Firstly, don't worry about the radio button as it's a graphical bug which I see as well, depending on which version of macOS i'm looking at. Doesn't effect the end result.
Are you deploying a privacy preference for the screen sharing service? as kickstart alone won't do anymore.
Finally, take a look at this rather long thread which I guarantee will cover everything you will need to get this working. Even just comparing against all our scripts may give you an idea in the right direction.
Good luck!
https://community.jamf.com/t5/jamf-pro/ard-screen-sharing-issue-m1-macs-and-monterey/m-p/258010
Oh no, nothing to do with the filevault / firewall comments, more profile / settings / script towards the end. It's hard to comment when I'm not looking at how you have pieced it together and am just guessing but resetting your privacy preferences should not have any effect.
At first glance, that error you saw was appearing for people that had not enabled remote control via MDM / API after apple made the system changes in macOS 12.1. Have you test your workflow by manually enabling remote desktop using the button in Jamf for that device instead of api?
I would also see if a device profile assigned with the following restrictions payload helps. I run but haven't gone back to see if removing makes a difference.
If using Kickstart to specify a user and privs, are you doing this on seperate lines as apple's docs show;
https://support.apple.com/en-au/HT201710
Also for testing, you can delete all settings which may help if you are deploying a range of settings on machines. My kickstart function in my script looks like;
localUserName="$5"
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"
SetAppleRemoteDesktopViaKickstart () {
# https://support.apple.com/en-au/HT201710
# $kickstart -targetdisk / -verbose -uninstall -settings -prefs
/usr/bin/defaults write /Library/Preferences/com.apple.RemoteManagement allowInsecureDH -bool TRUE
$kickstart -targetdisk / -configure -allowAccessFor -specifiedUsers -privs -all
$kickstart -targetdisk / -configure -access -on -users $localUserName -privs $privs -clientopts -setmenuextra -menuextra no -setwbem -wbem yes
$kickstart -targetdisk / -activate -restart -agent -console -menu
}
Resetting privacy preferences should not have any effect, but it does:
I manually activate the remote management through the management tab of the computer informations in Jamf or I activate it with the script below. When I control the computer and do a tccutil reset All, the connection is lost: the screen of the remote management is fix, I can't see the mouse moving inside the window. If I quit ARD and start it back, when I want to control the computer, the connection window still shows that it's connecting, but nothing happens. And once I reboot the computer, the severUnableToReadScreenMessage error dialog box appears. If I run the script (I have it in Self service for this in my test lab) or activate it with the button in the management tab, it then works again until I do another tccutil reset All. Believe me, it happens every time with Monterey and Ventura.
For the configuration profile, I have it, except that I didn't checked the third box. Do I have to check it ?
And here is the script that I found somewhere on the net.
#!/bin/bash
jamf_User="myuser"
jamf_Pass="mypassword"
# Get the Jamf instance URL from the computer
jss_Url=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )
#Kick start command
KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
echo "Enabling ARD..."
# generate base64 ecnrypted password
encoded_creds=$(printf "$jamf_User:$jamf_Pass" | iconv -t ISO-8859-1 | base64 -i -)
# generate an auth token. tr truncates and removes all line feeds
authToken=$( /usr/bin/curl -s "${jss_Url}api/v1/auth/token" -H "authorization: Basic ${encoded_creds}" -X POST | tr -d "\n" )
# parse token, remove expiration date
token=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$authToken\`).token" )
# Get Mac serial number
mac_serial=`system_profiler SPHardwareDataType | awk '/Serial/ {print $4}'`
echo "Mac serial: $mac_serial"
# Get ID of the Mac from Jamf
JAMF_ID=$(curl --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' -)
#echo "Jamf ID: $JAMF_ID"
#Send MDM command to enable remote desktop for this mac
/usr/bin/curl --header "Authorization: Bearer $token" "${jss_Url}JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST
## Enable ARD options using the kickstart command
$KICK_START_BINARY -activate -configure -allowAccessFor -specifiedUsers
$KICK_START_BINARY -configure -users myadminuser -access -on -privs -all -restart -agent -menu
# expire the auth token
/usr/bin/curl "${jss_Url}uapi/auth/invalidateToken" --silent --request POST --header "Authorization: Bearer $token"
exit 0I just noticed that you run 3 commands for the kickstart. I'll change that later today.
Maybe should I remove all remote management configs then set them back ? But as it happens in out-of-the-box macs, I'm not sure that it's the problem. For the radio button, I'll check that when it will happen again and see if it's just a bug like you said. I may try to activate the remote management with the API call after the kickstart commands. Anyway, this script works fine most of the time.
A last question: what is that option "allowInsecureDH in the Library/Preferences/com.apple.RemoteManagement ? And what does that defaults write command ? It's already at 1 (true)
