Posted on 02-16-2018 06:14 AM
We're new to Jamf and I've been putting together a policy that's triggered by prestage enrollment on a clean installation of High Sierra (10.13.3) to get everything all set up in a convenient, hands-off way. Everything works beautifully except for giving the Administrator account full privileges to remotely manage the Mac.
I'm using this script:
https://www.jamf.com/jamf-nation/third-party-products/files/217/enableard-sh-enable-ard-and-configure-remote-management-settings
I've tried hard-coding the Target Username and using parameter 4.
I know the script is running since Remote Management is getting enabled, but the "Allow Access for: Only these users: Box" remains empty. I thought maybe those commands just don't populate that box but sure enough, screen sharing doesn't work for the administrator account unless I manually add it to that Box.
I've tried with various accounts, running the script while logged in, at login, and at startup.
Everything I've found so far on Jamf Nation simply points me toward those same commands and similar scripts.
Was hoping someone could point out some tiny thing I'm missing here.
Thanks!
Posted on 02-16-2018 08:47 AM
After installing the QuickAdd.pkg I also have to run this shell script afterwards to make sure Casper Remote works just for Casper (VNC will only recognize Casper Remote, not regular VNC connections). Might help, might not:
sudo defaults write /var/db/launch.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -setreqperm -reqperm yes -restart -agent
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
Posted on 02-16-2018 10:45 AM
So it used to be that Apple Remote Desktop would create a .pkg to set all your settings with remote access. After I started looking into it, I found it was broken and with a support case with Apple they had no plans to fix it. They did work with me to create my needs, though, and I came up with this:
#!/bin/sh
# Activate Remote Management and show its icon in the menu bar
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -activate -configure -clientopts -setmenuextra -menuextra yes
# Turn access on, with all privileges, for the listed short names (comma-separated)
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -users 'Put,Your,Users,ShortName,Here' -access -on -privs -all
# Allow access for the specified users only, not for all users
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -allowAccessFor -specifiedUsers -privs -all
# Restart the ARD agent and the menu extra so the settings take effect
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -restart -agent -menu
# Also turns on Remote Login (SSH)
/usr/sbin/systemsetup -setremotelogin on
exit 0
setmenuextra puts the Remote sharing icon in the menu. The other settings assign the actual users who get rights and then we grant all rights to those users. Works for us as a policy triggered by Enrollment.
Posted on 02-16-2018 11:08 AM
Thank you both so much for your quick responses! Easyedc, I tried your script and it worked wonderfully, exactly what I was looking for. Thank you so much!
Posted on 09-17-2018 07:55 AM
@easyedc for that script you posted up, does this work even though my admin account is hidden?
Posted on 09-17-2018 08:14 AM
@diegogut90 Yes. In my script, when using the -users flag, it's just added to one of the list of accounts to enable. Our JAMF management account is hidden, but it's seen by the system. If you run a
dscl . list /Users | grep -v '^_'
You should see your management account listed, and so if it's on that list, you're fine.
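A pre-flight check built on the dscl listing described above, as an added example that is not part of any post in this thread: it confirms that every short name meant for kickstart's -users list is an existing local account, and that the list is not empty, before printing the commands. The function names and the sample account names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; the account names are constructed.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# missing_users LISTING NAMES
#   LISTING: output of `dscl . list /Users`, one short name per line
#   NAMES:   comma-separated short names, as given to kickstart -users
# Prints each name absent from LISTING; returns 1 if any is absent or if
# NAMES is empty (for example an unset Jamf script parameter).
missing_users() {
    listing=$1 names=$2 rc=0
    [ -n "$names" ] || { echo "(empty user list)"; return 1; }
    set -f; old_ifs=$IFS; IFS=,
    for name in $names; do
        # -x whole line, -F literal: "admin" must not match "administrator"
        printf '%s\n' "$listing" | grep -qxF -e "$name" || { printf '%s\n' "$name"; rc=1; }
    done
    IFS=$old_ifs; set +f
    return $rc
}

# ard_plan LISTING NAMES
# Prints the two user-related kickstart commands from the thread, but only
# after every name in NAMES has been found in LISTING.
ard_plan() {
    if bad=$(missing_users "$1" "$2"); then
        echo "$KICKSTART -targetdisk / -configure -users '$2' -access -on -privs -all"
        echo "$KICKSTART -targetdisk / -configure -allowAccessFor -specifiedUsers -privs -all"
    else
        echo "not configuring ARD, unknown account(s): $bad" >&2
        return 1
    fi
}

# Constructed listing standing in for: dscl . list /Users | grep -v '^_'
SAMPLE_LISTING='daemon
nobody
root
administrator
jamfmgmt'

ard_plan "$SAMPLE_LISTING" "administrator,jamfmgmt"    # prints both commands
ard_plan "$SAMPLE_LISTING" "admin" || true             # refused: no such account
# On a Mac, in a Jamf policy script: ard_plan "$(dscl . list /Users)" "$4"
```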
Posted on 09-17-2018 10:42 AM
@easyedc will the admin show up under the sharing options in sys pref?
Posted on 09-17-2018 11:24 AM
@diegogut90 My hidden service account does not show up in that list, even if remote access is enabled for it.
Posted on 09-17-2018 11:43 AM
@easyedc Reason why I asked is because I get errors for both screen sharing and jamf remote, when trying to remote it.
Posted on 09-17-2018 12:29 PM
@diegogut90 try adding another user and see if that works. We enable a user for our frontline tech guys and the service account.
Posted on 09-19-2018 06:55 AM
@easyedc do you think it's a problem with the secure token that is not allowing the admin user to log in?
Posted on 09-19-2018 12:49 PM
diegogut90, please post the errors you are getting, with details of the steps taken to remote in.
Posted on 10-11-2018 07:56 AM
@Cornoir That's the error I get, sorry for it being late.
Posted on 10-11-2018 10:26 AM
Try updating (or re-typing) the Management account username and password under the Computer info for that Mac in the JSS, see if that works. I will try and do more testing. What version of JAMF are you using also?
Posted on 10-11-2018 10:47 AM
@Cornoir JAMF V 10.7.1
Posted on 10-11-2018 11:18 AM
If anyone is using this method in Mojave, be sure to whitelist with a PPPC profile: https://support.apple.com/en-us/HT209161
Posted on 10-15-2018 10:04 AM
I am having a similar problem. I have about 10 out of 600+ computers that are in ARD, and authenticated... but when I try to view remotely, they say they are not authenticated. Each of these computers show that I am not allowed to run reports on them. I am assuming that maybe the user turned remote management off, but 're-enable ARD' policy in the JSS seems to do nothing. They are all picking up the correct prestage settings. This is happening afterwards. I can delete them from ARD, and easily add them back with the correct name/password. But I still can't view them. I am wondering if I sent the above script as a policy if that would correct these few laptops?
Posted on 01-10-2019 08:10 AM
@easyedc I am getting the same error message as @diegogut90 when I try to observe, control, or view reports. I have tried retyping the admin creds in the iMac get info. Any guidance would be appreciated. Thanks