I go about turning off remote login and remote management for all local/domain users and only enable it for localadmin? (admin account name = localadmin).

Can this be done in the background?

Thanks.

mjohnston
New Contributor

@chriscollins , So can user1, user2, user3 be AD users or do they have to already have a local profile on the machine I'm setting up?

Scenario: I have 6 Mac minis connected to 6 TVs used for monitoring for different teams. I'm trying to avoid using wireless keyboards and mice as they will get confused or misplaced etc...
I only want to allow members of each team to be able to remote to their corresponding Mac mini / TV.
Anywhere between 2-6 people may need access to each Mac mini.

Would be happy for any input anyone has.
Thanks,
Matt

slatert
New Contributor II

This script works perfectly to enable remote when using DEP imaging, Prestage with a payload of a hidden user. Thanks!

Garrett
New Contributor II

What would we enter in for adminUser if we want this script to just be installed for all users on the machine?

quedayone
Contributor

Yes, I would like to add AD group "domain admins". That would be cool.

stephaniemm77
Contributor II

Does this script still work in 10.14?

maffettb
New Contributor III

@stephaniemm77 Yes, just tested this on a DEP machine running 10.14.5 and it seems to have worked for me.

blackholemac
Valued Contributor III

I would test that workflow thoroughly using every function of ARD. I once thought that something similar to this would work and later found that it would not. It would only allow observation. I do know that this workflow will work if you add in the following PPPC profile from my screenshot here.

maffettb
New Contributor III

Oh yes, sorry, should have specified... I'm kind of lucky that the school I work for has ignored Macs entirely until now. Annoying for me to figure out stuff and make it work with their Windows network, but I get to start from scratch. I do have that PPPC profile as part of my base config profile that is part of pre-stage enrollment.
So, DEP, PPPC, and then yes, that script is working on 10.14.5 for screen control and sharing. Jamf Remote is also following the JAMF user privileges in regards to asking end user permission before taking control or just giving control without prompt.
I started down this rabbit hole since JAMF Remote for some reason just failed to screen share on my network unless remote management was on.

mwiese1
New Contributor

This script is awesome and we still use it in our environment. Has anyone looked into / figured out how to accomplish this via Config Profile?