
We have some Broadcasting Lab computers that our teacher wants to access via Apple Remote Desktop (ARD). I am looking for a terminal command or script to add him to Remote Management and set the permissions.



I have attempted the following:



sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users michael ellson -privs -all -restart -agent -menu



Result: No such file or Directory Exists



sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users short,usernames,seperated,by,commas -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers



Result:
-- User set but with no permissions
-- Tried on another computer - did not add user to Remote Management



Read the following JAMF Discussion:




  • https://jamfnation.jamfsoftware.com/discussion.html?id=11021



Tried @mojo21221's script - no dice



Anyone have a terminal command or script?



Thanks in advance!

Here's the script I've been using for several years. Still works as expected on 10.11. For consistency, it resets all the remote management options and then procedurally re-sets them. The end result is a single account configured for remote access with all options enabled.






#!/bin/bash

LOCALADMIN="username"
kickstart=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

echo "Configuring Remote Management"
if id -u "$LOCALADMIN" >/dev/null 2>&1; then
    echo "Defined local admin account exists"
    # Deactivate ARD agent, deny all access
    echo "Deactivating ARD agent"
    "$kickstart" -deactivate -configure -access -off
    echo "Turning off default AllLocalUsers remote management setting"
    defaults write /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers -bool FALSE
    # Remove 'naprivs' key from users configured by ARD's -specifiedUsers flag
    echo "Removing naprivs key from local users"
    RemoteManagementUsers=$(dscl . list /Users naprivs | awk '{print $1}')
    for EnabledUser in $RemoteManagementUsers; do
        echo "--- naprivs removed from $EnabledUser"
        dscl . delete "/Users/$EnabledUser" naprivs
    done
    # Turn ARD back on and enable only the specified LOCALADMIN
    echo "Reconfiguring ARD for only specified users"
    "$kickstart" -configure -allowAccessFor -specifiedUsers
    echo "Setting specified local admin account as sole ARD user"
    "$kickstart" -configure -users "$LOCALADMIN" -access -on -privs -all
    echo "Restarting ARD agent"
    "$kickstart" -activate -restart -agent
    echo "--- Remote management reset; user ${LOCALADMIN} configured for access"
    exit 0
else
    echo "--- ERROR: The specified local admin account does not exist."
    exit 1
fi

@bmwarren Thank you for such a quick response. Thank you for the script!



I performed the following:
- Created script in Casper under Settings -> Computer Management -> Scripts
- Created Policy and Scoped one machine to Policy
- logged into a lab computer
- launched terminal
- ran command sudo jamf policy -verbose



Result: ERROR: The specified local admin account does not exist.



Further Notes:
- The teacher is set as Administrator "Allow Administration by" under System Preferences -> Users & Groups -> Login Options -> Edit -> Open Directory Utility -> Active Directory -> Administrative -> Allow Administration by:
- He has logged into the computer with his creds. His account says Managed, Mobile


I suppose I should have mentioned this script is geared toward having a known local administrator account on the box. Line 3, LOCALADMIN="username" should be updated to reflect the username of your known local account.



If you're trying to execute this as a particular, variable user you will need to make some changes. The policy must be scoped to 'login' so that the JSS receives the username of the user running the policy, AND/OR via Self Service where you've configured Self Service to require login. Otherwise the JSS won't know who to run the policy "as."



Additionally you will need to change line 3 of the script to



LOCALADMIN=$3


to utilize the username parameter the script is passing.



Does that make sense?
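A verification step for the reset script and the `LOCALADMIN=$3` change discussed above, as an added example that is not part of the thread or of anyone's posted script: it checks the short name before use and confirms that only the intended account still holds a `naprivs` key. The function names, the allowed character set and the sample `dscl` output are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread: audit the outcome of the ARD reset.

# Reject anything that is not a plain short name before it reaches dscl or
# kickstart. Assumption: short names use only letters, digits, '.', '_', '-'.
valid_shortname() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# stdin: output of `dscl . list /Users naprivs` (short name, then value).
# Returns 0 when the expected account is the only one holding a naprivs key,
# 1 when other accounts still hold one, 2 when the expected account has none,
# 3 when the name itself is not acceptable.
audit_ard_users() {
    local expected="$1" holders extra
    valid_shortname "$expected" || { echo "invalid short name" >&2; return 3; }
    holders=$(awk 'NF >= 2 { print $1 }')
    extra=$(printf '%s\n' "$holders" | grep -vxF -- "$expected" | paste -sd, -)
    if [ -n "$extra" ]; then
        echo "unexpected ARD accounts: $extra"
        return 1
    fi
    if ! printf '%s\n' "$holders" | grep -qxF -- "$expected"; then
        echo "$expected has no naprivs key"
        return 2
    fi
    echo "only $expected holds ARD privileges"
}

# Constructed sample of `dscl . list /Users naprivs` output, for offline runs.
SAMPLE_DSCL='labadmin        -1073741569
teacher         -1073741569'

# On a Mac, audit the live directory; "$3" is the username Jamf passes in.
if command -v dscl >/dev/null 2>&1 && [ -n "${3:-}" ]; then
    echo "ARD_AllLocalUsers: $(defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null)"
    dscl . list /Users naprivs | audit_ard_users "$3"
fi
```

Run against the constructed sample with `printf '%s\n' "$SAMPLE_DSCL" | audit_ard_users teacher`, which flags `labadmin` as a leftover account.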


Hey @bmwarren !



I apologize for not responding sooner. The past few days have been a little busy.



No worries mentioning about the script being geared towards a local admin account. I figured it was but was hoping it would work.



I understand the concept of what you explained above. However, implementing it will be a different story. When I get a chance, I will give this a try and let you know the results. THANKS!

