Jamf Nation Community

@rcorbin, yes I would say there is. We are a small IT Department (5 individuals) that need to service over 3500 machines across 15 different locations. The more we can control, upgrade, and troubleshoot remotely the better.

I found that sometimes it may take a while before computers will see any software update right after they come out. What I did was to make a check-in policy to just run softwareupdate -d -a and then a subsequent command to install the update. HOWEVER, a more consistent method would be to download the pkg from here https://support.apple.com/kb/DL1909?locale=en_US and push it out to all Macs with a command to run after the installation to restart the kickstart process.

As far as the scope... instead of making an EA, I just added /System/Library/CoreServices/RemoteManagement to the Software Inventory collection. As Macs do their daily inventory they report the version of the ARDagent.app and I scope accordingly. One thing I discovered is if you have a Mac running El Capitan and install ARD agent 3.9, THEN at a later time upgrade to Sierra, the ARD agent will get downgraded and you'll have to upgrade the agent again.

@Ricky @rcorbin We were in the exact same boat. Shop of 4 techs with 5100 machines. We found the option that rcorbin suggested, clicked it and haven't looked back. Everything runs great now. Actually had less issues with my machine upgraded and the others that aren't. Hopefully that works for you.

A positive side effect of checking on the “Allow communications with older clients” box was that it greatly sped up the amount of time it takes to open a remote window. Before I checked that box it took a very long time to open a window on a remote system, if it was even successful at all. This problem was for all versions of the OS, regardless of being eligible for the 3.9 client.

Apple's KB HT207526 covers enabling that box.

Can be set/managed using defaults or Config Profile, accompanying the Jamf policy, although I wonder if the "less secure" mantra means there are new security capability in 3.9 that wasn't there for older versions, making the warning only relevant to 3.9 clients. The key would be ignored if its not expected by older versions of ARD to be there:

/usr/bin/defaults write /Library/Preferences/com.apple.RemoteManagement allowInsecureDH -bool TRUE

An EA to determine major.minor version of Apple Remote Desktop, if installed, or report NotInstalled if not installed:

#!/bin/sh
if [ -d /Applications/Remote Desktop.app ]; then
    echo "<result>$( defaults read /Applications/Remote Desktop.app/Contents/version.plist CFBundleVersion | cut -f1-2 -d"." )</result>"
else
    echo "<result>NotInstalled</result>"
fi

Then a Smart Computer Group (SmCG) to scope to anyone who has Apple Remote Desktop 3.9x (the whole range 3.9 through 3.9.9 since it only looks at the major.minor parts of the version) installed:

Leveraging semantic versioning using granular Extension Attributes gives you a much greater level of scoping control than using built in fuzzy logic where more precise logic isn't available.

That's what we do, right...control stuff? :D