Screen Sharing, Remote Management, and ARD

mstydel
Contributor

We are having issues connecting to Monterey Macs with ARD suddenly.  We enable Remote Management during setup with a script (down below) that uses the kickstart command to activate, set access to specified users, specify the local Administrator account that is on all machines, and finally allow that account all privileges.  This allows us (IT) to remote into machines while they are in one of our buildings/on our network to work on them or help users.  Some of our machines run a second script that allows another local account on them for teachers to access but with fewer privileges (basically observe and message only).  When connecting to a machine, ARD will give the following error:

Screenshot 2023-01-17 at 2.11.09 PM.png

Screen Sharing is grayed out in System Preferences as usual, but unchecked.  We're not really sure what caused this sudden change.  We do get the occasional 'black screen with mouse only' issue, which we resolve by sending the Disabled Remote Desktop command from the Mac's management page in Jamf as many times as it takes to make the button switch to Enable, then sending the Enable Remote Desktop command.  I did just try doing this to the computer I was connecting to so I could get a screenshot for above and it did let ARD connect after doing that, however Screen Sharing is still unchecked.  I have noticed doing the Disable then Enable commands in Jamf usually causes Remote Management's "Allow access for:" setting to change back to All users, so in the past after doing the Disable/Enable I've flushed the policy with the script that enables Remote Management so it switches back to specified users when that policy is triggered next (at next check-in).  Here is the script we are running at setup to enable:

#!/bin/sh

# adminUser = Admin User Name for Remote Access

adminUser="administrator"

##################################
# Do Not Modify Below This Line #
##################################

if [ "$4" != "" ] && [ "$adminUser" == "" ];then
adminUser=$4
fi

# DEFINE CONTROL SETTINGS

privs="-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings"

# Do Not Modify Below This Line

if [ "$adminUser" != "" ]; then
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs $privs -users $adminUser
fi

I'm not quite sure why the script has the if statement right under the "Do Not Modify", this was how the script was written long before me and it's always worked so I haven't modified it.  A value is always specified for 'adminUser', so it never continues into the if statement anyways.  I'm guessing at some point years ago this script was copied from someone else.

 

I'm wondering if we need to send a disable/activate remote desktop command to all of our devices with a mass action, then after waiting a bit for that to cycle through most of them flush our script above to make sure they all stay set to specific users?  I know I've read that using the kickstart command is somewhat frowned upon now and the MDM command should be used but we are not wanting it to allow access for all users, which seems to be the default unless set otherwise either by hand or by terminal/script.  To clarify, we do have "Allow screenshots and screen recording" and "Allow AirPlay, View Screen by Classroom, and Screen Sharing" checked as enabled in a config profile on all of our Macs.

3 REPLIES 3

dlondon
Valued Contributor

Sometimes I see this too.  I have been able to fix it by physically toggling the Remote Management Off then On in System preferences > Sharing

Screen Shot 2023-01-18 at 12.17.38 pm.png

I would love to know how to check and toggle it back with a script

AJPinto
Honored Contributor III

Check your configuration profiles. Make sure you don't have Allow AirPlay, View Screen by Classroom, and Screen Sharing (macOS 10.14.4 or later, enrolled via a PreStage enrollment) unchecked. This got us last month.

 

AJPinto_0-1674048995199.png

 

 

On a side note, use MDM commands to enable screen sharing. Apple retired the ability to kickstart screen sharing with Catalina. If its somehow still working for you guys, don't expect it to work well for much longer.

AJPinto_1-1674049120038.png

 

Qwheel
Contributor II

Check out this.
https://community.jamf.com/t5/jamf-nation/disabling-re-enabling-remote-desktop-via-jamf-pro/m-p/2723...

I talked about how I'm managing it within our organisation.

I flatten a computer lab, during DEP enrolment, I send a mass action to enable remote desktop via MDM, recons run during DEP enrollment to deploy PPPCs as required... but this also updates the extension attribute for the device to say the device has "remote desktop active, but without permissions set", device gets added to a different smart group then runs our standard ARD script via trigger at the end of DEP enrollment.

An unusual work around... but it does work... :D