Posted on 01-12-2016 08:39 AM
I found a knowledgebase article for enabling SSH but it's from 2012 and the setting must have been moved. How do I enable SSH through Casper on managed clients?
Also, how do I enable VNC and configure the password?
Posted on 01-12-2016 08:53 AM
https://support.apple.com/en-us/HT201710
Good KB article to keep around
Posted on 01-12-2016 09:02 AM
You can build a setting into the QuickAdd package (normal one from Recon.app or the User enrollment version) that will ensure SSH is enabled on your Macs. There are also ways of enabling from the command line that you can use within a policy. (Ex: systemsetup -setremotelogin on)
As for VNC, are you sure you want to enable that? We actively prevent that from being turned on because it's a big security risk. There's no way to enforce strong passwords for it, no way to expire the password or force it to be rotated. The password into it could be as simple as "password" and can stay enabled indefinitely unless you have policies turning it back off later, allowing anyone with an IP address to control the machine with that password. Too risky to me. But hey, if you really want to do that, look into the RemoteManagement kickstart command. I think you can enable it from there.
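Added example, not part of the thread or of any poster's reply: a reporting script that a policy or extension attribute could run as root to show whether Remote Login (SSH) is on and whether the static-password VNC access described above has been switched on. It assumes the state is visible through `systemsetup -getremotelogin` and the `VNCLegacyConnectionsEnabled` key in `/Library/Preferences/com.apple.RemoteManagement`, and that a missing key means legacy VNC was never enabled; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report SSH and legacy-VNC state on a managed Mac.

# Parse the text printed by `systemsetup -getremotelogin`.
ssh_state() {
    case "$1" in
        *"Remote Login: On"*)  echo on ;;
        *"Remote Login: Off"*) echo off ;;
        *)                     echo unknown ;;   # e.g. not run as root
    esac
}

# Normalise the VNCLegacyConnectionsEnabled value.
# Assumption: an absent key (empty string) means legacy VNC is off.
vnc_legacy_state() {
    case "$1" in
        1|true|YES)     echo on ;;
        0|false|NO|"")  echo off ;;
        *)              echo unknown ;;
    esac
}

# Combine both readings into one line with a verdict.
posture() {
    s=$(ssh_state "$1")
    v=$(vnc_legacy_state "$2")
    if [ "$v" = on ]; then
        verdict="FAIL: legacy VNC password access enabled"
    elif [ "$s" = unknown ] || [ "$v" = unknown ]; then
        verdict="UNKNOWN"
    else
        verdict="OK"
    fi
    echo "ssh=$s vnc_legacy=$v $verdict"
}

main() {
    login=$(systemsetup -getremotelogin 2>/dev/null) || login=""
    legacy=$(defaults read /Library/Preferences/com.apple.RemoteManagement \
        VNCLegacyConnectionsEnabled 2>/dev/null) || legacy=""
    # <result> tags are the format Casper extension attributes read.
    echo "<result>$(posture "$login" "$legacy")</result>"
}

# Only query the system on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then main; fi
```
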
Posted on 01-12-2016 10:15 AM
Thank you for the replies.
Regarding VNC, our corporate network is 95% Windows machines with 100% of the IT staff running Windows. We need to connect to these machines remotely and since Casper doesn't include a remote tool like SCCM, our only option seemed to be VNC. If there is a better solution, I'm all ears. :)
Regarding enabling SSH, so it's correct to say that there is no longer a built in option of Casper to enable SSH? We have to build a package to do it or script to do it? :/
Posted on 01-12-2016 10:18 AM
Well, Casper DOES include Remote, which has screen sharing capabilities. The caveat is that unless Screen Sharing is explicitly enabled on 10.10/10.11, it won't work. Prior to 10.10/10.11, the JSS could initiate screen sharing with or without prompt (your choice) without any additional client-side configuration.
Posted on 01-12-2016 10:25 AM
So there is a Casper Remote viewer for Windows???
Posted on 01-12-2016 10:28 AM
@coreythomas There is not. It is the 11th most requested feature at the time of this post.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=187
Feel free to give feedback and vote up that feature request.
Posted on 01-12-2016 10:34 AM
@dgreening You may have missed the part where Corey mentioned their IT staff is 100% Windows. Since Casper Remote is a Mac only application, it's not going to work for them.
@coreythomas You may want to at least take a look at Remotix, which others here have recommended as a Windows > Mac remote control tool. It's not free, so that may be a showstopper, but the advantage of it is it uses Apple's ScreenSharing protocol, which is more secure than straight VNC. As I mentioned, VNC uses a static password (and only a password, no username), whereas Screen Sharing can be configured to allow local accounts (names + password) to control the Mac, or cached AD accounts, or any AD accounts that have the ability to log into the Mac (if the Mac is joined to AD that is). So you definitely have more control over who can remotely log in, and options for disabling access and such. It's still not perfect, but definitely better than plain VNC.
As for SSH, I'm not sure what you mean exactly. Was it a simple built in policy option in the past? If so, I don't recall. I do know it's an option to enable it at enrollment. Take a look at your enrollment process in the JSS and you'll see that you can set it to be turned on there.
Posted on 01-12-2016 10:34 AM
Ahhh sorry I missed that about you needing it for Windows. Should have read more closely. :)
Posted on 01-12-2016 11:25 AM
I have a similar question, where I am not quite understanding all the switches for SSH/Remote Management. Here is what we have in play currently:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users macadmin,admin -allowAccessFor -specifiedUsers -privs -all -clientopts -restart -agent
What I am seeing is that though I'm trying to set remote management access for "macadmin" and "admin" this doesn't seem to consistently enable both accounts. Normally "macadmin" is the only account I can use. Am I missing any obvious switches here? Or is there extra "junk" in the above command that is maybe not even necessary?