Posted on 12-11-2018 06:00 AM
Hello, I have come across a situation on our district MacBook Airs where students were able to access Terminal and SSH into other machines. I blocked access to Terminal. However, this would not prevent them from using other tools to use SSH. I have found a few commands, such as (launchctl unload /System/Library/LaunchDaemons/ssh.plist); however, this doesn't work, as that plist is not under LaunchDaemons and I can't find it at all. Does someone know how to lock these creative users out of launching any SSH command?
Thanks so much in advance.
Solved!
Posted on 12-11-2018 08:17 AM
You can set up a policy in Jamf containing a script with this command to disable it, and set the execution frequency to ongoing at login:
sudo systemsetup -f -setremotelogin off
Then, if you ever need to remote in, simply have another policy to turn it back on:
sudo systemsetup -f -setremotelogin on
Posted on 12-11-2018 11:37 AM
Script pushed out via Jamf:
#!/bin/sh
systemsetup -f -setremotelogin off
Posted on 12-11-2018 08:36 AM
That's what I was curious about, as I actively use remote desktop to see if students are on task or not. If I set remote login as off, that would disable it for the remote desktop correct?
Posted on 12-11-2018 10:05 AM
That is correct. Another option would be to only enable SSH for an administrator account that you use to access the machine.
* @ddcdennisb, thank you for correcting this statement; please see the post below (regarding remotelogin / remotemanagement).
In /etc/ssh/ you can modify the file 'ssh_config' and allow your admin user with the AllowUsers flag below Host *; the addition of this line will look like the following:
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# AllowUsers ADMINACCOUNTHERE
Posted on 12-11-2018 10:10 AM
There is a difference between Remote Login and Remote Management. ARD uses the Remote Management settings. Disabling Remote Login would turn off SSH access, but you would still be able to use ARD to remote in to control/observe the machines.
Posted on 12-11-2018 11:11 AM
@ddcdennisb, that was the key to shutting it down. I am no longer able to access the testing device. Now to figure out how to remotely uncheck that option for all 330 devices...
Posted on 12-12-2018 11:41 AM
In a similar vein to @Hugonaut's comment above, there is a macOS local directory group whose membership you can modify.
The guts of the command are:
dseditgroup -o edit -n /Local/Default -a "$sshUser" -t user com.apple.access_ssh
In addition to the other great ideas above, you could lock the user permission down to a whitelist of users/groups. Maybe one that does not exist on the computer?
I wrote a Jamf compatible script you can use to run in a policy with parameters here: https://github.com/fauxserve/Casper-Scripts/blob/master/Policy%20Scripts/sshUsersByPolicy.sh
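The allowlist approach above, worked through as an added example (this is not the thread's code or the script in the linked repository): a Jamf-style policy script that makes one administrative account the sole member of com.apple.access_ssh, the group macOS sshd consults when Remote Login is restricted to specific users. The same effect that the earlier post tried to get from AllowUsers (a server-side directive from sshd_config(5), not the ssh_config client file) comes here from group membership, so it survives Apple updating sshd_config. Jamf passes the mount point, computer name and user as $1 to $3, so the account name is read from $4; the fallback name "itadmin" is a constructed placeholder. The helpers that parse dscl output and compute the membership changes run anywhere; only the part that edits the directory is gated to macOS and root.

```shell
#!/bin/sh
# Added example, not from the thread: restrict Remote Login (sshd) to one admin
# account by making it the only member of com.apple.access_ssh. $4 = account name
# (Jamf policy parameter); "itadmin" below is a constructed placeholder.

# Accept only characters a local macOS short name can contain and no leading dash,
# so a typo or a hostile policy parameter cannot become extra dseditgroup options.
valid_shortname() {
    case "$1" in
        "")                  return 1 ;;
        -*)                  return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
        *)                   return 0 ;;
    esac
}

# Reduce `dscl . -read /Groups/com.apple.access_ssh GroupMembership` output
# ("GroupMembership: a b c") to a space-separated list; empty if the key is absent.
members_from_dscl() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# Exact word match of $1 against the member list $2 (no substring matches).
is_member() {
    for m in $2; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# Edits that make $1 the only member given current members $2:
# one "remove <name>" per extra member, then "add <name>" if $1 is missing.
plan_changes() {
    for m in $2; do
        [ "$m" = "$1" ] || printf 'remove %s\n' "$m"
    done
    is_member "$1" "$2" || printf 'add %s\n' "$1"
}

# Apply a plan from plan_changes, one dseditgroup call per line (macOS only).
apply_changes() {
    while read -r action name; do
        case "$action" in
            add)    dseditgroup -o edit -n /Local/Default -a "$name" -t user com.apple.access_ssh ;;
            remove) dseditgroup -o edit -n /Local/Default -d "$name" -t user com.apple.access_ssh ;;
        esac
    done
}

main() {
    admin="${4:-itadmin}"
    if ! valid_shortname "$admin"; then
        echo "refusing to use account name '$admin'" >&2
        return 1
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    # The group only exists once Remote Login has been restricted before; create it
    # if absent so sshd starts enforcing membership.
    dseditgroup -o read com.apple.access_ssh >/dev/null 2>&1 \
        || dseditgroup -o create -n /Local/Default com.apple.access_ssh
    current=$(members_from_dscl "$(dscl . -read /Groups/com.apple.access_ssh GroupMembership 2>/dev/null)")
    plan_changes "$admin" "$current" | apply_changes
    echo "com.apple.access_ssh now: $(dscl . -read /Groups/com.apple.access_ssh GroupMembership 2>/dev/null)"
}

# Only touch the directory on macOS; the helpers above stay usable for auditing.
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```

Because plan_changes is separated from apply_changes, the same script can be run with the apply step replaced by an echo as a Jamf Extension Attribute to report which accounts can currently SSH into each of the 330 machines before anything is changed.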
Posted on 12-14-2018 05:40 AM
@Hugonaut, although the sudo systemsetup -f -setremotelogin off script worked great and completely turned off the remote option (I set up a policy for ongoing at login through Jamf, and I cannot access the device through Terminal, Hyper, etc., which is perfect), the minute the device is restarted that policy is no longer in effect. Which is strange, because I have the policy set to login, ongoing????
Posted on 12-17-2018 03:28 PM
Instead of running the disable script itself as a policy, have you considered running the disable remote login script locally from a LaunchAgent plist? This way, if you need to enable it, you can always run that from a policy; then if the computer boots, upon login, regardless of policy, it will guarantee Remote Login is off.
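The launchd approach suggested above, as an added example that is not the thread's own script: an installer that drops a worker script and a LaunchDaemon plist so `systemsetup -f -setremotelogin off` runs at every boot, independent of whether the Jamf policy fires. It is written as a LaunchDaemon rather than a LaunchAgent because systemsetup requires root and the job should run before any student logs in; the label and file paths are constructed placeholders. The worker only calls systemsetup when Remote Login is actually on, so each boot is idempotent and produces at most one log line. A Jamf policy that needs SSH back would run `systemsetup -f -setremotelogin on` and then `launchctl bootout system <plist>` on the same label.

```shell
#!/bin/sh
# Added example, not from the thread: force Remote Login (sshd) off at every boot
# via a LaunchDaemon. Label and paths are constructed placeholders.

LABEL="edu.example.disable-remote-login"
SCRIPT_PATH="/usr/local/bin/disable-remote-login.sh"
PLIST_PATH="/Library/LaunchDaemons/$LABEL.plist"

# Normalise `systemsetup -getremotelogin` output ("Remote Login: On" /
# "Remote Login: Off") to on/off/unknown so callers compare states, not text.
remote_login_state() {
    case "$1" in
        *"Remote Login: On"*)  echo on ;;
        *"Remote Login: Off"*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# The script launchd runs as root: turn Remote Login off only if it is on.
# Quoted heredoc delimiter keeps $state from expanding at render time.
render_worker_script() {
    cat <<'EOF'
#!/bin/sh
state=$(/usr/sbin/systemsetup -getremotelogin 2>/dev/null)
case "$state" in
    *"Remote Login: Off"*) exit 0 ;;
esac
/usr/sbin/systemsetup -f -setremotelogin off
logger -t disable-remote-login "Remote Login forced off at boot"
EOF
}

# LaunchDaemon plist: RunAtLoad runs the worker once per boot. $1 = label, $2 = worker path.
render_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$2</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

install_daemon() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    render_worker_script > "$SCRIPT_PATH"
    chmod 755 "$SCRIPT_PATH"
    render_plist "$LABEL" "$SCRIPT_PATH" > "$PLIST_PATH"
    # launchd refuses daemons that are writable by anyone other than root.
    chown root:wheel "$PLIST_PATH" && chmod 644 "$PLIST_PATH"
    plutil -lint "$PLIST_PATH" >/dev/null || return 1
    # Load now too, so the first enforcement does not wait for a reboot.
    launchctl bootstrap system "$PLIST_PATH" 2>/dev/null || launchctl load "$PLIST_PATH"
}

# Only install on macOS; the render/parse helpers work anywhere for review.
if [ "$(uname)" = "Darwin" ]; then
    install_daemon "$@"
fi
```

Pushing this installer once through Jamf replaces the recurring "ongoing at login" policy with a local control that holds even when the Mac is off the network, while the re-enable policy still works by unloading the job before turning Remote Login back on.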