Posted on 06-25-2014 01:11 PM
Guys, we usually set Remote Management settings on our builds.
I'm trying to use the pre-enrollment feature. Is there an easy way to set this with, say, a configuration profile? Or maybe with a Composer package.
Thanks
Posted on 06-25-2014 02:00 PM
I use a payload-free package to set these options. You can also use ARD Admin to generate your kickstart script options for you, which is handy if you have a complex config. I have a post on how to do that available here:
Posted on 06-25-2014 01:52 PM
Do you just want to enable Remote Desktop when imaging or once a machine is under management with Casper?
Just use the kickstart command in a shell script:
You can run it with just the -help flag to get all options (sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart)
But here is an example of a run where it turns on all remote management options and gives access to all users on the system.
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -allowAccessFor -allUsers -privs -all
We enabled ARD this way in a script in the JSS that runs in our thin imaging policy.
Posted on 06-25-2014 02:15 PM
I'm looking to enable Remote Desktop once it's managed by Casper. We already have it set on our thin image.
This is mainly for PreStage out-of-the-box deployments. I'm going to use the ARD Admin to generate the kickstart.
Thanks for the help!!!
Posted on 06-25-2014 02:28 PM
We have a script that runs at reboot after image. Works like a champ!!!

```sh
#!/bin/sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users administrator,Administrator -access -on -privs -all -restart
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart
```
Posted on 05-04-2017 09:18 AM
ARD 3.9 no longer supports the solution in @rtrouton's post.
I think it's going to have to be done with a script (like @mojo21221 suggested) from now on....
This article explains how it works.
The mask bitmap for the privs is thus from the kickstart perl source:
```c
#define kPrivSTUserHasAccess    0x80000000
#define kPrivSTTextMessages     0x00000001
#define kPrivSTControlObserve   0x00000002
#define kPrivSTSendFiles        0x00000004
#define kPrivSTDeleteFiles      0x00000008
#define kPrivSTGenerateReports  0x00000010
#define kPrivSTOpenQuitApps     0x00000020
#define kPrivSTChangeSettings   0x00000040
#define kPrivSTRestartShutDown  0x00000080
#define kPrivSTObserveOnly      0x00000100
#define kPrivSTShowObserve      0x40000000
```
Posted on 06-14-2017 10:37 PM
Hi,
Also going through the process of setting up our pre-stage enrolment. We currently enable remote management for our local admin account only, and I'd like to keep it that way.
I have seen a bunch of scripts that give all access to all users, but I want to customise that a bit. I only want our local admin account to have remote management access, and only these privs:
-DeleteFiles
-ControlObserve
-TextMessages
-OpenQuitApps
-GenerateReports
-RestartShutDown
-SendFiles
-ChangeSettings
I've run this command on a couple of machines:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings -users localadmin
Which appears to work fine, but I want to double-check that it will actually do what I am expecting? That is, that the only account with remote management will be our localadmin, yeah?
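To make the privilege bitmask from the earlier post concrete, and to give a way to answer the question above (which accounts actually end up with Remote Management access after a kickstart run), here is an added example. It is my code, not from any poster in this thread or from Apple. It assumes that kickstart stores the rights in the user record's `naprivs` attribute as a signed 32-bit integer with `kPrivSTUserHasAccess` (0x80000000) OR'ed in whenever rights are granted (which is how `-privs -all` turns into the `-1073741569` you see in `dscl`), and that `dscl . -readall /Users naprivs` prints one `RecordName:` line followed by an optional `naprivs:` line per record, with records separated by a lone `-`. The sample `dscl` output in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): encode/decode the naprivs bitmask that
# `kickstart -privs ...` writes, and audit which local users hold ARD rights.
# Bit values are the kPrivST* constants quoted in the thread.

# ard_priv_bit NAME -> integer bit value for one kickstart -privs flag name
ard_priv_bit() {
    case "$1" in
        TextMessages)    echo 1 ;;            # 0x00000001
        ControlObserve)  echo 2 ;;            # 0x00000002
        SendFiles)       echo 4 ;;            # 0x00000004
        DeleteFiles)     echo 8 ;;            # 0x00000008
        GenerateReports) echo 16 ;;           # 0x00000010
        OpenQuitApps)    echo 32 ;;           # 0x00000020
        ChangeSettings)  echo 64 ;;           # 0x00000040
        RestartShutDown) echo 128 ;;          # 0x00000080
        ObserveOnly)     echo 256 ;;          # 0x00000100
        ShowObserve)     echo 1073741824 ;;   # 0x40000000
        *) echo "unknown privilege: $1" >&2; return 1 ;;
    esac
}

# to_signed32 VALUE -> the same 32-bit pattern as a signed integer (what dscl shows)
to_signed32() {
    v=$1
    if [ "$v" -ge 2147483648 ]; then v=$((v - 4294967296)); fi
    echo "$v"
}

# ard_privs_mask NAME... -> naprivs value kickstart would store.
# "all" mirrors -privs -all (every right except ObserveOnly, plus ShowObserve);
# "none" mirrors -privs -none (no access bit, so 0). Assumption: the has-access
# bit 0x80000000 is always set when any right is granted.
ard_privs_mask() {
    mask=2147483648
    for name in "$@"; do
        case "$name" in
            all)  mask=$((mask | 255 | 1073741824)) ;;
            none) echo 0; return 0 ;;
            *)    bit=$(ard_priv_bit "$name") || return 1
                  mask=$((mask | bit)) ;;
        esac
    done
    to_signed32 "$mask"
}

# ard_privs_decode VALUE -> space-separated right names; empty if no access bit
ard_privs_decode() {
    v=$1
    [ "$v" -lt 0 ] && v=$((v + 4294967296))
    if [ $((v & 2147483648)) -eq 0 ]; then echo ""; return 0; fi
    out=""
    for name in TextMessages ControlObserve SendFiles DeleteFiles GenerateReports \
                OpenQuitApps ChangeSettings RestartShutDown ObserveOnly ShowObserve; do
        bit=$(ard_priv_bit "$name")
        [ $((v & bit)) -ne 0 ] && out="$out $name"
    done
    echo "${out# }"
}

# ard_audit_users DSCL_OUTPUT -> "user: rights" for every user that has access.
# DSCL_OUTPUT is the text of `dscl . -readall /Users naprivs` (format assumed:
# "RecordName: x", then "naprivs: n" if present, records separated by "-").
ard_audit_users() {
    printf '%s\n' "$1" | awk '
        /^RecordName:/ { user = $2 }
        /^naprivs:/    { privs[user] = $2 }
        END { for (u in privs) print u, privs[u] }' | sort |
    while read -r user value; do
        rights=$(ard_privs_decode "$value")
        if [ -n "$rights" ]; then echo "$user: $rights"; fi
    done
}
```

On a managed Mac, `ard_audit_users "$(dscl . -readall /Users naprivs)"` lists the accounts that hold rights. Two caveats when reading the result: the per-user `naprivs` value only governs access while kickstart is in `-allowAccessFor -specifiedUsers` mode, and a user can also inherit rights through the `com.apple.local.ard_*` directory groups when `-dirlogins yes` is set, so an audit of `naprivs` alone does not prove that "only localadmin" has access; check the access mode and those group memberships as well.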
Posted on 07-26-2017 08:07 AM
@mojo21221 sorry for the late jump in, but in reading this post, we were wondering if anyone knows of a way to script the Computer Settings part in Sharing > Remote Management. We need the "Anyone may request..." checked and the "VNC viewers may control..." checked with password. We've searched high and low to no avail. Any help would be appreciated if it's even possible.
Posted on 10-18-2017 10:42 AM
@a.holley Did you ever find out if the script works for local admin only?
Posted on 08-29-2018 02:56 AM
Now that it has been announced that the kickstart command cannot enable Remote Management beyond "observe" mode, is there a way to achieve this with a custom configuration profile?
For details on the changes in Mojave, see:
https://support.apple.com/en-us/HT209028
Posted on 08-29-2018 04:35 AM
There's nothing in the MDM profile reference... but maybe someone found a valid workaround?
Posted on 08-31-2018 08:05 AM
@grahamrpugh I was poring over Profile Manager in 10.13.6 this morning after I saw that support doc, and don't see anything. Anyone running the latest Mojave beta + latest macOS Server beta to see if this is provided?
Posted on 08-31-2018 09:12 AM
All the above ways are overkill. Check out these 4 lines of code. They grant remote management for our local administrator account.
```sh
#!/bin/sh
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers -users Administrator
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra no -setvnclegacy -vnclegacy yes -setvncpw -vncpw <supersecurepassword>
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
```
Works in High Sierra 10.13.6
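The `-setvnclegacy`/`-setvncpw` line above covers the "VNC viewers may control screen with password" half of the Computer Settings question asked earlier; the "Anyone may request permission" checkbox is the `-setreqperm -reqperm yes` client option. Here is an added example (mine, not any poster's script) that sets both through one configure call with the checks I would want before it runs from a policy. It assumes the `-setreqperm`, `-setvnclegacy` and `-setvncpw` options as listed by `kickstart -help`, and that VNC's classic authentication only uses the first 8 bytes of the password, so a longer one silently loses its extra characters. `KICKSTART` is overridable so the function can be exercised against a stub without touching a real Mac.

```sh
#!/bin/sh
# Added example (not from the thread): script the Sharing > Remote Management
# "Computer Settings" via kickstart, with input validation.
# Assumptions: kickstart client options -setreqperm/-reqperm, -setvnclegacy/-vnclegacy,
# -setvncpw/-vncpw; VNC Authentication uses at most 8 password bytes.
KICKSTART="${KICKSTART:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart}"

# ard_vnc_password_ok PASSWORD -> 0 if usable for legacy VNC auth, 1 otherwise
ard_vnc_password_ok() {
    pw=$1
    if [ -z "$pw" ]; then
        echo "VNC password must not be empty" >&2
        return 1
    fi
    if [ "${#pw}" -gt 8 ]; then
        echo "VNC password longer than 8 characters: VNC auth only uses the first 8" >&2
        return 1
    fi
    return 0
}

# ard_computer_settings REQPERM VNCLEGACY VNCPASSWORD
#   REQPERM    yes|no  "Anyone may request permission to control screen"
#   VNCLEGACY  yes|no  "VNC viewers may control screen with password"
# Writes the settings in one configure call, then restarts the agent so they apply.
ard_computer_settings() {
    reqperm=$1
    vnclegacy=$2
    vncpw=$3
    case "$reqperm$vnclegacy" in
        yesyes|yesno|noyes|nono) ;;
        *) echo "usage: ard_computer_settings yes|no yes|no PASSWORD" >&2; return 2 ;;
    esac
    if [ "$vnclegacy" = yes ]; then
        ard_vnc_password_ok "$vncpw" || return 1
        "$KICKSTART" -configure -clientopts \
            -setreqperm -reqperm "$reqperm" \
            -setvnclegacy -vnclegacy yes \
            -setvncpw -vncpw "$vncpw" || return 1
    else
        # Turning legacy VNC off; no password is written.
        "$KICKSTART" -configure -clientopts \
            -setreqperm -reqperm "$reqperm" \
            -setvnclegacy -vnclegacy no || return 1
    fi
    "$KICKSTART" -restart -agent
}
```

Because the VNC password is passed on kickstart's command line, it is visible in `ps` while kickstart runs and in any policy log that echoes the script's arguments; pass it in as a script parameter rather than hardcoding it, and do not run the policy script with `set -x`. The Mojave limitation discussed above (kickstart no longer granting more than observe rights) is separate from these computer settings, so test on the target OS version before relying on it.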
Posted on 08-31-2018 11:38 AM
@tnielsen That isn't going to work for Mojave, as @grahamrpugh mentioned above.
Perhaps this approach from @rtrouton will work, however:
Posted on 08-31-2018 09:14 PM
Bummer, I missed that.
What is Apple doing here? It seems as though they are making it harder and harder to manage their macs in an Enterprise every release. This makes no sense. What's the benefit here?
Posted on 09-03-2018 02:26 PM
@tnielsen They are locking down security in macOS. Too much adware/malware doing things like installing MDM profiles, or enabling remote management. However, when they take away the kickstart functionality, without a subsequent addition to the MDM spec to allow a UAMDM to enable remote management - that's what I have an issue with.
Please file a Radar, an AppleCare Enterprise case, and either AppleSeed or Public Beta feedback, and contact your SE giving them those numbers as well as number of impacted systems.
Posted on 10-28-2018 11:32 PM
I modified DerFlounder's script and have been using it for High Sierra. Don't know yet if it will work for Mojave. Main difference is I'm mapping OD groups to the local ARD groups and using my OD to manage users in the ARD groups. I assume this would work for AD as well.
```bash
#!/bin/bash

error=0

# To use this script to assign Apple Remote Desktop permissions, define the following:
#
# The username of the local account that needs to be assigned Apple Remote Desktop permissions.
# The names of the Open Directory groups that map onto the local Apple Remote Desktop management groups.
#
# The Apple Remote Desktop group permissions are defined below:
#
# Name: com.apple.local.ard_admin
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down, Control,
#                  Observe, Show being observed
#
# Name: com.apple.local.ard_interact
# Assigned rights: Send messages, Control, Observe, Show being observed
#
# Name: com.apple.local.ard_manage
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down
#
# Name: com.apple.local.ard_reports
# Assigned rights: Generate reports
#
# Fill in the local admin account and the names of the Open Directory groups below:

ardLocalAdmin="administrator"
ardOdGroup_admin="ardadmin"
ardOdGroup_interact="ardinteract"
ardOdGroup_manage="ardmanage"
ardOdGroup_reports="ardreports"

# Do not edit below this line.

CreateGroups(){
    # This function will create groups as needed using the dseditgroup tool.
    # With no -o option, dseditgroup reads the group; a non-zero exit means it does not exist.
    /usr/sbin/dseditgroup -n /Local/Default "$groupname"
    if [ $? != 0 ]; then
        echo "$groupname group does not exist. Creating $groupname group."
        /usr/sbin/dseditgroup -n /Local/Default -o create "$groupname"
    else
        echo "$groupname group already exists."
    fi
}

CreateAppleRemoteDesktopGroups(){
    # This function will use the CreateGroups function to create the local groups used by
    # Apple Remote Desktop's directory-based permissions management.

    # To create the com.apple.local.ard_admin group
    groupname=com.apple.local.ard_admin
    CreateGroups

    # To create the com.apple.local.ard_interact group
    groupname=com.apple.local.ard_interact
    CreateGroups

    # To create the com.apple.local.ard_manage group
    groupname=com.apple.local.ard_manage
    CreateGroups

    # To create the com.apple.local.ard_reports group
    groupname=com.apple.local.ard_reports
    CreateGroups
}

AddUsersToAppleRemoteDesktopGroups(){
    # This function will add users/groups to the groups used by
    # Apple Remote Desktop's directory-based management:
    /usr/sbin/dseditgroup -o edit -a "$ardLocalAdmin" -t user "com.apple.local.ard_admin"
    echo "Added $ardLocalAdmin to com.apple.local.ard_admin"

    /usr/sbin/dseditgroup -o edit -a "$ardOdGroup_admin" -t group "com.apple.local.ard_admin"
    echo "Added $ardOdGroup_admin to com.apple.local.ard_admin"

    /usr/sbin/dseditgroup -o edit -a "$ardOdGroup_interact" -t group "com.apple.local.ard_interact"
    echo "Added $ardOdGroup_interact to com.apple.local.ard_interact"

    /usr/sbin/dseditgroup -o edit -a "$ardOdGroup_manage" -t group "com.apple.local.ard_manage"
    echo "Added $ardOdGroup_manage to com.apple.local.ard_manage"

    /usr/sbin/dseditgroup -o edit -a "$ardOdGroup_reports" -t group "com.apple.local.ard_reports"
    echo "Added $ardOdGroup_reports to com.apple.local.ard_reports"
}

EnableAppleRemoteDesktopDirectoryManagement(){
    ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

    # Turn on Apple Remote Desktop by activating
    # the Apple Remote Desktop management agent
    $ardkickstart -activate

    # Allow Apple Remote Desktop access only for specified users
    $ardkickstart -configure -allowAccessFor -specifiedUsers

    # Enable Apple Remote Desktop management groups
    $ardkickstart -configure -clientopts -setdirlogins -dirlogins yes

    # Restart the Apple Remote Desktop agent process
    $ardkickstart -restart -agent &
}

# Create Apple Remote Desktop management groups
# and add the specified user account to the
# specified management group.
CreateAppleRemoteDesktopGroups
AddUsersToAppleRemoteDesktopGroups

# Turn on Apple Remote Desktop and configure
# it to use Apple Remote Desktop's directory-based
# management to assign permissions.
EnableAppleRemoteDesktopDirectoryManagement

exit $error
```