Set Remote Management User and Permissions via Terminal/Script

lee_smith
Contributor

We have some Broadcasting Lab Computers, our Teacher wants to access via Apple Remote Desktop (ARD). I am looking for a terminal command or script to add him to Remote Management and set the permissions.

I have attempted the following:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users michael ellson -privs -all -restart -agent -menu

Result: No such file or Directory Exists

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users short,usernames,seperated,by,commas -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers

Result: -- User set but with no permissions
-- Tried on another computer - did not add user to Remote Management

Read the following JAMF Discussion:

  • https://jamfnation.jamfsoftware.com/discussion.html?id=11021

Tried @mojo21221 script - no dice

Anyone have a terminal command or script?

Thanks in advance!

4 REPLIES

haircut
Contributor

Here's the script I've been using for several years. Still works as expected on 10.11. For consistency, it resets all the remote management options and then procedurally re-sets them. The end result is a single account configured for remote access with all options enabled.


#!/bin/bash

LOCALADMIN="username"
kickstart=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

echo "Configuring Remote Management"
# The account must already exist locally; otherwise nothing is changed.
if id -u "$LOCALADMIN" >/dev/null 2>&1; then
    echo "Defined local admin account exists"
    # Deactivate ARD agent, deny all access
    echo "Deactivating ARD agent"
    "$kickstart" -deactivate -configure -access -off
    echo "Turning off default AllLocalUsers remote management setting"
    defaults write /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers -bool FALSE
    # Remove the 'naprivs' key from every user configured by ARD's -specifiedUsers flag
    echo "Removing naprivs key from local users"
    RemoteManagementUsers=$(dscl . list /Users naprivs | awk '{print $1}')
    for EnabledUser in $RemoteManagementUsers; do
        echo "--- naprivs removed from $EnabledUser"
        dscl . delete "/Users/$EnabledUser" naprivs
    done
    # Turn ARD back on and enable only the specified LOCALADMIN
    echo "Reconfiguring ARD for only specified users"
    "$kickstart" -configure -allowAccessFor -specifiedUsers
    echo "Setting specified local admin account as sole ARD user"
    "$kickstart" -configure -users "$LOCALADMIN" -access -on -privs -all
    echo "Restarting ARD agent"
    "$kickstart" -activate -restart -agent
    echo "--- Remote management reset; user ${LOCALADMIN} configured for access"
    exit 0
else
    echo "--- ERROR: The specified local admin account does not exist."
    exit 1
fi
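An added audit check to run before or after the reset script, not haircut's script or anything shipped by Jamf: it reads the naprivs attribute that the -specifiedUsers configuration writes to user records and reports any account outside an allowlist, or any allowlisted account that did not get access. The `dscl . list /Users naprivs` line format ("username value"), the function name and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the script above: audit which local accounts
# currently hold ARD access by reading the naprivs attribute that the
# -specifiedUsers configuration writes to each user record.
# Assumed line format of `dscl . list /Users naprivs`:
#   <username> <naprivs value>   (one record per line)

# audit_ard_users "<dscl output>" "<space-separated allowlist>"
# Prints one line per deviation; returns 0 only when the accounts holding
# naprivs are exactly the allowlisted ones.
audit_ard_users() {
    dscl_out=$1
    allow=$2
    status=0
    # Any account outside the allowlist with a naprivs value is a finding.
    while read -r user privs; do
        [ -n "$user" ] || continue
        case " $allow " in
            *" $user "*) ;;
            *) echo "UNEXPECTED: $user holds naprivs=$privs"; status=1 ;;
        esac
    done <<EOF
$dscl_out
EOF
    # An allowlisted account without naprivs means the reset did not finish.
    for user in $allow; do
        printf '%s\n' "$dscl_out" | grep -q "^$user[[:space:]]" \
            || { echo "MISSING: $user has no naprivs"; status=1; }
    done
    return $status
}

# Constructed sample of dscl output: a second account still holds access.
SAMPLE_DSCL='localadmin    -1073741569
olduser       -1073741569'

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: read the live user list plus the AllLocalUsers switch
    # that the reset script turns off.
    defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers
    audit_ard_users "$(dscl . list /Users naprivs)" "localadmin" || echo "audit: deviations found"
else
    audit_ard_users "$SAMPLE_DSCL" "localadmin" || echo "audit: deviations found"
fi
```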

lee_smith
Contributor

@bmwarren Thank you for such a quick response. Thank you for the script!

I performed the following:
- Created script in Casper under Settings -> Computer Management -> Scripts
- Created Policy and Scoped one machine to Policy
- logged into a lab computer
- launched terminal - ran command sudo jamf policy -verbose

Result: ERROR: The specified local admin account does not exist.

Further Notes:
- The teacher is set as Administrator "Allow Administration by" under System Preferences -> Users & Groups -> Login Options -> Edit -> Open Directory Utility -> Active Directory -> Administrative -> Allow Administration by:
- He has logged into the computer with his creds. His account says Managed, Mobile

haircut
Contributor

I suppose I should have mentioned this script is geared toward having a known local administrator account on the box. Line 3, LOCALADMIN="username" should be updated to reflect the username of your known local account.

If you're trying to execute this as a particular, variable user you will need to make some changes. The policy must be scoped to 'login' so that the JSS receives the username of the user running the policy, AND/OR via Self Service where you've configured Self Service to require login. Otherwise the JSS won't know who to run the policy "as."

Additionally you will need to change line 3 of the script to

LOCALADMIN=$3

To utilize the username parameter the script is passing.

Does that make sense?

lee_smith
Contributor

Hey @bmwarren !

I apologize for not responding sooner. The past few days have been a little busy.

No worries mentioning about the script being geared towards a local admin account. I figured it was but hoping it would work.

I understand the concept of what you explained above. However, implementing it will be a different story. When I get a chance, I will give this a try and let you know the results. THANKS!