Need help - enable all users for remote management

dugnl
Contributor

We have about 40 lab computers that, due to COVID-19, we are going to allow people to remote into. Previously they were set to only allow the management account to remote in.

I don't see a configuration profile that will just let me override the user enrollment (these aren't DEP Macs) that says to only allow the management account.

Is there an easy script or something I can push out to change these Remote Management settings?

We previously just went with the default Jamf settings that turn on Remote Login, but under Remote Management only the Jamf management account was allowed.

I do know we can manually go in and change this, but I was really hoping to just push a policy out. I don't see that as an immediate option in Jamf.


shaquir
Contributor III

You could unlock the Mac's native Screen Sharing for all users with this script:

#!/bin/bash
# Enable ARD & VNC
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -restart -agent -menu

# Enable SSH
systemsetup -setremotelogin on

It would allow them to remote in by going to "Connect to Server" and entering "vnc://<ipaddress>".

Just a warning: please be cautious with opening these ports, as it would allow any user to view any machine they've been logged into.
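The warning above is the key point: `-allowAccessFor -allUsers` grants Screen Sharing to every account, including accounts that only exist because someone logged in once. The script below is an added example, not code from this thread or from Jamf, showing the narrower alternative kickstart supports: grant access to a named list of local accounts (`-allowAccessFor -specifiedUsers` followed by `-users ...`), require the logged-in user's permission before control (`-clientopts -setreqperm -reqperm yes`), and refuse to grant access to an account that is not actually on the machine (the "account must already exist" behaviour other replies describe). The kickstart path is the one used above; the helper names, the `DRY_RUN` switch and the sample user list are assumptions of this example. It defaults to printing the commands so it can be reviewed before being set to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict Apple Remote Desktop /
# Screen Sharing to a named list of local accounts instead of -allUsers.
# Helper names, DRY_RUN and the sample user list are this example's own choices.

KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the kickstart commands; 0 = run them (as root)

# Accept only plausible local short names: no spaces, no shell metacharacters.
valid_short_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the account exists in the local directory node. The lookup only
# makes sense on macOS, so it is skipped in dry-run mode or where dscl is absent.
account_exists() {
    if [ "$DRY_RUN" -eq 1 ] || ! command -v dscl >/dev/null 2>&1; then
        return 0
    fi
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Validate a comma-separated user list, then build the two kickstart calls that
# (1) switch the access mode to specified users and (2) grant Observe/Control
# (privs -all) to exactly those users, asking the logged-in user for permission
# before control. Prints the commands; runs them when DRY_RUN=0.
ard_restrict_to_users() {
    users=$1
    [ -n "$users" ] || { echo "error: empty user list" >&2; return 1; }
    rest=$users
    while [ -n "$rest" ]; do
        u=${rest%%,*}                    # first name in the list
        if [ "$u" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        valid_short_name "$u" || { echo "error: bad short name '$u'" >&2; return 1; }
        account_exists "$u"   || { echo "error: no local account '$u'" >&2; return 1; }
    done
    cmd1="$KICKSTART -configure -allowAccessFor -specifiedUsers"
    cmd2="$KICKSTART -activate -configure -users $users -access -on -privs -all -clientopts -setreqperm -reqperm yes -restart -agent -menu"
    echo "$cmd1"
    echo "$cmd2"
    if [ "$DRY_RUN" -eq 0 ]; then
        $cmd1 && $cmd2
    fi
}

# Sample invocation with constructed account names; prints the commands by default.
ard_restrict_to_users "labadmin,student01"
```

To apply it from a Jamf policy, run it as root with `DRY_RUN=0`; the account list is the only thing that changes per lab. Removing an account later (as the inactivity cleanup described below does) also removes its Screen Sharing access, which is the behaviour you want on a shared machine.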

donmontalvo
Esteemed Contributor III

Don't forget the profile...

https://support.apple.com/en-us/HT209161

--
https://donmontalvo.com

john-hsu
New Contributor III

Good Afternoon,

I've been working on something like this as well. I've got a script set to open Remote Management to all, and that works great in a non-lab environment. My tests have concluded the following, which pertains to my Mac labs:

If a user has already logged into the Mac in the past and their account is still there, they are able to log in just fine. If the account is not there (we run scripts that delete users after so many days of inactivity), they are not able to log in. Has anyone seen this behavior?

Thanks,
John

shaquir
Contributor III

Hi @john-hsu,
Could you please provide a little more info as to what your goal is? The tests you've described seem like the ideal behavior to me. I don't see the benefit in allowing deleted users access back on the machines. Is it that you'd like to give Active Directory users the ability to rejoin the machine?
Also note that, with the above settings, any user would have access to view the machine. This opens the risk of snooping on shared machines.

dugnl
Contributor

The script provided by shaquir worked great. Though, I did have someone with some extra time log onto these machines and just confirm.

In regards to john-hsu, I experienced the same behavior. If an account is already on the machine, changing to all users lets the person remote in via VNC or Apple Remote Desktop. If an account is not on the computer, at least in the case of vnc://IPaddress, it will not pass through to the desktop. It'll just do the little screen shake.

As soon as an account is on the computer, VNC will let them pass through to the desktop.

The student issue we had is that nobody knows which student logged into what computer. So, student 1 might have an account on computer 1 but not computer 2. So, there is some behind-the-scenes figuring out going on there.

Alternatively, we put a local account (or many local accounts, depending on the machine) on them. VNC will then pass through to the desktop, and while there isn't anything stopping a student from just using that local account on the desktop, our recommendation is for them, at that point, to use their previously provided NetIDs to complete logon.

I don't like all users, nor do I like local accounts, but the reality is we don't have a lot of time to plan. It would've been best to assign accounts to students before kids were sent off campus. Just doing what needs to be done so kids can complete their semesters in a new, not-previously-online world.

Adobe really helped out with their Adobe CC for shared. But things like Final Cut Pro X require that we either pay for a student license (with no money available) or otherwise provide access. Remote desktop to labs from off campus is our immediate solution.