Enabling Remote Management via script not working quite right

kbrister
New Contributor

We're new to Jamf and I've been putting together a policy that's triggered by prestage enrollment on a clean installation of High Sierra (10.13.3) to get everything all set up in a convenient, hands-off way. Everything works beautifully except for giving the Administrator account full privileges to remotely manage the Mac.

I'm using this script:
https://www.jamf.com/jamf-nation/third-party-products/files/217/enableard-sh-enable-ard-and-configure-remote-management-settings
I've tried hard-coding the Target Username and using parameter 4.

I know the script is running since Remote Management is getting enabled, but the "Allow Access for: Only these users: Box" remains empty. I thought maybe those commands just don't populate that box but sure enough, screen sharing doesn't work for the administrator account unless I manually add it to that Box.

I've tried with various accounts, running the script while logged in, at login, and at startup.

Everything I've found so far on Jamf Nation simply points me toward those same commands and similar scripts.

Was hoping someone could point out some tiny thing I'm missing here.

Thanks!

1 ACCEPTED SOLUTION

easyedc
Valued Contributor II

So it used to be that Apple Remote Desktop would create a .pkg to set all your settings with remote access. After I started looking into it, I found it was broken and with a support case with Apple they had no plans to fix it. They did work with me to create my needs, though, and I came up with this:

#!/bin/sh
# Activate the ARD agent and show the Remote Management menu extra
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -activate -configure -clientopts -setmenuextra -menuextra yes
# Grant the listed short names access with all privileges
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -users 'Put,Your,Users,ShortName,Here' -access -on -privs -all
# Allow access for the specified users only
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -allowAccessFor -specifiedUsers -privs -all
# Restart the agent and the menu extra so the settings take effect
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -restart -agent -menu
# Turn on Remote Login (SSH)
/usr/sbin/systemsetup -setremotelogin on
exit 0

setmenuextra puts the Remote sharing icon in the menu. The other settings assign the actual users who get rights and then we grant all rights to those users. Works for us as a policy triggered by Enrollment.


Cornoir
Contributor II

After installing the QuickAdd.pkg I also have to run this shell script afterwards to make sure Casper Remote works just for Casper (VNC will only recognize Casper Remote not regular VNC connections), might help might not:

#!/bin/bash

# Turn ScreenSharing on

sudo defaults write /var/db/launch.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -setreqperm -reqperm yes -restart -agent
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

kbrister
New Contributor

Thank you both so much for your quick responses! Easyedc, I tried your script and it worked wonderfully, exactly what I was looking for. Thank you so much!

diegogut90
New Contributor III

@easyedc for that script you posted up, does this work even though my admin account is hidden?

easyedc
Valued Contributor II

@diegogut90 Yes. In my script, when using the -users flag, it's just added to one of the list of accounts to enable. Our JAMF management account is hidden, but it's seen by the system. If you run a

dscl . list /Users | grep -v '^_'

You should see your management account listed, and so if it's on that list, you're fine.
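
The local-account check described in the post above, turned into a preflight for the `-users` step plus a post-check that does not depend on the Sharing pane. This is an added example, not code from the thread: `DSCL_OUTPUT` and the function names are hypothetical, and the post-check assumes kickstart recorded the privileges in the `naprivs` attribute of the local user record.

```shell
#!/bin/sh
# Added example, not from the thread. Jamf passes the user list as parameter 4.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# Local short names minus underscore-prefixed system accounts (the dscl command
# from the post above). DSCL_OUTPUT is a hypothetical override for constructed data.
list_local_users() {
    if [ -n "${DSCL_OUTPUT:-}" ]; then printf '%s\n' "$DSCL_OUTPUT"
    else dscl . list /Users; fi | grep -v '^_'
}

# Print the comma-separated names from $1 that exist locally; return 1 when a
# name is unknown or nothing usable is left (typo, empty Jamf parameter).
resolve_ard_users() {
    known=$(list_local_users); ok=""; bad=0
    old_ifs=$IFS; IFS=,
    for name in $1; do
        IFS=$old_ifs
        name=$(printf '%s' "$name" | tr -d '[:space:]')
        [ -n "$name" ] || continue
        if printf '%s\n' "$known" | grep -qxF -- "$name"; then
            ok="${ok:+$ok,}$name"
        else
            echo "ARD preflight: no local account named '$name'" >&2; bad=1
        fi
    done
    IFS=$old_ifs
    [ -n "$ok" ] || bad=1
    printf '%s\n' "$ok"
    return "$bad"
}

# Assumption: kickstart records per-user ARD privileges in the naprivs attribute
# of the local user record, so this also covers hidden accounts.
has_ard_privs() {
    dscl . -read "/Users/$1" naprivs 2>/dev/null | grep -q 'naprivs:'
}

if [ -n "${4:-}" ] && [ -x "$KICKSTART" ]; then
    users=$(resolve_ard_users "$4") || exit 1
    "$KICKSTART" -configure -users "$users" -access -on -privs -all
    "$KICKSTART" -configure -allowAccessFor -specifiedUsers
    "$KICKSTART" -restart -agent
    for u in $(printf '%s' "$users" | tr ',' ' '); do
        has_ard_privs "$u" || { echo "ARD post-check: no naprivs for $u" >&2; exit 1; }
    done
fi
```

A non-zero exit makes the Jamf policy log show a failure when the parameter is empty or misspelled, rather than Remote Management being enabled with no users allowed.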

diegogut90
New Contributor III

@easyedc will the admin show up under the sharing options in sys pref?

easyedc
Valued Contributor II

@diegogut90 My hidden service account does not show up in that list, even if remote access is enabled for it.

diegogut90
New Contributor III

@easyedc The reason why I asked is because I get errors for both screen sharing and jamf remote, when trying to remote it.

easyedc
Valued Contributor II

@diegogut90 try adding another user and see if that works. We enable a user for our frontline tech guys and the service account.

diegogut90
New Contributor III

@easyedc do you think it's a problem with the secure token that is not allowing the admin user to log in?

Cornoir
Contributor II

@diegogut90 please post errors you are getting with details of steps taken to remote in.

diegogut90
New Contributor III

@Cornoir [image]
That's the error I get, sorry for it being late.

Cornoir
Contributor II

Try updating (or re-typing) the Management account username and password under the Computer info for that Mac in the JSS, see if that works. I will try and do more testing. What version of JAMF are you using also?

diegogut90
New Contributor III

@Cornoir JAMF V 10.7.1

sshort
Valued Contributor

If anyone is using this method in Mojave, be sure to whitelist with a PPPC profile: https://support.apple.com/en-us/HT209161

aks
New Contributor II

I am having a similar problem. I have about 10 out of 600+ computers that are in ARD, and authenticated... but when I try to view remotely, they say they are not authenticated. Each of these computers shows that I am not allowed to run reports on them. I am assuming that maybe the user turned remote management off, but the 're-enable ARD' policy in the JSS seems to do nothing. They are all picking up the correct prestage settings. This is happening afterwards. I can delete them from ARD, and easily add them back with the correct name/password. But I still can't view them. I am wondering if I sent the above script as a policy if that would correct these few laptops?

ldelancy
New Contributor II

@easyedc I am getting the same error message as @diegogut90 when I try to observe, control, or view reports. I have tried retyping the admin creds in the iMac get info. Any guidance would be appreciated. Thanks