Posted on 04-15-2015 07:01 PM
Just wondering if anyone knows the command to add the Administrators group for Remote Login
I've googled my pants off, I can allow the Admin but can't allow the Administrators group.
Any input would be greatly appreciated.
Posted on 04-15-2015 07:03 PM
@dsmetham I believe you just need to add them to the ard access group. A simple Google search on adding a group to ard access should do it.
Posted on 04-15-2015 08:09 PM
@dsmetham You will need to create the group first, then you will be able to add users to the group.
You can create the group either from the GUI or command line.
Posted on 04-16-2015 02:42 AM
Are you talking about SSH access?
If it is SSH, you used to use a group called com.apple.access_ssh. Not sure if thats still the case but if it is you should be able to use
dseditgroup -o create -q com.apple.access_ssh
# Create the group
dseditgroup -o edit -a admin -t group com.apple.access_ssh
# Add the admin group to it
Posted on 03-29-2016 05:47 PM
Thanks for this @davidacland !
Posted on 03-31-2016 07:00 AM
@davidacland your Terminal commands worked for me on a Yosemite test machine, but doesn't seem to work on my machine running 10.11.4. The first command does create the com.apple.access_ssh group, but then does not add the local Administrators group to the remote login panel like I was seeing on Yosemite.
Posted on 03-31-2016 11:39 AM
I just double checked the commands and the man pages. All the options look to be the same so I'm not sure why they wouldn't be working.
When I tried them, creating the groups was fine, and adding a user to a group seemed to work intermittently.
Posted on 04-01-2016 06:14 AM
Thanks for checking @davidacland . Looking at things more closely, it seems that the commands are working in that the com.apple.access_ssh group gets created, enables remote login (systemsetup -setremote login on
), and sets remote login to "only these users". But no users or user groups are listed.
When I try and manually add the Administrators group it appears as added, but when I quit Sys Prefs and reopen it it no longer is shown as listed.
If confirmed that I can ssh into the machine from different accounts with admin privileges but cannot connect with standard users.
So, it appears to be working but not properly showing the Administrators group as the user group with privileges to ssh.
Posted on 04-01-2016 06:45 AM
I can confirm the above is happening on both 10.10.4 and 10.11.4
Posted on 04-04-2016 08:39 AM
@aporlebeke Even though nothing shows in the "remote login" list, try running in the Terminal:
/usr/bin/dscl . -read /Groups/com.apple.access_ssh
If your user shows there, you're golden. My JAMF management user does not show in the remote login list but it shows in that command. Also showing are "nested groups," one of which should be "ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050", the admin group.
Posted on 04-04-2016 09:12 AM
Something I realized, I was misentering the command posted further up the thread, the "T" needs to be capitalized, not lowercase:
dseditgroup -o create -q com.apple.access_ssh
# Create the group
dseditgroup -o edit -a admin -T group com.apple.access_ssh
# Add the admin group to it
However, when I do these commands together now, it adds just the local admin user to the Remote Login specified users rather than the Administrators group ... Any other thoughts?
Posted on 04-04-2016 09:40 AM
Did you run /usr/bin/dscl . -read /Groups/com.apple.access_ssh ?
Anything under "NestedGroups"?
Posted on 04-04-2016 09:55 AM
@tony.schaps Nothing about nested groups after running the command. As I mentioned in my post above, the command changed from a lowercase "t" to an uppercase in the second command, but that change just adds our local admin user to the remote login user list, not the Administrators group.
Posted on 04-04-2016 10:10 AM
OK - so I started from scratch again. Running the original commands (with lowercase t) and then doing the dscl . read /Groups/com.apple.access_ssh
reveals that there is in fact a nested group - the admin group with the UID you specified previously in the com.apple.access_ssh group.
Although the Administrators group is still not showing up in the listed remote login account list.
Posted on 08-07-2019 01:37 PM
Just in case anyone is browsing for other solutions. This my script for granting the local "Administrators" group ssh access. Jamf removes the "Administrators" group from the Remote Login list when a machine is enrolled and replaced with the jamfadmin account. The script below grants the local "Administrators" group ssh access and it will show in the list again after you logoff and log back in:
#!/bin/sh
#Add Administrators group to Remote Login access list
dseditgroup -o edit -n /Local/Default -a admin -t group com.apple.access_ssh
exit 0
Posted on 07-28-2020 09:41 PM
@jamaya77 is this a one time fix or does it need to be run from time to time?
Posted on 08-06-2020 09:33 AM
@clint.arndt We've always enabled remote login as part of a series of post-enrollment policies and never had to rerun / reactivate.