Posted on 07-17-2020 11:17 AM
We are implementing a "home made" solution so our AD students can log in to specific Macs at specific times remotely using Screen Sharing.
In order to complete our solution, we thought of activating Screen Sharing (not ARD) at specific hours by sending scripts to activate/deactivate Screen Sharing.
We haven't found the command lines to add users/groups to the "only these users" menu.
Yes, it is easy to do it with ARD (ARDAgent / kickstart), but we need to use Screen Sharing.
Does anyone know the commands to set specific users to use Screen Sharing?
Posted on 07-17-2020 12:37 PM
@MacConsultant Sounds like you already know the ARD commands:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -RestartShutDown -SendFiles -ChangeSetting -users adminShortName1,adminShortName2 -setmenuextra -menuextra no -restart -agent
Posted on 07-20-2020 08:58 AM
Hi Dan, thank you for the help.
However, what we need is to set rights to Screen Sharing, not Remote Management (as shown in picture).
Our users are not local, but Network accounts (AD), so we can't add them to Remote Management.
Posted on 07-20-2020 09:14 AM
We do this for network groups, not individual users. Our script looks like this:
#!/bin/bash
# (bash rather than sh: the "${@:4}" slice used below is a bash feature)
# set access permissions for the AD network groups passed in $4 to $11
#
# The initial idea was to accept one group name (in $4) and call the same script several times.
# But Jamf does not allow this. In 9.101 it calls the script twice, but both times with
# the argument passed in the first case listed :(
#
# check if Mac is bound to domain
domain=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
if [ "$domain" != "OurDomain" ]; then
    echo "Problem with AD binding, domain = $domain"
    exit 2
fi
# global settings
# enable sshd ("remote login")
echo "Enabling 'Remote Login'"
systemsetup -f -setremotelogin on
# enable screen sharing
echo "Enabling 'Screen Sharing'"
defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
i=4
# treat all arguments from $4 on...
for userGroup in "${@:4}"; do
    # make sure we have a value
    if [ "$userGroup" != "" ]; then
        echo "handling parameter $i, $userGroup"
        for accessGroup in "com.apple.loginwindow.netaccounts" "com.apple.access_ssh" "com.apple.access_screensharing" "admin"; do
            echo "Adding group $userGroup to $accessGroup"
            # check whether group exists, if not create it
            /usr/bin/dscl . -read "/Groups/${accessGroup}" > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q "${accessGroup}"
            # quoted so that group names containing spaces are passed as one argument
            /usr/sbin/dseditgroup -o edit -a "${userGroup}" -t group "${accessGroup}"
        done
        # And now we still have to add this
        userGroup="com.apple.loginwindow.netaccounts"
        accessGroup="com.apple.access_loginwindow"
        echo "Adding group $userGroup to $accessGroup"
        # would be surprising if it did not exist, but...
        /usr/bin/dscl . -read "/Groups/${accessGroup}" > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q "${accessGroup}"
        /usr/sbin/dseditgroup -o edit -n /Local/Default -a "${userGroup}" -t group "${accessGroup}"
    fi
    i=$((i+1))
done
exit
Posted on 07-20-2020 11:03 AM
Thank you @msschroder
In a complementary matter, I have found this on the forum.
I will dig a little more and post my solution once I've found it.
Posted on 07-20-2020 12:28 PM
Ok, so...
Need to set Screen Sharing permissions to Only these users, which will create the access group com.apple.access_screensharing. You can do it using the graphical interface, or with:
dseditgroup -o create -q com.apple.access_screensharing
Add members to the access group com.apple.access_screensharing
Local user:
dseditgroup -o edit -a *LocalUserName* -t user com.apple.access_screensharing
Local group:
dseditgroup -o edit -a *LocalUserGroup* -t group com.apple.access_screensharing
Domain group:
dseditgroup -o edit -a "*DomainName**DomainGroupName*" -t group com.apple.access_screensharing
Domain user:
dseditgroup -o edit -a "*DomainName**DomainUserName*" -t user com.apple.access_screensharing
Also, if you want to check who the members of com.apple.access_screensharing are:
dscl -f "/var/db/dslocal/nodes/Default" localonly -read /Local/Target/Groups/com.apple.access_screensharing
To set Screen Sharing back to All users, delete the group com.apple.access_screensharing:
dseditgroup -o delete -t group com.apple.access_screensharing > /dev/null
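Added example, not part of the original posts: one way to wrap the commands above so that the access group always matches a given allowlist, adding missing users and removing stale ones with dseditgroup's -d option. It assumes user members are listed by short name in GroupMembership and does not handle nested groups; the function names and the script name are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread): keep com.apple.access_screensharing
# in step with an allowlist of user short names. Run as root (sudo).
GROUP="com.apple.access_screensharing"

# Current user members, space-separated (macOS only).
# Assumption: members are listed by short name in GroupMembership.
# Only a real "GroupMembership:" line is accepted, so an error message
# from dscl is never mistaken for a member list.
current_members() {
    dscl . -read "/Groups/$GROUP" GroupMembership 2>/dev/null |
        sed -n 's/^GroupMembership: *//p'
}

# plan_acl "<desired users>" "<current members>"
# Prints "add NAME" / "remove NAME" lines; prints nothing when in sync.
# Runs in a subshell with globbing off so names are split on whitespace only.
plan_acl() (
    set -f
    desired=$1
    current=$2
    for u in $desired; do
        printf '%s\n' $current | grep -qxF -- "$u" || echo "add $u"
    done
    for u in $current; do
        printf '%s\n' $desired | grep -qxF -- "$u" || echo "remove $u"
    done
)

# Apply the plan with the dseditgroup calls shown in the post above.
apply_acl() {
    # Create the group if missing; never delete it here, since per the post
    # deleting it switches Screen Sharing back to "All users".
    dscl . -read "/Groups/$GROUP" >/dev/null 2>&1 ||
        dseditgroup -o create -q "$GROUP"
    plan_acl "$1" "$(current_members)" | while read -r action user; do
        echo "$action $user"
        case $action in
            add)    dseditgroup -o edit -a "$user" -t user "$GROUP" ;;
            remove) dseditgroup -o edit -d "$user" -t user "$GROUP" ;;
        esac
    done
}

# Usage: sudo ./screensharing_acl.sh --apply "student1 student2"
if [ "${1:-}" = "--apply" ]; then
    apply_acl "${2:-}"
fi
```

Passing an empty allowlist removes every listed member but leaves the group itself in place, which is not the same as deleting the group.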
Posted on 10-29-2020 08:52 AM
@MacConsultant When I run your command I get a "Username and password must be provided" in the terminal
dseditgroup -o edit -a "DomainName*DomainGroupName*" -t group com.apple.access_screensharing
Where does this information go?
Posted on 05-28-2024 04:34 PM
@CapU You must run the command with sudo.