Remote desktop can be disabled with CLI. For JAMF to be able to turn Remote Desktop off after a period of time, JAMF would need to know time has passed since it was abled. I am not aware of a way to see when Remote Desktop was enabled, but that does not mean you could not create a way.
- Create a smart group to read if Remote Desktop is enabled.
- Create a policy to run on check in targeting all devices with Remote Desktop enabled, to place a "flag file" somewhere on the disk and echo the date in to that file.
- Make an extension attribute to read for the presense of that file and if exists read the date.
- Make a smart group targeting devices with that file and so many days past the given date.
- Target a policy to disable Remote Desktop and remove the flag at the smart group created in step 4.
Note, a flag file is just a text document you are placing on a device for JAMF to look for. Its like the device raising a flag.To make life easier do not reuse flag files for multiple purposes.
The work flow.
- Your tech or anyone enables Remote Desktop
- Recon runs at some point and sees Remote Desktop is enabled
- Your smart group adds the Mac to the smart group seeing Remote Desktop is enabled
- Your policy will run to drop the flag because the Mac is now in the scope because its in that Remote Desktop group
- XYZ days pass the Mac will be added to the smart group for the flag file being so old
- Policy will run to disable Remote Desktop and remove the flag because it was added to the scope
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate
You could also do this with JAMF API, but its probably best not to.
Disable Remote Desktop | Apple Developer Documentation
