"kickstart" command lines on fresh Monterey machines now give us black screens on connection.
Turning it off and back on in the GUI fixes the problem.
Trying to figure out how to use a Profile instead of command lines but ProfileCreator has no Sharing and it isn't a Privacy thing so PPPC Utility won't help.
Any detailed steps appreciated.
@mfcfadmin You can't just use kickstart as of macOS Monterey 12.1. See https://support.apple.com/en-us/HT209161 for the new mechanism. (This is kind of buried in paragraph 4 of https://support.apple.com/guide/remote-desktop/enable-remote-management-apd8b1c65bd/mac )
sdagley is correct, so I use Jamf API to send the EnableRemoteDesktop command to the mac
sdagley is correct, so I use Jamf API to send the EnableRemoteDesktop command to the mac
I only started having this problem this year with Monterey fresh installs.
I've looked at most of those pages already.
I need specifics.
I only started having this problem this year with Monterey fresh installs.
I've looked at most of those pages already.
I need specifics.
@mfcfadmin As described in the 1st link in my previous response - Enable Remote Management (you can use the API call that @junjishimazaki mentions or by clicking the Enable Remote Desktop button on the Management->Management Commands screen in the computer's Jamf Pro record) and deploy a Configuration Profile with a PPPC payload with the described settings to enable control.
You just started seeing this behavior because macOS Monterey 12.1 was when Apple made the change to require this.
@mfcfadmin As described in the 1st link in my previous response - Enable Remote Management (you can use the API call that @junjishimazaki mentions or by clicking the Enable Remote Desktop button on the Management->Management Commands screen in the computer's Jamf Pro record) and deploy a Configuration Profile with a PPPC payload with the described settings to enable control.
You just started seeing this behavior because macOS Monterey 12.1 was when Apple made the change to require this.
Sorry but I need specifics. I haven't use API calls before.
I've got over 700 machines ... I can't be manually clicking in every record.
I've looked at PPPC and it deals with Privacy settings not Sharing settings.
Sorry but I need specifics. I haven't use API calls before.
I've got over 700 machines ... I can't be manually clicking in every record.
I've looked at PPPC and it deals with Privacy settings not Sharing settings.
did you figure out a way to deploy this to all your machines? most of our machines now are on 12.1
Try this script:
#!/bin/bash
#Pass a Jamf admin that allows to send API commands to modify computers
jamf_User=$4
jamf_Pass=$5
jss_Url=$6
KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# Get Mac serial number
mac_serial=`system_profiler SPHardwareDataType | awk '/Serial/ {print $4}'`
echo "Mac serial: $mac_serial"
# Get ID of the Mac from Jamf
JAMF_ID=$(curl -sku "${jamf_User}:${jamf_Pass}" "${jss_Url}/JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' -)
echo "Jamf ID: $JAMF_ID"
/usr/bin/curl -su "${jamf_User}:${jamf_Pass}" "${jss_Url}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST
## Enable ARD options using the kickstart command
$KICK_START_BINARY -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers
exit 0
I was already doing kickstart as part of the enrollment script, it's no longer an option
By adding the API call to enable remote management and then sending the kickstart. This worked for me.
By adding the API call to enable remote management and then sending the kickstart. This worked for me.
Having a clear text password is such a bad option.
There is only 1 way I know of to access Jamf via curl and that's to pass username/password. So, it's up to you if you want to use it.
PPPC payload would be preferable but I don't see how to accomplish that.
Couldn't see anything in Profile Creator either.
Having a clear text password is such a bad option.
@mfcfadmin Your options for enabling Remote Management on 12.1 require either the API or manually clicking the Enable Remote Desktop button for each computer in your JSS console. You can always, and really should, re-write @junjishimazaki 's script to avoid sending the password in clear text (there are multiple examples of techniques to do that posted here on Jamf Nation). Note that there's nothing that says the endpoints themselves need to run that script, you could modify it to use a list of serial numbers and run it from your own Mac (Jamf definitely discourages calling the API from arbitrary endpoints)
The client and server already have an established trust due to enrolment.
Truly bizarre that that can't be leveraged.
So if this works
by clicking the Enable Remote Desktop button on the Management->Management Commands screen in the computer's Jamf Pro record
that means it can be enabled from the server side. It would be nice if the server could be told the default behaviour for new clients just like I can tell it not to display the Siri dialog during the Setup Assistant.
If there isn't any mechanism, it should be possible to run database commands to get the list of clients without and turn it on for those.
If this could be explained step by step
deploy a Configuration Profile with a PPPC payload with the described settings to enable control.
I had a machine that I upgraded to 11.6.3 that was giving me the black screen and using the button in the computer's Jamf Pro record didn't seem to help so I did an ssh to the machine,
tccutil reset ScreenCapture
followed by reboot worked
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.