Set Remote Management User and Permissions via Terminal/Script


We have some Broadcasting Lab Computers, our Teacher wants to access via Apple Remote Desktop (ARD). I am looking for a terminal command or script to add him to Remote Management and set the permissions.

I have attempted the following:

sudo /System/Library/CoreServices/RemoteManagement/ -activate -configure -access -on -users michael ellson -privs -all -restart -agent -menu

Result: No such file or Directory Exists

sudo /System/Library/CoreServices/RemoteManagement/ -activate -configure -users short,usernames,seperated,by,commas -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers

Result: -- User set but with no permissions
-- Tried on another computer - did not add user to Remote Management

Read the following JAMF Discussion:


Tried @mojo21221 script - no dice

Anyone have a terminal command or script?

Thanks in advance!



Here's the script I've been using for several years. Still works as expected on 10.11. For consistency, it resets all the remote management options and then procedurally re-sets them. The end result is a single account configured for remote access with all options enabled.

View GitHub Gist



echo "Configuring Remote Management"
if id -u $LOCALADMIN >/dev/null 2>&1; then
    echo "Defined local admin account exists"
    # Deactivate ARD agent, deny all access
    echo "Deactivating ARD agent"
    $kickstart -deactivate -configure -access -off
    echo "Turning off default AllLocalUsers remote management setting"
    defaults write /Library/Preferences/ ARD_AllLocalUsers -bool FALSE
    # Remove 'naprivs' key from users configured by ARD's -specifiedUSers flag
    echo "Removing naprivs key from local users"
    RemoteManagementUsers=$(dscl . list /Users naprivs | awk '{print $1}')
        for EnabledUser in $RemoteManagementUsers; do
            echo "--- naprivs removed from $EnabledUser"
            dscl . delete /Users/$EnabledUser naprivs
    # Turn ARD back on and enable only the specified LOCALADMIN
    echo "Reconfiguring ARD for only specified users"
    $kickstart -configure -allowAccessFor -specifiedUsers
    echo "Setting specified local admin account as sole ARD user"
    $kickstart -configure -users $LOCALADMIN -access -on -privs -all
    echo "Restarting ARD agent"
    $kickstart -activate -restart -agent
    echo "--- Remote management reset; user ${LOCALADMIN} configured for access"
    exit 0
    echo "--- ERROR: The specified local admin account does not exist."
    exit 1


@bmwarren Thank you for such a quick response. Thank you for the script!

I performed the following:
- Created script in Casper under Settings -> Computer Management -> Scripts
- Created Policy and Scoped one machine to Policy
- logged into a lab computer
- launched terminal - ran command sudo jamf policy -verbose

Result: ERROR: The specified local admin account does not exist.

Further Notes:
- The teacher is set as Administrator "Allow Administration by" under System Preferences -> Users & Groups -> Login Options -> Edit -> Open Directory Utility -> Active Directory -> Administrative -> Allow Administration by:
- He has logged into the computer with his creds. His account says Managed, Mobile


I suppose I should have mentioned this script is geared toward having a known local administrator account on the box. Line 3, LOCALADMIN="username" should be updated to reflect the username of your known local account.

If you're trying to execute this as a particular, variable user you will need to make some changes. The policy must be scoped to 'login' so that the JSS receives the username of the user running the policy, AND/OR via Self Service where you've configured Self Service to require login. Else wise the JSS won't know who to run the policy "as."

Additionally you will need to change line 3 of the script to


To utilize the username parameter the script is passing.

Does that make sense?


Hey @bmwarren !

I apologize for not responding sooner. The past few days have been a little busy.

No worries mentioning about the script being geared towards a local admin account. I figured it was but hoping it would work.

I understand the concept of what you explained above. However, implementing it will be a different story. When I get a chance, I will give this a try and let you know the results. THANKS!