We are having some issues remote screen sharing into unattended labs of iMacs running 10.8.2. The machines will generally be sitting at the login window. When we connect to them with Casper Remote, we see the login window. We authenticate as the local admin (which is also the casper administrator account) but rather than logging in, it prompts us to either share the screen (with no user at the other end to approve) or log in as the casper screen share user - neither of which are successful. Requesting permission times out as there is no-one in the lab to click "approve" and the screen share user times out as well. The casper user accounts we are using have all options selected which I thought would grant the necessary permissions and the remote login option has access for all admins enabled. Is there something I am missing here or does anyone have any suggestions?
Does the user logging into Casper Remote have the permission set for "Screen Share with Remote Computers Without Asking" checked in the JSS? (Edit: I see you say all options are checked on second read. I still wonder if you have group memberships that may not have that checked?)
That is one that I never check because I don't want anyone in our office to be able to screen share without explicit approval from users.
This is a limitation of Apples own Remote Desktop software that JAMF utilizes. You are currently unable to remotely control an unattended box without someone being at the helm to authenticate or approve, for newer versions of OS X. It SUCKS, and I was going to do a feature request so they have a method that does allow you to do so in ANY version of OS X. It is terrible as a lab administrator to not be able to remotely check boxes.
We have found that in both 10.7 and 10.8, having only Remote Login enabled is not enough to allow us to screenshare machines that are logged in and not prompt the user. We can get around this by enabling Remote Management, and checking the two top options for Observe and Control. Once this is set, we can now screenshare machines that are logged in and it will no longer prompt the user. Hopefully this information will help in your environments.
So whether ARD is enabled (with or without ACL)...Casper Remote is unable to even initiate Screen Sharing on a 10.7/10/8 Mac that is at the login window.
We definitely WANT users to be prompted, but we also need to connect if nobody is on the Mac, and if nobody is there but someone is logged in we need to connect under another account.
Yeah, this has been a problem for as long as JAMF's been using Apple's built in Screen Sharing protocol. In most environments where its required to request for screen sharing permission if any user is logged in, it means you can't control an unattended Mac even when sitting at the login screen, despite the JSS permissions on the account. As soon as you log in you lose the connection and the logged in account gets a prompt to authorize the screen sharing session, but obviously no-one's there, so you're left holding the bag. Totally useless as far as I'm concerned.
We don't even bother attempting to control unattended Macs. The client must be there or we wait for them to be present.
Though it's an old post, I though someone like me might bump in it and this info could be useful.
As a workaround, I use two accounts. One having full privilege to JSS and the other one having custom privilege where "Screen Share with Remote Computers Without Asking" is disabled.
While remote controlling an un-attended Computer, I simply use my full privileged account in Casper Remote.
It comes with some pain like, I don't have my credentials saved in keychain for Casper Remote so that I get prompted. Need to quit Casper remote to switch between account. And not suitable for AD groups.
But it is essential for us admins here because we have both attended and un-attended machines and our users doesn't like anyone logging in their computer without being prompted. Hope it helps.