Screen Sharing and Remote Management in a Profile

mfcfadmin
Contributor II

"kickstart" command lines on fresh Monterey machines now give us black screens on connection.

Turning it off and back on in the GUI fixes the problem.

Trying to figure out how to use a Profile instead of command lines but ProfileCreator has no Sharing and it isn't a Privacy thing so PPPC Utility won't help.

Any detailed steps appreciated.

17 REPLIES

sdagley
Honored Contributor III

@mfcfadmin You can't just use kickstart as of macOS Monterey 12.1. See https://support.apple.com/en-us/HT209161 for the new mechanism. (This is kind of buried in paragraph 4 of https://support.apple.com/guide/remote-desktop/enable-remote-management-apd8b1c65bd/mac )

junjishimazaki
Valued Contributor

sdagley is correct, so I use Jamf API to send the EnableRemoteDesktop command to the mac

I only started having this problem this year with Monterey fresh installs.

I've looked at most of those pages already.

I need specifics.

sdagley
Honored Contributor III

@mfcfadmin As described in the 1st link in my previous response - Enable Remote Management (you can use the API call that @junjishimazaki mentions or by clicking the Enable Remote Desktop button on the Management->Management Commands screen in the computer's Jamf Pro record) and deploy a Configuration Profile with a PPPC payload with the described settings to enable control.

You just started seeing this behavior because macOS Monterey 12.1 was when Apple made the change to require this.

Sorry, but I need specifics. I haven't used API calls before.

I've got over 700 machines ... I can't be manually clicking in every record.

I've looked at PPPC and it deals with Privacy settings not Sharing settings.

Did you figure out a way to deploy this to all your machines? Most of our machines are now on 12.1.

junjishimazaki
Valued Contributor

Try this script:

#!/bin/bash
# Jamf policy script: parameters 4-6 carry a Jamf account that may send API commands
# to modify computers, its password, and the JSS URL.
# NOTE: the password reaches the endpoint in clear text (see the replies below).
jamf_User="$4"
jamf_Pass="$5"
jss_Url="${6%/}"   # drop a trailing slash so the URLs below are well formed

KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Get Mac serial number
mac_serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "Mac serial: $mac_serial"

# Get ID of the Mac from Jamf. The Classic API answers in XML; -k disables TLS
# certificate verification and should be removed once the JSS has a trusted certificate.
JAMF_ID=$(curl -sku "${jamf_User}:${jamf_Pass}" -H "Accept: application/xml" \
  "${jss_Url}/JSSResource/computers/serialnumber/${mac_serial}" \
  | xmllint --xpath '/computer/general/id/text()' - 2>/dev/null)
echo "Jamf ID: $JAMF_ID"

# Don't POST a command to an empty ID if the lookup failed
if [[ -z "$JAMF_ID" ]]; then
  echo "Could not find this Mac in Jamf; not sending EnableRemoteDesktop"
  exit 1
fi

# Send the MDM command that enables Remote Management (required as of 12.1)
/usr/bin/curl -su "${jamf_User}:${jamf_Pass}" \
  "${jss_Url}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST

## Enable ARD options using the kickstart command
"$KICK_START_BINARY" -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers

exit 0

mfcfadmin
Contributor II

I was already doing kickstart as part of the enrollment script; it's no longer an option.

junjishimazaki
Valued Contributor

By adding the API call to enable remote management and then sending the kickstart. This worked for me.

Having a clear text password is such a bad option.

sdagley
Honored Contributor III

@mfcfadmin Your options for enabling Remote Management on 12.1 require either the API or manually clicking the Enable Remote Desktop button for each computer in your JSS console. You can always, and really should, re-write @junjishimazaki's script to avoid sending the password in clear text (there are multiple examples of techniques to do that posted here on Jamf Nation). Note that there's nothing that says the endpoints themselves need to run that script; you could modify it to use a list of serial numbers and run it from your own Mac (Jamf definitely discourages calling the API from arbitrary endpoints).
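The approach suggested above, as an added example that is not code from this thread or from Jamf: a script run from an admin Mac that reads serial numbers from a file, prompts for the API account's password instead of embedding it, exchanges it for a short-lived bearer token, sends EnableRemoteDesktop to each computer, and invalidates the token when done. It assumes the Jamf Pro bearer-token endpoints (POST /api/v1/auth/token and /api/v1/auth/invalidate-token), a Jamf Pro version whose Classic API accepts "Authorization: Bearer" headers, and the Classic API paths already used in the thread's script; the serial file name and `jss.example.com` URL are placeholders.

```python
#!/usr/bin/env python3
"""Enable Remote Management on a list of Macs from an admin workstation.

Added example, not from the thread. Assumes Jamf Pro's bearer-token endpoint
(POST /api/v1/auth/token) and a Jamf Pro version whose Classic API accepts
bearer tokens; the Classic API paths match the script posted earlier.
Usage: enable_rm.py https://jss.example.com api_user serials.txt
"""
import base64
import getpass
import json
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def parse_token(body: str) -> str:
    """Return the bearer token from the /api/v1/auth/token JSON response."""
    return json.loads(body)["token"]


def parse_computer_id(xml_body: str) -> str:
    """Return /computer/general/id from a Classic API computer record, '' if absent."""
    root = ET.fromstring(xml_body)
    node = root.find("./general/id")
    return node.text.strip() if node is not None and node.text else ""


def computer_lookup_url(jss_url: str, serial: str) -> str:
    """Classic API lookup of a computer by serial number."""
    return f"{jss_url.rstrip('/')}/JSSResource/computers/serialnumber/{urllib.parse.quote(serial)}"


def enable_command_url(jss_url: str, computer_id: str) -> str:
    """Classic API endpoint that queues the EnableRemoteDesktop MDM command."""
    return f"{jss_url.rstrip('/')}/JSSResource/computercommands/command/EnableRemoteDesktop/id/{computer_id}"


def _request(url: str, method: str = "GET", headers=None, data=None) -> str:
    # Certificate verification stays on: a JSS with a trusted certificate is assumed.
    req = urllib.request.Request(url, method=method, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def get_token(jss_url: str, user: str, password: str) -> str:
    """Trade the account password for a bearer token; the password is sent once, here."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = _request(f"{jss_url.rstrip('/')}/api/v1/auth/token", "POST",
                    {"Authorization": f"Basic {creds}", "Accept": "application/json"}, data=b"")
    return parse_token(body)


def invalidate_token(jss_url: str, token: str) -> None:
    _request(f"{jss_url.rstrip('/')}/api/v1/auth/invalidate-token", "POST",
             {"Authorization": f"Bearer {token}"}, data=b"")


def enable_remote_management(jss_url: str, token: str, serial: str):
    """Look the Mac up by serial and queue EnableRemoteDesktop; returns its Jamf ID or None."""
    hdr = {"Authorization": f"Bearer {token}", "Accept": "application/xml"}
    computer_id = parse_computer_id(_request(computer_lookup_url(jss_url, serial), headers=hdr))
    if not computer_id:
        return None
    _request(enable_command_url(jss_url, computer_id), "POST", hdr, data=b"")
    return computer_id


def main(argv):
    if len(argv) != 4:
        sys.exit("usage: enable_rm.py <jss_url> <api_user> <serial_file>")
    jss_url, user, serial_file = argv[1:]
    # Prompt for the password so it never sits in a script, a policy parameter or shell history.
    token = get_token(jss_url, user, getpass.getpass(f"Password for {user}: "))
    try:
        with open(serial_file) as fh:
            for serial in (line.strip() for line in fh if line.strip()):
                try:
                    cid = enable_remote_management(jss_url, token, serial)
                    print(f"{serial}: {'queued for id ' + cid if cid else 'not found in Jamf'}")
                except urllib.error.HTTPError as err:
                    print(f"{serial}: HTTP {err.code} from JSS")
    finally:
        invalidate_token(jss_url, token)   # don't leave a live token behind


if __name__ == "__main__":
    main(sys.argv)
```

The command only queues the MDM command; as in the thread, kickstart still has to run on the Mac afterwards to set access and privileges, and the token endpoint means the account password is transmitted once rather than on every call.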

junjishimazaki
Valued Contributor

There is only 1 way I know of to access Jamf via curl and that's to pass username/password. So, it's up to you if you want to use it.

mfcfadmin
Contributor II

PPPC payload would be preferable but I don't see how to accomplish that.

Couldn't see anything in Profile Creator either.


mfcfadmin
Contributor II

The client and server already have an established trust due to enrolment.

Truly bizarre that that can't be leveraged.

mfcfadmin
Contributor II

So if this works

by clicking the Enable Remote Desktop button on the Management->Management Commands screen in the computer's Jamf Pro record

that means it can be enabled from the server side. It would be nice if the server could be told the default behaviour for new clients just like I can tell it not to display the Siri dialog during the Setup Assistant.

If there isn't any mechanism, it should be possible to run database commands to get the list of clients without and turn it on for those.

mfcfadmin
Contributor II

If this could be explained step by step

deploy a Configuration Profile with a PPPC payload with the described settings to enable control.
mfcfadmin
Contributor II

I had a machine that I upgraded to 11.6.3 that was giving me the black screen, and using the button in the computer's Jamf Pro record didn't seem to help, so I did an ssh to the machine,

tccutil reset ScreenCapture

followed by reboot worked