Jamf Remote Black screen On Catalina

AdamCraig
Contributor III

We are trying to use Jamf Remote on Catalina, we have a profile installed that enables Kickstart ARD, and a script linked to a self service policy to turn on Remote Login and Remote management in system preferences to so we can use Jamf remote to screen share and provide remote support to our users.

With the computers we're testing on Catalina we can remote screen share, but we only see a black screen. If we manually enable the options in system preferences everything works normally. However many of our users are not admins so they are unable to manually enable those options. Is there a way around this?

EDIT: For some reason the quoted script Bolds the lines that I commented.

#!/bin/bash

# script is designed to check the remote login and remote management boxes in System preferences>sharing
# this should enable jamf remote to log in.

# Referenced these links in creating this script
# https://www.jamf.com/jamf-nation/discussions/29233/enable-remote-management-full-control-in-mojave#responseChild184447
# https://www.jamf.com/jamf-nation/discussions/33575/jamf-+-pppc-+-catalina

## Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes

## Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

# remove the existing SSH access group (revert to all user access)
dseditgroup -o delete -t group com.apple.access_ssh

# ensure SSH is back on
systemsetup -f -setremotelogin on

jamf startSSH

exit 0
12 REPLIES 12

GregE
Contributor

Came looking for a solution as well. We've been able to VNC from Windows DameWare to our Macs in 10.14 but are now hitting this black screen issue in 10.15.2. My guess is that something (vncagent) needs to be enabled in Security & Privacy -> Screen Recording in order for it to work.

I'm using:
Config Profile to enable "com.apple.screensharing.agent"
Then:

#!/bin/sh
#Enable Screensharing
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -access -on -privs -all -clientopts -setmenuextra -menuextra yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw passwordgoeshere
#Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

el2493
Contributor II

Did anyone figure this out? I'm having the problem myself in Catalina. If I use Jamf Remote to connect to a VM that's in Jamf I can only see a black screen with a mouse in the Screen Sharing window, but in the VM window I can see the mouse is being moved over the regular background. I had a similar issue with GoToAssist, and that definitely did require enabling screen recording and a few other options.

AdamCraig
Contributor III

We gave up on jamf remote when we got busy with other projects.

el2493
Contributor II

In case anyone else experiences this, I was able to resolve it by going to the computer I was trying to connect to and running the tccutil reset ScreenCapture command in Terminal. There was seemingly no reason why this should've worked (I hadn't denied access to any prompts, and even if I did I think the app should've appeared unchecked in System Preferences>Security>Privacy and there was nothing listed there as either approved or denied), but it did. When I tried to connect with Jamf Remote again it immediately worked, though it didn't prompt to allow Screen Recording and there was still nothing listed as approved for Screen Recording in System Preferences. I had opened a ticket with Jamf Support because they said something SHOULD be listed as approved under Screen Recording, but as of now it seems like something somehow got denied in PPPC even though after resetting it there was no way to either approve or deny it (it just worked).

prepapps
New Contributor

This really helped us-- but we're having the "black screen" issue in Apple Remote Desktop. We've gotten past the black screen issue with the help of el2493's tccutil reset ScreenCapture command...but now that we can see, we still can't control through ARD. Anyone have further thoughts? I might start a new thread...

el2493
Contributor II

@prepapps do you already have a PPPC profile created to approve the Screen Sharing application for PostEvent? If not, look at this thread https://www.jamf.com/jamf-nation/discussions/29233/enable-remote-management-full-control-in-mojave, and scroll down to 5/11/2019 (jared_f's post).

NoahRJ
Contributor II

I did some additional digging from the TCC.db when Remote Management is programmatically enabled (many thanks to @el2493 for the suggestion to reset ScreenCapture perms) and I can see corresponding entries for kTCCServiceScreenCapture + com.apple.screensharing.agent in the DB.

Sure enough, running a tccutil reset ScreenCapture removes that entry, but it seems like you can't target any combination of com.apple.screensharing.agent or com.apple.screensharing to specifically remove that entry. That's a problem if you're reenabling or reenforcing Remote Management on a machine where somebody may have already allowed Screen Capture access for Zoom, Skype, etc.

Probably nothing to be done outside of resetting all perms, since tccutil is the only option to modify perms in the DB, you can't allow Screen Capture with PPPC, and of course modifying the DB directly is protected under SIP.

Yet another terrific change from Apple...

ooshnoo
Valued Contributor

I just hit the Enter/Return button and black screen goes away

franton
Valued Contributor II

Basically the old CLI tools for enabling Screen Recording don't work as expected anymore. They actually give error messages to that effect when you run them.

The only way to avoid the black screen is either 1) enable by hand or 2) enable via Jamf MDM command. You can find that button in the computer inventory records.

You're running into the screen recording restrictions basically. The above two methods are the most effective way of dealing with this. Keep an eye for changes coming in Big Sur too.

GregE
Contributor

We've been fine since using an API to push the 'enable screen recording' option in Jamf.

cris_lehman
New Contributor II

@GregE Can you expand on this? How are yall doing that?

GregE
Contributor

Create a standard user account that has:
- Jamf Pro Server Objects -> Computers -> Create & Read
- Jamf Pro Server Actions -> Send Computer Remote Desktop Command

Then use the script to get your API to send the "Enable Screen Sharing" Management Command from Jamf (we've got it smart grouped for users who don't have screen sharing enabled).

#!/bin/bash
#
#Variables
apiURL="https://your.jamfcloud.com/JSSResource/computers/"
apiUser="yourAPIuser"
apiPass="yourAPIuserpassword"
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -ShowObserve -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
#
# Get the Serial Number of the Machine
sn=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "Serial Number: $sn"
####
#Get ID by looking up Serial Number
echo "Getting computer information"
answer=$(/usr/bin/curl -s -H "Content-Type: text/xml" -u ${apiUser}:${apiPass} https://your.jamfcloud.com/JSSResource/computers/serialnumber/$sn/subset/general )
echo "Getting Jamf ID"
jamfID=$(echo $answer | xpath '/computer/general/id/text()' 2>/dev/null)
#
echo "Jamf ID $jamfID"
#Removing existing settings:
echo "Removing existing settings"
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -verbose -uninstall -settings -prefs

#Send MDM command to Enable Remote Desktop
echo "Sending MDM command from JSS"
/usr/bin/curl -s -u ${apiUser}:${apiPass} https://your.jamfcloud.com/JSSResource/computercommands/command/EnableRemoteDesktop/id/$jamfID -X POST

#Preferences
echo "Enabling for specific users"
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers 
echo "Limiting access to youradminaccount"
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs -all -users youradminuser
echo "Setting option to show connection"
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra yes
echo "Restarting the ARD Agent"
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent -console
echo "Finished"