Posted on 01-25-2022 12:19 PM
"kickstart" command lines on fresh Monterey machines now give us black screens on connection.
Turning it off and back on in the GUI fixes the problem.
Trying to figure out how to use a Profile instead of command lines but ProfileCreator has no Sharing and it isn't a Privacy thing so PPPC Utility won't help.
Any detailed steps appreciated.
01-25-2022 06:07 PM - edited 01-25-2022 06:09 PM
@mfcfadmin You can't just use kickstart as of macOS Monterey 12.1. See https://support.apple.com/en-us/HT209161 for the new mechanism. (This is kind of buried in paragraph 4 of https://support.apple.com/guide/remote-desktop/enable-remote-management-apd8b1c65bd/mac )
Posted on 01-26-2022 06:29 AM
sdagley is correct, so I use the Jamf API to send the EnableRemoteDesktop command to the Mac.
Posted on 01-26-2022 07:18 AM
I only started having this problem this year with Monterey fresh installs.
I've looked at most of those pages already.
I need specifics.
01-26-2022 07:40 AM - edited 01-26-2022 07:41 AM
@mfcfadmin As described in the 1st link in my previous response - Enable Remote Management (you can use the API call that @junjishimazaki mentions or by clicking the Enable Remote Desktop button on the Management->Management Commands screen in the computer's Jamf Pro record) and deploy a Configuration Profile with a PPPC payload with the described settings to enable control.
You just started seeing this behavior because macOS Monterey 12.1 was when Apple made the change to require this.
Posted on 01-26-2022 08:45 AM
Sorry, but I need specifics. I haven't used API calls before.
I've got over 700 machines ... I can't be manually clicking in every record.
I've looked at PPPC and it deals with Privacy settings not Sharing settings.
Posted on 01-26-2022 12:07 PM
Did you figure out a way to deploy this to all your machines? Most of our machines are now on 12.1.
Posted on 01-26-2022 12:14 PM
Try this script:
#!/bin/bash
# Pass a Jamf account that is allowed to send API commands to computers
# (script parameters 4-6: user, password, Jamf Pro URL)
jamf_User=$4
jamf_Pass=$5
jss_Url=$6
KICK_START_BINARY="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
# Get Mac serial number
mac_serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "Mac serial: $mac_serial"
# Get ID of the Mac from Jamf (no -k: verify the server certificate before sending credentials)
JAMF_ID=$(/usr/bin/curl -su "${jamf_User}:${jamf_Pass}" "${jss_Url}/JSSResource/computers/serialnumber/${mac_serial}" -X GET | xmllint --xpath '/computer/general/id/text()' -)
echo "Jamf ID: $JAMF_ID"
# Stop here if the lookup failed, rather than posting a command with an empty ID
if [ -z "$JAMF_ID" ]; then
  echo "Could not find a Jamf ID for $mac_serial" >&2
  exit 1
fi
# Send the EnableRemoteDesktop command for this computer
/usr/bin/curl -su "${jamf_User}:${jamf_Pass}" "${jss_Url}/JSSResource/computercommands/command/EnableRemoteDesktop/id/${JAMF_ID}" -X POST
## Enable ARD options using the kickstart command
"$KICK_START_BINARY" -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers
exit 0
Posted on 01-26-2022 12:49 PM
I was already doing kickstart as part of the enrollment script, it's no longer an option
Posted on 01-26-2022 12:51 PM
By adding the API call to enable remote management and then sending the kickstart. This worked for me.
Posted on 01-26-2022 12:53 PM
Having a clear text password is such a bad option.
01-26-2022 01:29 PM - edited 01-26-2022 01:31 PM
@mfcfadmin Your options for enabling Remote Management on 12.1 require either the API or manually clicking the Enable Remote Desktop button for each computer in your JSS console. You can always, and really should, rewrite @junjishimazaki's script to avoid sending the password in clear text (there are multiple examples of techniques to do that posted here on Jamf Nation). Note that there's nothing that says the endpoints themselves need to run that script; you could modify it to use a list of serial numbers and run it from your own Mac (Jamf definitely discourages calling the API from arbitrary endpoints).
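The approach suggested in the post above (run from an admin Mac over a list of serial numbers, with no password in the script or its parameters), as an added example that is not code from any poster in this thread or from Jamf. The script name, server URL and serial list file are hypothetical; the two API paths are the ones used in the script posted earlier, and the password is prompted for and handed to curl through `-K -` on stdin so it never appears in the process argument list.

```shell
#!/bin/bash
# Added example: run from an admin Mac, not from the endpoints.
# Usage (hypothetical names): ./enable_ard.sh https://jamf.example.com serials.txt

# Accept only plain alphanumeric serials so a malformed list entry cannot
# change the API path it is interpolated into.
valid_serial() {
  case "$1" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
    *) [ "${#1}" -le 20 ] ;;
  esac
}

# Emit a curl config body carrying the credentials; it is piped to
# `curl -K -`, keeping the password out of argv and out of the script.
curl_auth_config() {
  local cred="$1:$2"
  cred=${cred//\\/\\\\}   # escape backslashes first,
  cred=${cred//\"/\\\"}   # then double quotes, as quoted config values require
  printf 'user = "%s"\n' "$cred"
}

# Authenticated Classic API call; TLS verification stays on (no -k).
jamf_api() {   # jamf_api METHOD URL
  curl_auth_config "$JAMF_USER" "$JAMF_PASS" | curl -sS --fail -K - -X "$1" "$2"
}

main() {
  local url=${1%/} list=$2 serial id
  read -r -p "Jamf user: " JAMF_USER
  read -r -s -p "Password: " JAMF_PASS; echo
  while IFS= read -r serial; do
    valid_serial "$serial" || { echo "skip (bad serial): $serial" >&2; continue; }
    id=$(jamf_api GET "$url/JSSResource/computers/serialnumber/$serial" |
         xmllint --xpath '/computer/general/id/text()' - 2>/dev/null) ||
      { echo "lookup failed: $serial" >&2; continue; }
    jamf_api POST "$url/JSSResource/computercommands/command/EnableRemoteDesktop/id/$id" \
      >/dev/null && echo "EnableRemoteDesktop sent: $serial (id $id)"
  done < "$list"
}

# Only run when called with the two expected arguments.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The password is still sent to the server as HTTP Basic credentials over TLS; what changes is that it is no longer stored in a policy parameter or visible in the process list.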
Posted on 01-26-2022 12:56 PM
There is only 1 way I know of to access Jamf via curl and that's to pass username/password. So, it's up to you if you want to use it.
Posted on 01-26-2022 12:57 PM
PPPC payload would be preferable but I don't see how to accomplish that.
Couldn't see anything in Profile Creator either.
Posted on 01-26-2022 02:11 PM
The client and server already have an established trust due to enrolment.
Truly bizarre that that can't be leveraged.
Posted on 01-28-2022 07:49 AM
So if this works:
"by clicking the Enable Remote Desktop button on the Management->Management Commands screen in the computer's Jamf Pro record"
that means it can be enabled from the server side. It would be nice if the server could be told the default behaviour for new clients just like I can tell it not to display the Siri dialog during the Setup Assistant.
If there isn't any mechanism, it should be possible to run database commands to get the list of clients without and turn it on for those.
Posted on 01-28-2022 07:51 AM
If this could be explained step by step:
"deploy a Configuration Profile with a PPPC payload with the described settings to enable control."
Posted on 01-28-2022 10:42 AM
I had a machine that I upgraded to 11.6.3 that was giving me the black screen and using the button in the computer's Jamf Pro record didn't seem to help so I did an ssh to the machine,
tccutil reset ScreenCapture
followed by reboot worked