NoMachine Deployments - detect devices that need screen recording permission + configuration

snovak
Contributor

Just an FYI for anyone else looking at NoMachine for remote lab access. Here is an EA to detect (on 10.15+, not tested on Big Sur yet) whether the NoMachine service has been permitted to do screen recording:

#!/bin/bash

ExtensionVersion=""

if [ -f /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg ]; then
    # Pull the TCC decision for the NoMachine client on the Screen Recording service (allowed: 1 = granted, 0 = denied)
    ExtensionVersion=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT service,client,allowed from access" | grep nomachine | grep kTCCServiceScreenCapture | cut -d'|' -f3)
    # This will identify clients that haven't even requested permissions yet.
    if [ "$ExtensionVersion" == "" ]; then
        ExtensionVersion=0
    fi
fi

if [ "$ExtensionVersion" == "" ]; then
    ExtensionVersion="Not Installed"
elif [ "$ExtensionVersion" == "1" ]; then
    ExtensionVersion="Granted"
elif [ "$ExtensionVersion" == "0" ]; then
    ExtensionVersion="Denied"
fi

echo "<result>$ExtensionVersion</result>"

exit 0

After my major rollout, I'm going to create a smart group and get email alerts on changes for it, so I know if I need to go do something.

And here is part of the script I use to license and configure the software:

#!/bin/bash

# Get the NoMachine license file
Host=$(hostname -s)
if [ ! -d "/Library/Application Support/My IT/" ]; then
    mkdir -p "/Library/Application Support/My IT/"
fi

cd "/Library/Application Support/My IT/" || exit 1

# I store my license files in an IIS directory where the names are associated with specific devices, which would aid in deploying the software automatically.
if [ ! -f "/Library/Application Support/My IT/node-$Host.lic" ]; then
    curl -f -O "https://jss.my.com/NoMachine/node-$Host.lic"

    if [[ $? -ne 0 ]]; then
        # Because I'm going to try and name the license files by the computer name, if it fails, I want to know, so I can see why it failed
        exit 1
    fi
    # The server license is required below as well, so bail out if it cannot be fetched either
    curl -f -O "https://jss.my.com/NoMachine/server-$Host.lic" || exit 1
fi

if [ ! -d /Applications/NoMachine.app ]; then
    exit 0
fi

cd /Applications/NoMachine.app/Contents/Frameworks/etc/ || exit 1
# -f so a missing license file does not abort the run
rm -f server.lic
rm -f node.lic
cp "/Library/Application Support/My IT/node-$Host.lic" node.lic
cp "/Library/Application Support/My IT/server-$Host.lic" server.lic
# The config for NoMachine is at /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg

#
# Set the maximum number of concurrent connections.
#
#ConnectionsLimit 20
sed -i'' -e 's/#ConnectionsLimit 20/ConnectionsLimit 1/' /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg


# 3: Silent. The server never notifies desktop owners about incoming
#    users, incoming users are informed that the maximum number of
#    allowed connections is reached.
#AutomaticDisconnection 0 -> 3
sed -i'' -e 's/#AutomaticDisconnection 0/AutomaticDisconnection 3/' /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg


# 0: Disabled. This computer cannot be found on the local
#    network but it's still reachable by providing its IP
#    or hostname.
#
#EnableNetworkBroadcast 1
sed -i'' -e 's/#EnableNetworkBroadcast 1/EnableNetworkBroadcast 0/' /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg


#
# Blanking the physical screen of the machine when somebody connects.
#
# 1: Enabled. The physical screen of this machine is blanked and the
#    local user cannot interact with the desktop while somebody is
#    connected.
#
# 0: Disabled. The physical desktop of this machine is not blanked
#    when somebody is connected. All operations made from the remote
#    user are visible to the local user and the local user can interact
#    with the desktop. This is the default.
#
#EnableScreenBlanking 0 > 1
sed -i'' -e 's/#EnableScreenBlanking 0/EnableScreenBlanking 1/' /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg

#
# Enable or disable the automatic logout of the user from the system
# upon disconnection of the NoMachine session.
#
# 1: Enabled. NoMachine will execute the forcelogout.sh script. The
#    automatic logout can be effective only if the command set in
#    script is appropriate for the system.
#
# 0: Disabled. When disconnecting the NoMachine session, the user is
#    not automatically logged out of the system.
# 
#LogoutOnDisconnect 0
sed -i'' -e 's/#LogoutOnDisconnect 0/LogoutOnDisconnect 1/' /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg

#
#
# Delay the execution of the logout command when 'LogoutOnDisconnect'
# is enabled. By default timeout is set to 0, i.e. the forceLogout.sh
# script is executed immediately as soon as the user disconnects the
# session. Specify a delay in seconds, for example 600 to execute the
# logout after ten minutes.
#
#LogoutOnDisconnectTimeout 0
# 5 minute disconnect
sed -i'' -e 's/#LogoutOnDisconnectTimeout 0/LogoutOnDisconnectTimeout 300/' /Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg

###
# This is needed to allow 'first time users' to authenticate
###
#
# Specify a different path to the default, i.e. user's home, where
# the .nx directory has to be created to store session files. If it
# doesn't exist yet, node will try to create a sub-directory for
# each of the users starting a session there, named as username, and
# will create the .nx under that sub-directory. For example, if this
# key is set to /tmp/nxdir/, when user nxtest runs the first session,
# the node will try to create the /tmp/nxdir/nxtest/.nx directory.
# The directory specified in the UserNXDirectoryPath key needs to
# have proper ownership and permissions set to ensure that the node,
# running as the user, can access it. I.e. the directory should be
# writeable for all users or alternatively, the administrator should
# create a directory with proper ownership and permissions, named as
# username, for each of the users who need to start sessions there.
# 
#UserNXDirectoryPath ""
# Use '|' as the sed delimiter here: the replacement value contains '/' characters
sed -i'' -e 's|#UserNXDirectoryPath ""|UserNXDirectoryPath "/tmp/nxdir"|' /Applications/NoMachine.app/Contents/Frameworks/etc/node.cfg

/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver --startup --startmode automatic

# Set permissions on the licenses and other files
chmod 400 node.lic
chmod 400 server.lic
chown nx:wheel ./*

/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver --restart
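The sed substitutions above only take effect while each line still reads as the commented default, and nothing checks the result afterwards. As an added example (not part of the original post), here is an idempotent key setter for cfg files in that "#Key value" layout plus an audit of the values the post sets; the key names and values come from the post, the sample config is constructed.

```shell
# Added example (not from the original post): idempotent key setter plus an audit
# for NoMachine-style cfg files, where defaults appear as commented "#Key value" lines.
# nx_set_key <cfg> <key> <value>: rewrite "#Key ..." or "Key ..." as "Key value",
# or append the line if the key is absent. Re-running never duplicates lines.
nx_set_key() {
  local cfg="$1" key="$2" value="$3" tmp
  tmp=$(mktemp) || return 1
  if grep -Eq "^#?${key}([[:space:]]|$)" "$cfg"; then
    # '|' as the sed delimiter keeps values containing '/' (paths) intact.
    sed -E "s|^#?${key}([[:space:]].*)?$|${key} ${value}|" "$cfg" > "$tmp"
  else
    cat "$cfg" > "$tmp" && printf '%s %s\n' "$key" "$value" >> "$tmp"
  fi
  cat "$tmp" > "$cfg" && rm -f "$tmp"
}
# nx_get_key <cfg> <key>: print the active (uncommented) value, nothing if unset.
nx_get_key() {
  awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}
# nx_audit <cfg>: 0 when every hardening key from the post has its intended value.
nx_audit() {
  local cfg="$1" rc=0 key want got
  while read -r key want; do
    got=$(nx_get_key "$cfg" "$key")
    if [ "$got" != "$want" ]; then echo "MISMATCH $key: got '${got:-<unset>}' want '$want'"; rc=1; fi
  done <<'EOF'
ConnectionsLimit 1
AutomaticDisconnection 3
EnableNetworkBroadcast 0
EnableScreenBlanking 1
LogoutOnDisconnect 1
LogoutOnDisconnectTimeout 300
EOF
  return $rc
}
# Constructed sample (not a real server.cfg) mirroring its comment/default layout.
make_sample_cfg() {
  local f; f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
#ConnectionsLimit 20
EnableNetworkBroadcast 1
#LogoutOnDisconnect 0
#LogoutOnDisconnectTimeout 0
EOF
  echo "$f"
}
```

Running `nx_audit` as an EA after the configuration script gives a smart-group-friendly signal that a device has drifted from the intended settings.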