Posted on 06-24-2013 10:31 AM
I created a quickadd package that used an existing local admin account. After deploying with ARD, I know have access denied on all my machines in ARD.
It seems that I can run things on Casper Remote though.
What do I do?
Posted on 06-24-2013 12:07 PM
I use this script from the Resource Kit to allow ARD access to an account named macadmin.
#!/bin/sh
####################################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
# information or support for the Resource Kit, please utilize the following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# enableARD.sh -- Enable ARD and Configure Remote Management Settings
#
# SYNOPSIS
# sudo enableARD.sh
# sudo enableARD.sh <mountPoint> <computerName> <currentUsername> <targetUsername>
#
# If the $targetUsername parameter is specified (parameter 4), this is the account that will be
# granted access to ARD.
#
# If no parameter is specified for parameter 4, the hardcoded value in the script will be used.
#
# DESCRIPTION
# This script enables and configures remote management settings for a user. There are a number
# of options that the script is capable of configuring, which should be specified in the privs
# string. Please see the kickstart man page for more information.
#
# The following options are available in the kickstart application:
#
# -DeleteFiles
# -ControlObserve
# -TextMessages
# -ShowObserve
# -OpenQuitApps
# -GenerateReports
# -RestartShutDown
# -SendFiles
# -ChangeSettings
# -ObserveOnly
# -mask
#
# ARD access is granted and priviliges are assigned to an individual account on computers running
# Mac OS X 10.3 and later. It can be used with a hardcoded value in the script, or read in as a
# parameter. Since the Casper Suite defines the first three parameters as (1) Mount Point,
# (2) Computer Name and (3) username, we are using the forth parameter ($4) as the passable
# parameter. We do not use $3 since it may not match up to the username that we want to grant
# access for.
#
####################################################################################################
#
# HISTORY
#
# Version: 1.1
#
# - Created by Tedd Herman on August 5th, 2008
# - Modified by Nick Amundsen on August 5th, 2008
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################
# HARDCODED VALUE FOR "USERNAME" IS SET HERE
targetUsername="macadmin"
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "USERNAME"
if [ "$4" != "" ] && [ "$targetUsername" == "" ];then
targetUsername=$4
fi
# DEFINE WHICH PRIVILEGES WILL BE SET FOR THE SPECIFIED USER
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
if [ "$targetUsername" != "" ]; then
echo "Enabling Apple Remote Desktop Agent..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
echo "Setting Remote Management Privileges for User: $targetUsername ..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs $privs -users $targetUsername
else
echo "Error: The parameter 'targetUsername' is blank. Please specify a user."
fi
Posted on 06-24-2013 12:18 PM
I didn't see this in the installation instructions.
I created a quickadd and then used an existing local admin account. I pushed out the package and then lost all remote functions. I can't even log into the account locally. I am totally locked out.
Does quickadd change the password?
Posted on 06-24-2013 01:03 PM
Unless I'm mistaken the Quickadd should have used the credentials you built into it. DId you check the box to only allow SSH from that account?
Do you see the machines in your JSS Inventory? If so, you could add the script to a policy to reactivate ARD access for the admin user (this is how I use it).