IT Department will not allow On site Remote Access to Mac

economicsguy
New Contributor II

As an end-user I am looking for some guidance from the experts where on JAMF Nation

The Issue:
I frequently have a need to run data-intensive statistical software demos at our site.

- I would like to simply have remote access so I can pull up my office computer to run the demo.

- The "Sharing" System Preferences icon is greyed out, preventing me from enabling remote access myself.

My IT department tells me that their use of JAMF's Casper to administer Macs makes it impossible to allow remote access to the iMac in my office from a Windows 10 computer down the hall.

- My colleagues who use Windows 10 are allowed to use remote access without restriction to pull up their desktops anywhere on-site.

My Questions:
1) Does their claim that the use of JAMF's Casper to administer Macs makes it impossible to allow me to have remote access on-site make any sense?

- I have a feeling after some significant turnover that they may simply lack the "know-how" or desire to sort the problem out.

2) If it is possible to enable remote access for a user when using JAMF Casper, what specifically do I need to ask them to do in order to enable access for me?

- Is there documentation that I could point to in order to help them make the necessary changes?

I apologize if I make some mistakes with the terminology, please correct me when needed. In fact, one of the things I need help with is knowing the correct terminology so I can communicate effectively with my IT department here.

The inability to use my own desktop down the hall imposes a significant time cost on me and introduces a great deal of frustration for me and the people I am running the demos for.

Thank you for any help or guidance you can give me.


mschroder
Valued Contributor

The Sharing preference can be managed from JAMF. I use a script to enable Remote Login and Screen Sharing where needed. It might also be possible to do this via a Configuration Profile.

I assume your IT is simply not too keen to make an exception for your Mac, they probably prefer to apply the same setting for all, and thus have disabled the Sharing Pref Pane.

I have no idea how comfortable it is to access a Mac from a Windows PC.

boberito
Valued Contributor

Screen Sharing won't enable you to be able to share the screen from a Mac to a PC.

If you're able to edit or access "Remote Management" from the Sharing System Preference then you can edit Computer Settings and maybe edit the VNC setting there. But I don't remember if Apple uses a special VNC implementation or not that may or may not allow you to use any VNC client. Also VNC isn't that great of a protocol so there's that.

mschroder
Valued Contributor

Well Screen Sharing is just another implementation of VNC. The problem with connecting using another implementation is to get the proper settings, in particular to make sure you transfer your credentials encrypted. I have connected from a linux box to my Macs using TigerVNC, but I have no experience with connecting from a Windows box.

PaulHazelden
Contributor III

We use a VNC client to connect across platform. On the Mac a separate VNC password can be set for sharing its screen, and also on the Windows 10 PC VNC can be set up to share its screen.
Our Windows developer technician uses a Mac on his desk, from this he connects to Windows and Linux boxes. One of our other technicians uses Windows, and he remotes in to Macs from there.
In System Preferences / Sharing / Remote Management there is a Computer Settings button. In there you can set a VNC password. You can also set this with a script.

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw <PASSWORD> -restart -agent -privs -all

Which means that in theory it is possible to send a script with a password set to any Mac, even individually.
They should also be able to restrict your access by restricting port access in the network, to prevent external access. We have Access control lists in place to restrict this internally and externally.

alexjdale
Valued Contributor III

I'll give you what is probably the real answer. Windows devices use the RDP protocol, which can be well-secured for safe remote access. Apple devices use VNC, which is decidedly not secure and cannot be secured in any meaningful way.

For that reason, most security orgs will ban VNC and allow properly-configured RDP. So your Windows colleagues can connect to other Windows systems (since it is a built-in app), but not Macs. To connect to a Mac from Windows you would need to use additional VNC software, which isn't secure. You can easily use Microsoft's RDP app to connect to Windows from Mac, however, since it's also secure.

So yes, Jamf is preventing you from enabling VNC on your Mac, but technically it's an organizational security policy and not some arbitrary fixable issue that we'd help you resolve.

FritzsCorner
Contributor III

While we largely have the same restriction of not allowing remote access to a Mac, we do use NuoRDS for very specific use cases to allow a controlled/managed method of remotely accessing Macs. In my experience, this product seems to offer the best user experience for remoting into a Mac. There may be others like this outside of VNC and ARD, but I haven't seen or tested them.

https://www.nuords.com/products/nuords/

mroe
New Contributor III

Sounds like you want remote desktop and not screen sharing, which may be why they don't want to give it to you; as others have said, VNC is not secure. They could give you the Microsoft Remote Desktop app off the regular App Store, though. You'd have a secure RDP connection working the same way it would between two Windows devices, and they most likely wouldn't have to mess with any profile settings.

sdagley
Honored Contributor II

Microsoft Remote Desktop does not provide the capability of controlling a Mac via RDP.

FritzsCorner
Contributor III

@sdagley Natively it doesn't, but it does if you are using NuoRDS. Of course, it's a paid app and not free.

mm2270
Legendary Contributor II

What @alexjdale said. Back when I was administering a large number of Macs in an enterprise setup, we made extra efforts to ensure VNC was never turned on. It uses a static password, and there's simply no way to ensure it's using either a rotating password or one that meets a certain passcode requirement. So it could use something as simple as "password123" and with that enabled, anyone with the IP address of the Mac and that password would be able to get in and control the Mac. So as he said, it's really insecure.
So that in fact may be why they do not want to allow VNC to be used. The only other "built-in" Mac remote control is Apple Remote Desktop, otherwise known as "Remote Management" in the Sharing Preference Pane. But it's not likely they would allow you to use that. Plus, there's no way I know of to use ARD from a Windows machine to control a Mac. It's a Mac to Mac thing only.

There is a product out there called Remotix that you may want to look at to see if your IT dept is willing to help you get that set up. It basically enables Microsoft's RDP protocol on a Mac and allows Windows to Mac remote control using that system, which is more secure. It's not free, but if it's something you really need for your work and your IT folks are amenable to it, it might be worth spending the money on.

sdagley
Honored Contributor II

@FritzsCorner Thanks for the NuoRDS reference, that could potentially be useful. Can you make any comments on stability? Their latest beta release notes are from April and talk about 10.14.4 compatibility.

tnielsen
Valued Contributor

Your IT department is full of it.

FritzsCorner
Contributor III

@sdagley I am using it on 10.14.6 without any issues. I can't speak for future OS compatibility and I haven't tested it against the Catalina 10.15 Betas yet either.

Here are some of the install notes for the product that may be of interest. https://docs.nuords.com/kb/post-install-adjustments/

As @mm2270 suggested, Remotix is another option. We tested this product a few years ago but ultimately never purchased any licenses for it. It seemed pretty solid though.

spalmer
Contributor III

I use Remotix at home to connect to my personal Mac from my iOS devices and previous descriptions are slightly off. All Remotix clients can connect to Macs using the built-in Screen Sharing or connect to Windows using the RDP protocol, regardless of what platform you are running the client on. So you can use the Windows version of Remotix to connect to your Mac using the built-in Screen Sharing protocol (with all features like encryption, adaptive quality and login with macOS credentials) if you wanted. Remotix can also utilize its own NEAR protocol which I have not tried.

FYI, Screen Sharing and Remote Management are both technically using VNC but with full encryption, adaptive quality and login via your macOS credentials layered on top. They are only insecure if you enable the option for "VNC viewers may control screen with password" which is only needed for compatibility with pure VNC clients. And even if you are granted access to "Remote Management" you can still connect for Observe/Control purposes using the Screen Sharing client (the full Apple Remote Desktop Admin client is not needed).

In addition, your IT department can utilize scripting to enable Screen Sharing/Remote Management even if the icon is disabled for you. Enabling it does not interfere with Jamf Pro.

Remote Management can even be enabled for directory-based logins, for example if your Mac is bound to Active Directory. See https://derflounder.wordpress.com/2018/08/22/using-directory-membership-to-manage-apple-remote-deskt.... Using a script similar to what is posted at the URL above, I have it set up so that users can enable it via a Self Service policy, by request only, which just adds the currently logged in Active Directory user. Although I have to say I am getting far fewer requests from my end users to enable their accounts for Remote Management (Observe/Control only) access because more and more people are getting MacBook Pros as their primary or secondary computer.
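The scripted enablement described in the post above, written out as an added example (not spalmer's script, nor anything from Jamf or Apple): a Self Service policy script that enables Remote Management for the logged-in user with Observe/Control only, turns on directory logins, and keeps the legacy "VNC viewers may control screen with password" path off so no static VNC password is ever set. It assumes Jamf passes the username as $3 and uses only kickstart's published -users/-privs/-setdirlogins/-setvnclegacy options; "example.user" is a constructed placeholder.

```shell
#!/bin/bash
# Added example, not any poster's own script. Enables Remote Management for one
# user (Observe/Control only) without ever configuring a legacy VNC password.

KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Accept only plain account names (letters, digits, dot, underscore, hyphen);
# rejects empty strings and anything with spaces or shell metacharacters.
valid_account() {
  case "$1" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Argument list for kickstart: access only for specified users, this user gets
# Observe/Control, directory (AD) logins allowed, legacy VNC password login off.
kickstart_args() {
  user="$1"
  printf '%s\n' -activate -configure -allowAccessFor -specifiedUsers \
    -users "$user" -access -on -privs -ControlObserve \
    -clientopts -setdirlogins -dirlogins yes -setvnclegacy -vnclegacy no \
    -restart -agent
}

# Run kickstart when present; otherwise print the exact command (dry run).
run_kickstart() {
  user="$1"
  if ! valid_account "$user"; then
    echo "refusing to configure invalid account name: '$user'" >&2
    return 1
  fi
  if [ -x "$KICKSTART" ]; then
    kickstart_args "$user" | xargs "$KICKSTART"
  else
    echo "dry run (kickstart not found): $KICKSTART $(kickstart_args "$user" | tr '\n' ' ')"
  fi
}

# Jamf passes the logged-in username as $3; outside a policy on macOS, use the
# console owner; anywhere else fall back to a constructed placeholder.
TARGET_USER="${3:-}"
if [ -z "$TARGET_USER" ] && [ "$(uname)" = "Darwin" ]; then
  TARGET_USER=$(stat -f%Su /dev/console)
fi
TARGET_USER="${TARGET_USER:-example.user}"   # placeholder, not a real account

run_kickstart "$TARGET_USER"
```

Deploy it as a Self Service policy script so the request stays user-initiated, and leave legacy VNC disabled in the Remote Management client options so only Screen Sharing clients authenticating with macOS credentials can connect.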