Skip to main content
Solved

Enabling Remote Management via script not working quite right

K
Forum|alt.badge.img+2

We're new to Jamf and I've been putting together a policy that's triggered by prestage enrollment on a clean installation of High Sierra (10.13.3) to get everything all set up in a convenient, hands-off way. Everything works beautifully except for giving the Administrator account full privileges to remotely manage the Mac.

I'm using this script:
https://www.jamf.com/jamf-nation/third-party-products/files/217/enableard-sh-enable-ard-and-configure-remote-management-settings
I've tried hard-coding the Target Username and using parameter 4.

I know the script is running since Remote Management is getting enabled, but the "Allow Access for: Only these users: Box" remains empty. I thought maybe those commands just don't populate that box but sure enough, screen sharing doesn't work for the administrator account unless I manually add it to that Box.

I've tried with various accounts, running the script while logged in, at login, and at startup.

Everything I've found so far on Jamf Nation simply points me toward those same commands and similar scripts.

Was hoping someone could point out some tiny thing I'm missing here.

Thanks!

Best answer by easyedc

So it used to be that Apple Remote Desktop would create an .pkg to set all your settings with remote access. After I started looking into it, I found it was broken and with a support case with Apple they had no plans to fix it. They did work with me to create my needs, though, and I came up with this:

#!/bin/sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -activate -configure -clientopts -setmenuextra -menuextra yes 
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -users 'Put,Your,Users,ShortName,Here' -access -on -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -allowAccessFor -specifiedUsers -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -restart -agent -menu
/usr/sbin/systemsetup -setremotelogin on
exit 0
setmenuextra

puts the Remote sharing icon in the menu. The other settings assign the actual users who get rights and then we grant all rights to those users. Works for us as an policy triggered by Enrollment.

View original
Did this topic help you find an answer to your question?

17 replies

C
Forum|alt.badge.img+7
  • Cornoir
  • Contributor
  • 98 replies
  • February 16, 2018

After installing the QuickAdd.pkg I also have to run this shell script afterwards to make sure Casper Remote works just for Casper (VNC will only recognize Casper Remote not regular VNC connections), might help might not:

!/bin/bash

Turn ScreenSharing on

sudo defaults write /var/db/launch.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -setreqperm -reqperm yes -restart -agent
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

K
1 person likes this
  • K
    kbrister
easyedc
Forum|alt.badge.img+16
  • easyedc
  • Esteemed Contributor
  • 623 replies
  • Answer
  • February 16, 2018

So it used to be that Apple Remote Desktop would create an .pkg to set all your settings with remote access. After I started looking into it, I found it was broken and with a support case with Apple they had no plans to fix it. They did work with me to create my needs, though, and I came up with this:

#!/bin/sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -activate -configure -clientopts -setmenuextra -menuextra yes 
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -users 'Put,Your,Users,ShortName,Here' -access -on -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -allowAccessFor -specifiedUsers -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -restart -agent -menu
/usr/sbin/systemsetup -setremotelogin on
exit 0
setmenuextra

puts the Remote sharing icon in the menu. The other settings assign the actual users who get rights and then we grant all rights to those users. Works for us as an policy triggered by Enrollment.

J
K
howie_isaacks
3 people like this
  • J
    jonathand_Welch
  • K
    kbrister
  • howie_isaacks
    howie_isaacks
K
Forum|alt.badge.img+2
  • kbrister
  • Author
  • New Contributor
  • 1 reply
  • February 16, 2018

Thank you both so much for your quick responses! Easyedc, I tried your script and it worked wonderfully, exactly what I was looking for. Thank you so much!

easyedc
1 person likes this
  • easyedc
    easyedc
D
Forum|alt.badge.img+4
  • diegogut90
  • Contributor
  • 17 replies
  • September 17, 2018

@easyedc for that script you posted up, does this work even though my admin account is hidden?

easyedc
Forum|alt.badge.img+16
  • easyedc
  • Esteemed Contributor
  • 623 replies
  • September 17, 2018

@diegogut90 Yes. In my script, when using the -users flag, it's just added to one of the list of accounts to enable. Our JAMF management account is hidden, but it's seen by the system. If you run a 

dscl . list /Users | grep -v '^_'

You should see your management account listed, and so if it's on that list, you're fine.

D
Forum|alt.badge.img+4
  • diegogut90
  • Contributor
  • 17 replies
  • September 17, 2018

@easyedc will the admin show up under the sharing options in sys pref?

easyedc
Forum|alt.badge.img+16
  • easyedc
  • Esteemed Contributor
  • 623 replies
  • September 17, 2018

@diegogut90 My hidden service account does not show up in that list, even if remote access is enabled for it.

D
Forum|alt.badge.img+4
  • diegogut90
  • Contributor
  • 17 replies
  • September 17, 2018

@easyedc reason why i asked is because i get errors for both screen sharing and jamf remote, when trying to remote it.

easyedc
Forum|alt.badge.img+16
  • easyedc
  • Esteemed Contributor
  • 623 replies
  • September 17, 2018

@diegogut90 try adding another user and see if that works. We enable a user for our frontline tech guys and the service account.

D
Forum|alt.badge.img+4
  • diegogut90
  • Contributor
  • 17 replies
  • September 19, 2018

@easyedc do you think its a problem with the secure token that is not allowing the admin user to log in?

C
Forum|alt.badge.img+7
  • Cornoir
  • Contributor
  • 98 replies
  • September 19, 2018

diegogut90

please post errors you are getting with details of steps taken to remote in.

D
Forum|alt.badge.img+4
  • diegogut90
  • Contributor
  • 17 replies
  • October 11, 2018

@Cornoir
thats the error i get sorry for it being late.

C
Forum|alt.badge.img+7
  • Cornoir
  • Contributor
  • 98 replies
  • October 11, 2018

Try updating (or re-typing) the Management account username and password under the Computer info for that Mac in the JSS, see if that works. I will try and do more testing. What version of JAMF are you using also?

D
Forum|alt.badge.img+4
  • diegogut90
  • Contributor
  • 17 replies
  • October 11, 2018

@Cornoir JAMF V 10.7.1

S
Forum|alt.badge.img+15
  • sshort
  • Valued Contributor
  • 301 replies
  • October 11, 2018

If any one is using this method in Mojave, be sure to whitelist with a PPPC profile: https://support.apple.com/en-us/HT209161

C
1 person likes this
  • C
    cwaldrip
A
Forum|alt.badge.img+3
  • aks
  • New Contributor
  • 6 replies
  • October 15, 2018

I am having a similar problem. I have about 10 out of 600+ computers that are in ARD, and authenticated... but when I try to view remotely, they say they are not authenticated. Each of these computers show that I am not allowed to run reports on them. I am assuming that maybe the user turned remote management off, but 're-enable ARD' policy in the JSS seems to do nothing. They are all picking up the correct prestage settings. This is happening afterwards. I can delete them from ARD, and easily add them back with the correct name/password. But I still can't view them. I am wondering if I sent the above script as a policy if that would correct these few laptops?

L
Forum|alt.badge.img+4
  • ldelancy
  • New Contributor
  • 3 replies
  • January 10, 2019

@easyedc I am getting the same error message as @diegogut90 when I try to observe, control, or view reports. I have tried retyping the admin creds in the iMac get info. Any guidance would be appreciated. Thanks

Reply


Most helpful members this week

Terms & ConditionsCookie settingsAccessibility statement

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings