I've done some work with this again. El Cap made the email function fail, and rather than find a way to rebuild that, I decided to scrap it for a more TeamViewer-esque experience.
On the JSS side, the "Help Desk Helper" policy installs three files:
remotetemp.plist is a standard user. The end user gets to choose during the session whether or not to elevate its privileges, and it gets torn down after the session ends. Very much like TeamViewer... you cannot admin without the user's cooperation. The id_rsa is necessary for the port forwarding, and the graphic is for use with jamfhelper. (the code below assumes you already have a 'corplogo.png in the same place, as we do)
Here is the script as it currently runs after the package installation:
#!/bin/bash
######################################
# Script generates random number to use as password and seed
# unused forward ports in the unregistered range for RemoteARD.app
######################################
# Variables
declare -i passport
go_between= # Set this variable to the URL of the host that acts as the relay
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
jhelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfhelper"
######################################
# Functions
######################################
# Set a trap to clean up after the fact
cleanup() {
# The /tmp/hdh and the remotetemp user were both packaged and installed prior to this script running
# as part of the overall policy. The script also generates a pp file under /tmp with the passport number
rm -Rf /tmp/hdh
rm /tmp/pp
rm "/private/var/db/dslocal/nodes/Default/users/remotetemp.plist"
mv /Library/Preferences/com.apple.RemoteManagement.plist_bak /Library/Preferences/com.apple.RemoteManagement.plist
if [[ $ard_was_off == True ]]; then
rm "/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd"
fi
ssh_portf=($(ps -ax | grep [s]sh
| grep portf
| awk '{print $1}'))
for ssh_proc in "$ssh_portf"; do
kill $ssh_proc
done
}
######################################
# Generates potential integer for use both as password and seeding forwarding ports
seed_port() {
passPort=`jot -r 1 10000 14409`
vport=$((5900 + $passPort))
sport=$((22 + $passPort))
}
######################################
# Given a port number, returns "" if available, "False" if not
isportavail() {
local portsiu=$(netstat -nat
| egrep 'udp|tcp'
| awk '{print $4}'
| egrep -o 'w+$'
| sort -n | uniq)
local isitinuse=$(echo "$portsiu"
| egrep -o "$1" 2> /dev/null)
if [ -z "$isitinuse" ]; then
echo ""
else
echo "False"
fi
}
######################################
# Keep generating seeds until a range of unused ports are found
gen_ports() {
seed_port
until [ -z "$(isportavail "$vport")" ] && [ -z "$(isportavail "$sport")" ]
do
seed_port
done
echo "$passPort" > /tmp/pp
}
######################################
# Turn on services
turn_on_svcs() {
/usr/sbin/systemsetup -setremotelogin on & > /dev/null 2>&1
if [[ ! $(/usr/bin/dscl . list /Groups | grep com.apple.access_ssh-disabled) ]]; then
if [[ ! $(/usr/bin/dscl . read /Groups/com.apple.access_ssh | grep remotetemp) ]]; then
/usr/bin/dscl . -append /Groups/com.apple.access_ssh GroupMembership remotetemp
fi
fi
# Test ARDs existing state before mucking about, so we can set things back later.
if [ ! $(cat "/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd" 2> /dev/null) ]; then
ard_was_off=True
printf "enabled" > "/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd"
fi
mv /Library/Preferences/com.apple.RemoteManagement.plist /Library/Preferences/com.apple.RemoteManagement.plist_bak
$kickstart -configure -allowAccessFor -allUsers -privs -all -restart -agent -menu
$kickstart -restart -agent
}
######################################
# Set up tunnel to go-between server
ssh_go_between_client_end() {
/usr/bin/ssh -NTCf -i /private/tmp/hdh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
-o ConnectTimeout=6 -R $vport:localhost:5900 -R $sport:localhost:22 portf@$go_between & > /dev/null 2>&1
disown
sleep 3
}
######################################
# Messaging to employee - Pop up window with connection specifics
passport_prompt() {
desc="Read the following number to the person helping you:"
"$jhelper" -windowType utility -windowPosition lr -title "Temp Remote Access Pass"
-description "$desc" -button1 "${passPort}" -alignDescription center
-icon "/Library/Application Support/JAMF/bin/LNEIT.png" -iconSize 80
}
######################################
# Messaging to employee - Pop up window with option to end session
permission_prompt() {
desc="Click 'End' to turn off remote access"
"$jhelper" -windowType hud -windowPosition lr -title "HDH Controller: ${passPort}"
-description "$desc" -button1 "End" -alignDescription center
-icon "/Library/Application Support/JAMF/bin/hardatwork.png" -iconSize 80
}
######################################
# Logic starts here
######################################
trap cleanup INT EXIT
gen_ports
turn_on_svcs
ssh_go_between_client_end
passport_prompt
permission_prompt
exit 0The end user sees:
The second window appears after the first one is dismissed, and suspends the policy, keeping the ssh reverse tunnel open and giving the end user the ability to terminate the session at will.
On the admin's side, my code no longer involves a GUI app explicitly for the purposes of managing remote connections. Instead, it is a routine in a larger app that I am using for aggregating information about the person and the person's computer with whom/which I'm interacting. The ability to negotiate a remote connection using the passport variable is one of many options offered on the menu of the admin app:
Contact Info:
Real Name: Apple Test
Job Title: QA Instance
Phone Number: 415.555.1212
Email Address: Apple.Test@mycompany.com
City [ST] Country: San Francisco CA US
JSS Info:
Computer Name: LNM_Loaner_2
Last Check-in: 1d:22h:12m:22s ago
Computer Model: 13-inch_MacBook_Pro_(2011)
OS Version: 10.10.4
IP Address: 10.90.4.84
AD Status: Not_Bound
HD Percent Full: 40
FV Status: Encrypted
AD Stats:
Account expires: Never
Password expires: in 76 days
Lockout status: locked out
e] email user u] unlock account
c] call user p] password reset
g] show groups j] open computers in JSS
r] remote into host t] ticket creation
d] data refresh n] new user
q] quit
How may I be of service:Although I'm not yet prepared to post the full application (will post to bitbucket as soon as I'm satisfied with it) Here is the routine that it runs when someone either types r in the interactive menu, or simply calls the program with hdh -r [passport number]:
hdh_remote() {
local unqName="$(date +%s)"
local vport=$((5900 + $1))
local sport=$((22 + $1))
local go_between= # URL to host acting as the relay
mkdir -p /tmp/hdh
/usr/bin/ssh -qNTCf -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
-L $vport:localhost:$vport -L $sport:localhost:$sport portf@$go_between
-i "/Library/Application Support/JAMF/bin/hdh_rsa" & > /dev/null 2>&1
disown
sleep 3
open vnc://remotetemp@127.0.0.1:$vport
echo "ssh remotetemp@localhost -p ${sport} -o StrictHostKeyChecking=no"
> /tmp/hdh/rsadmin_$unqName.command
chmod +x /tmp/hdh/rsadmin_$unqName.command & > /dev/null 2>&1
open /tmp/hdh/rsadmin_$unqName.command & > /dev/null 2>&1
}NOTE: the $go_between variable in the above routine was set in the parent script. You'll want to define that variable on your own. The id_rsa referenced in the routine is the same file as is installed on the client machine. For admins running the hdh program, I've just installed it under /Library/Application Support/JAMF/bin
EDIT: On Southwest in-flight wifi right now and it helped me take care of some inconsistency. This script was occasionally erroring and on a hunch i added -o ConnectTimeout=6 to the ssh command on my end ( I should add it on the client end too ) to keep the initial port forward from timing out before a successful connection on low bandwidth networks. Seemed to help reliability a great deal.
