Posted on 11-18-2009 11:08 AM
I followed the directions at
http://www.jamfsoftware.com/kb/article.php?id=059 to create a hidden admin
account for use with the JSS. It worked great, but I also want to be able
to set that account as the only account with access to Remote Login and
Remote Management in the Sharing preference pane. The Remote Login service
can see the hidden account, but the Remote Management service cannot. It
only shows the (non-hidden) local accounts on the machine.
Is there any way around this? Can I script it in Terminal?
Tatian
Posted on 11-18-2009 11:11 AM
I've done that in the past and I think you need to set it up in system
preferences before you hide the account. I can't confirm that right now
though.
Cody Smedsrud
Educational Technology Associate
Success Charter Network
34 West 118th Street, Second Floor
New York, NY 10026
646-747-2370 (office)
646-842-0981 (mobile)
212-457-5659 (fax)
cody.smedsrud at successcharters.org
Posted on 11-18-2009 11:19 AM
You can configure it from the Terminal using the kickstart command:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users arduser,admin -privs -all -restart -agent -menu
That will set the users arduser and admin to have all access to Remote
Management.
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Posted on 11-18-2009 11:20 AM
Oh, and you do not need to set this before making the user hidden. I use
the following in a post image script:
# create the local account record in the local directory node
dscl . create /users/arduser
dscl . create /users/arduser name arduser
dscl . create /users/arduser passwd "*"
# a UID below 500 keeps the account out of the login window's user list
dscl . create /users/arduser uid 499
dscl . create /users/arduser gid 499
dscl . create /users/arduser home /var
dscl . create /users/arduser shell /bin/bash
# make the account an administrator
dscl . merge /groups/admin users arduser
# now set the passwd for the arduser user
dscl . -passwd /Users/arduser password
# now add arduser to the sudoers file
# (appending directly to /etc/sudoers skips visudo's syntax check)
echo "arduser ALL=(ALL) ALL" >> /etc/sudoers
# now hide the arduser user from the loginwindow process
# back up the loginwindow preferences first
mkdir /var/temp/
cp /Library/Preferences/com.apple.loginwindow.plist /var/temp/com.apple.loginwindow.bak
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add arduser
# now Activate Remote Desktop Sharing, enable access privileges for the
# user "arduser", grant full privileges for the user "arduser", restart
# the ARD Agent and Menu extra:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users arduser,admin -privs -all -restart -agent -menu
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
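Steve's script appends the sudo rule straight to /etc/sudoers. The following is an added example, not Steve's code and not from this thread, that writes the same grant as a drop-in fragment instead: a bad line then cannot corrupt the main sudoers file, the fragment gets the 0440 mode sudo insists on, and visudo can check it before sudo ever reads it. It assumes the machine's sudoers file enables the drop-in directory (the `#includedir /etc/sudoers.d` line that current macOS and most Linux sudoers files carry); the function name, the account-name check and the optional DIR parameter are mine.

```shell
#!/bin/sh
# Added example (not from the thread): write a sudo grant as a drop-in
# fragment rather than appending to /etc/sudoers.
# Assumption: the main sudoers file has "#includedir /etc/sudoers.d".

# write_sudoers_dropin USER [DIR]
# Creates DIR/USER containing "USER ALL=(ALL) ALL" with mode 0440 and
# prints the path on success. DIR defaults to /etc/sudoers.d; passing a
# scratch directory lets the function be exercised without root.
write_sudoers_dropin() {
  user=$1
  dir=${2:-/etc/sudoers.d}
  # Only plain lowercase POSIX account names are accepted, so a stray or
  # malformed value can never turn into a syntactically odd rule.
  case "$user" in
    ''|*[!a-z0-9_-]*|-*)
      echo "refusing invalid account name: '$user'" >&2
      return 1 ;;
  esac
  mkdir -p "$dir" || return 1
  f="$dir/$user"
  # umask in a subshell so the file is never readable by others, even briefly
  (umask 0337; printf '%s ALL=(ALL) ALL\n' "$user" > "$f") || return 1
  chmod 0440 "$f" || return 1
  # Validate the fragment when running as root and visudo is present; a
  # syntax error in a sudoers fragment can lock every admin out of sudo.
  # (visudo -c also checks file ownership, so it is skipped for non-root
  # scratch runs where the owner is not uid 0.)
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    if ! visudo -cf "$f" >/dev/null; then
      rm -f "$f"
      echo "fragment failed visudo check, removed" >&2
      return 1
    fi
  fi
  printf '%s\n' "$f"
}

# Only touch the real /etc/sudoers.d when invoked as: sh this.sh --apply
if [ "${1:-}" = "--apply" ]; then
  write_sudoers_dropin arduser
fi
```

Run it with `--apply` as root to create /etc/sudoers.d/arduser; without arguments it only defines the function. Keeping the grant in its own file also makes it trivial to revoke later (delete the fragment) and to audit (one file per account).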
Posted on 11-18-2009 11:33 AM
I do compiled configurations and post-image shell scripts for this
stuff; here is the snippet from my script that does this:
#!/bin/bash
########################################
# This is a post image script for student laptops
# This script will do post configurations
#
# This is for the 2009-10 school year
# Kansas City, KS Public schools
#
# By
#
# Thomas Larkin
# http://tlarkin.com
#
#########################################
# set all variables here, these are hardcoded for the rest of the script
# will use echo for logging and debugging
#
# WARNING!!!!! THIS SCRIPT REQUIRES THE JAMF BINARY
#
# Local admin accounts
# only edit the variables of this script for future usage
admin1_long="Hidden Administrator"
admin1_short="hadmin"
admin1_passwd="mypassword"
/usr/sbin/jamf createAccount -username "$admin1_short" -realname "$admin1_long" -password "$admin1_passwd" -home "/private/var/$admin1_short" -shell "/bin/bash" -hiddenUser -admin
# info for local admin account 2
admin2_long="ARD Viewer"
admin2_short="ardview"
admin2_passwd="mypassword2"
/usr/sbin/jamf createAccount -username "$admin2_short" -realname "$admin2_long" -password "$admin2_passwd" -home "/private/var/$admin2_short" -shell "/bin/bash" -hiddenUser -admin
# now enable root, set the password below inside the quotes
root_passwd="mypassword3"
/usr/sbin/dsenableroot -u "$admin1_short" -p "$admin1_passwd" -r "$root_passwd"
/bin/echo "done creating local accounts"
#
# Now we will move any applications we don't want users to have access to from
# the applications folder to /Applications/Utilities and have MCX disallow apps to
# run from /Applications/Utilities on managed user accounts
#
# put full app paths in here, spaces are allowed if you stay inside the quotes
app_list=( "/Applications/AppleScript/"
"/Applications/Microsoft AutoUpdate.app"
"/Applications/Automator.app"
"/Applications/Time Machine.app" )
# now move those apps (paths are quoted so names with spaces stay whole)
for file in "${app_list[@]}" ; do
  if [[ -e "$file" ]]; then
    /bin/mv "$file" /Applications/Utilities/
  else
    /bin/echo "$file already moved"
  fi
done
/bin/echo "done moving apps"
#
# Now set some network preferences
#
# require admin rights for ad_hoc creation
/usr/libexec/airportd en1 -ibss_admin 1
/bin/echo "adhoc networks require admin set"
# ensure that airport and ethernet are set to DHCP & set IPv6 off
/usr/sbin/networksetup -setv6off Ethernet
/usr/sbin/networksetup -setv6off Airport
/usr/sbin/networksetup -setdhcp Ethernet on
/usr/sbin/networksetup -setdhcp Airport on
# enable remote log in, ssh
/usr/sbin/systemsetup -setremotelogin on
# enforce clear text passwords in AFP
/usr/bin/defaults write com.apple.AppleShareClient "afp_cleartext_allow" 1
# now install the wifi network
/usr/sbin/jamf policy -trigger addwireless
/bin/echo "network configuration complete"
#
# ensure remote desktop is enabled for our local admin accounts
#
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
# now set access to remote desktop, refer to admin 1 and admin 2 from above
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users "$admin1_short,$admin2_short" -access -on -privs -all
/bin/echo "ARD client configured"
The script is in the red text. It is not the whole script, just
the part that creates the accounts and configures Remote Management.
Posted on 11-18-2009 11:56 AM
Ugh, let me try that again... There was a formatting issue since I used
the @ symbol in the script, so I'm sending this in plain text this time.
#!/bin/bash
########################################
# This is a post image script for student laptops
# This script will do post configurations
#
# This is for the 2009-10 school year
# Kansas City, KS Public schools
#
# By
#
# Thomas Larkin
# http://tlarkin.com
#
#########################################
# set all variables here, these are hardcoded for the rest of the script
# will use echo for logging and debugging
#
# WARNING!!!!! THIS SCRIPT REQUIRES THE JAMF BINARY
#
# Local admin accounts
# only edit the variables of this script for future usage
admin1_long="Hidden Administrator"
admin1_short="hadmin"
admin1_passwd="mypassword"
/usr/sbin/jamf createAccount -username "$admin1_short" -realname "$admin1_long" -password "$admin1_passwd" -home "/private/var/$admin1_short" -shell "/bin/bash" -hiddenUser -admin
# info for local admin account 2
admin2_long="ARD Viewer"
admin2_short="ardview"
admin2_passwd="mypassword2"
/usr/sbin/jamf createAccount -username "$admin2_short" -realname "$admin2_long" -password "$admin2_passwd" -home "/private/var/$admin2_short" -shell "/bin/bash" -hiddenUser -admin
# now enable root, set the password below inside the quotes
root_passwd="mypassword3"
/usr/sbin/dsenableroot -u "$admin1_short" -p "$admin1_passwd" -r "$root_passwd"
/bin/echo "done creating local accounts"
#
# Now we will move any applications we don't want users to have access to from
# the applications folder to /Applications/Utilities and have MCX disallow apps to
# run from /Applications/Utilities on managed user accounts
#
# put full app paths in here, spaces are allowed if you stay inside the quotes
app_list=( "/Applications/AppleScript/"
"/Applications/Microsoft AutoUpdate.app"
"/Applications/Automator.app"
"/Applications/Time Machine.app" )
# now move those apps (paths are quoted so names with spaces stay whole)
for file in "${app_list[@]}" ; do
  if [[ -e "$file" ]]; then
    /bin/mv "$file" /Applications/Utilities/
  else
    /bin/echo "$file already moved"
  fi
done
/bin/echo "done moving apps"
#
# Now set some network preferences
#
# require admin rights for ad_hoc creation
/usr/libexec/airportd en1 -ibss_admin 1
/bin/echo "adhoc networks require admin set"
# ensure that airport and ethernet are set to DHCP & set IPv6 off
/usr/sbin/networksetup -setv6off Ethernet
/usr/sbin/networksetup -setv6off Airport
/usr/sbin/networksetup -setdhcp Ethernet on
/usr/sbin/networksetup -setdhcp Airport on
# enable remote log in, ssh
/usr/sbin/systemsetup -setremotelogin on
# enforce clear text passwords in AFP
/usr/bin/defaults write com.apple.AppleShareClient "afp_cleartext_allow" 1
# now install the wifi network
/usr/sbin/jamf policy -trigger addwireless
/bin/echo "network configuration complete"
#
# ensure remote desktop is enabled for our local admin accounts
#
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
# now set access to remote desktop, refer to admin 1 and admin 2 from above
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users "$admin1_short,$admin2_short" -access -on -privs -all
/bin/echo "ARD client configured"
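The "move unwanted apps" loop in Thomas's script is the part most likely to misbehave in a post-image run, because two of the listed paths ("Microsoft AutoUpdate.app", "Time Machine.app") contain spaces and an unquoted `$file` splits them into fragments that never match anything. The following is an added example, not Thomas's code and not from this thread, that does the same job with paths read one per line, quoted throughout, with a dry-run switch and a count that a post-image log can check. The function name, the stdin-driven interface and the `--apply` guard are mine; the app list is Thomas's.

```shell
#!/bin/sh
# Added example (not from the thread): move a list of application bundles
# out of /Applications in a space-safe way, with an optional dry run.

# move_apps DEST [DRY_RUN]
# Reads one absolute path per line on stdin. Each path that exists is
# moved into DEST (or merely reported when DRY_RUN=1); missing paths are
# counted as skipped. Prints "moved N skipped M" and returns 0, or
# returns 1 if a move fails.
move_apps() {
  dest=$1
  dry=${2:-0}
  moved=0
  skipped=0
  mkdir -p "$dest" || return 1
  # IFS= and -r keep leading/trailing blanks and backslashes in the path
  while IFS= read -r app; do
    [ -n "$app" ] || continue
    # Strip a trailing slash so mv moves the directory, not its contents.
    app=${app%/}
    if [ -e "$app" ]; then
      if [ "$dry" -eq 1 ]; then
        printf 'would move %s -> %s\n' "$app" "$dest" >&2
      else
        mv "$app" "$dest/" || return 1
      fi
      moved=$((moved + 1))
    else
      printf '%s not present, nothing to move\n' "$app" >&2
      skipped=$((skipped + 1))
    fi
  done
  printf 'moved %d skipped %d\n' "$moved" "$skipped"
}

# Only touch the real /Applications when invoked as: sh this.sh --apply
# (add a second argument of 1 after the destination for a dry run).
if [ "${1:-}" = "--apply" ]; then
  move_apps /Applications/Utilities <<'EOF'
/Applications/AppleScript/
/Applications/Microsoft AutoUpdate.app
/Applications/Automator.app
/Applications/Time Machine.app
EOF
fi
```

Feeding the list on stdin rather than through an array keeps the function POSIX sh rather than bash-only, which matters for a post-image script that may run under `/bin/sh`; the heredoc is quoted (`<<'EOF'`) so nothing in the paths is expanded.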
06-27-2022 08:17 AM - edited 06-27-2022 08:21 AM
Hi All, In the past this has worked fine for me (Catalina and older; we skipped Big Sur), but now in Monterey it doesn't seem to work anymore with a hidden account. I tested the same command with a non-hidden account and it works. I was just on the phone with Apple support but they hung up on me after putting me on hold for like 20 minutes, hopefully they call back lol
These are the two lines I use:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart -agent
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu
and I also send out the MDM command before or after those; it doesn't seem to make a difference, except that if I don't send the MDM command I can't control or observe, and after the MDM command I can control and observe but have no advanced functions.
Has anybody else seen this issue?