Help: How to enable SSH and VNC?

coreythomas
New Contributor III

I found a knowledgebase article for enabling SSH but it's from 2012 and the setting must have been moved. How do I enable SSH through Casper on managed clients?

Also, how do I enable VNC and configure the password?

9 REPLIES

millersc
Valued Contributor

https://support.apple.com/en-us/HT201710

Good KB article to keep around

mm2270
Legendary Contributor III

You can build a setting into the QuickAdd package (normal one from Recon.app or the User enrollment version) that will ensure SSH is enabled on your Macs. There are also ways of enabling from the command line that you can use within a policy. (Ex: systemsetup -setremotelogin on)

As for VNC, are you sure you want to enable that? We actively prevent that from being turned on because it's a big security risk. There's no way to enforce strong passwords for it, no way to expire the password or force it to be rotated. The password into it could be as simple as "password" and can stay enabled indefinitely unless you have policies turning it back off later, allowing anyone with an IP address to control the machine with that password. Too risky to me. But hey, if you really want to do that, look into the RemoteManagement kickstart command. I think you can enable it from there.

coreythomas
New Contributor III

Thank you for the replies.

Regarding VNC, our corporate network is 95% Windows machines with 100% of the IT staff running Windows. We need to connect to these machines remotely and since Casper doesn't include a remote tool like SCCM, our only option seemed to be VNC. If there is a better solution, I'm all ears. :)

Regarding enabling SSH, so it's correct to say that there is no longer a built in option of Casper to enable SSH? We have to build a package to do it or script to do it? :/

dgreening
Valued Contributor II

Well, Casper DOES include Remote, which has screen sharing capabilities. The caveat is that unless Screen Sharing is explicitly enabled on 10.10/10.11, it won't work. Prior to 10.10/10.11, the JSS could initiate screen sharing with or without prompt (your choice) without any additional client-side configuration.

coreythomas
New Contributor III

So there is a Casper Remote viewer for Windows???

bpavlov
Honored Contributor

@coreythomas There is not. It is the 11th most requested feature at the time of this post.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=187

Feel free to give feedback and vote up that feature request.

mm2270
Legendary Contributor III

@dgreening You may have missed the part where Corey mentioned their IT staff is 100% Windows. Since Casper Remote is a Mac-only application, it's not going to work for them.

@coreythomas You may want to at least take a look at Remotix, which others here have recommended as a Windows > Mac remote control tool. It's not free, so that may be a showstopper, but the advantage of it is it uses Apple's ScreenSharing protocol, which is more secure than straight VNC. As I mentioned, VNC uses a static password (and only a password, no username), whereas Screen Sharing can be configured to allow local accounts (names + password) to control the Mac, or cached AD accounts, or any AD accounts that have the ability to log into the Mac (if the Mac is joined to AD, that is). So you definitely have more control over who can remotely log in, and options for disabling access and such. It's still not perfect, but definitely better than plain VNC.

As for SSH, I'm not sure what you mean exactly. Was it a simple built-in policy option in the past? If so, I don't recall. I do know it's an option to enable it at enrollment. Take a look at your enrollment process in the JSS and you'll see that you can set it to be turned on there.

dgreening
Valued Contributor II

Ahhh sorry I missed that about you needing it for Windows. Should have read more closely. :)

ryan_s
New Contributor II

I have a similar question, where I am not quite understanding all the switches for SSH/Remote Management. Here is what we have in play currently:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users macadmin,admin -allowAccessFor -specifiedUsers -privs -all -clientopts -restart -agent

What I am seeing is that though I'm trying to set remote management access for "macadmin" and "admin" this doesn't seem to consistently enable both accounts. Normally "macadmin" is the only account I can use. Am I missing any obvious switches here? Or is there extra "junk" in the above command that is maybe not even necessary?
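An added example, not part of any post in this thread: a script that restricts Remote Management to named accounts with separate kickstart calls and keeps the shared-password legacy VNC listener off, which is the risk raised earlier in the thread. It assumes the kickstart options `-access`, `-setvnclegacy` and `-vnclegacy` behave as kickstart's own help text describes; the function names and the `DRY_RUN` variable are hypothetical.

```shell
#!/bin/sh
# Added example: plan (or run) kickstart calls that limit Remote Management
# to named accounts and leave the legacy VNC password listener disabled.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# Accept only plain short names, so a value can never be read as a
# kickstart option or split into extra arguments.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one kickstart invocation per line for the given accounts.
ard_plan() {
    [ "$#" -gt 0 ] || { echo "usage: ard_plan user [user...]" >&2; return 2; }
    users=
    for u in "$@"; do
        valid_user "$u" || { echo "bad account name: $u" >&2; return 1; }
        users="${users:+$users,}$u"
    done
    # 1. Only listed accounts may connect, instead of all local users.
    echo "$KICKSTART -activate -configure -allowAccessFor -specifiedUsers"
    # 2. Turn access on and set privileges for every listed account.
    echo "$KICKSTART -configure -users $users -access -on -privs -all"
    # 3. Keep the single shared VNC password listener off.
    echo "$KICKSTART -configure -clientopts -setvnclegacy -vnclegacy no"
    # 4. Restart the agent so the new settings are picked up.
    echo "$KICKSTART -restart -agent"
}

# Print the plan when DRY_RUN=1 (the default); with DRY_RUN=0, run it.
# Running it requires root on the managed Mac.
ard_apply() {
    plan=$(ard_plan "$@") || return $?
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$plan"
    else
        printf '%s\n' "$plan" | while IFS= read -r cmd; do
            $cmd || exit 1   # safe to word-split: names were validated
        done
    fi
}
# Usage: ard_apply macadmin admin
```

After applying, `systemsetup -getremotelogin` reports separately whether SSH (Remote Login) is on, since kickstart does not manage that setting.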