Setting Screen Sharing

tkimpton
Valued Contributor II

Hi guys

I'm trying to get a VPN solution working for our home users to connect in and VNC to their workstations. Problem is the ARD directory access is not going to work for the mobile accounts because I don't run OD and have a setup using ADmitMac.

Cutting a long story short, I have worked out that Screen Sharing activated for specific users in the System Preferences works and is what I need. Problem is I can't work out how to configure the access for specified users. I've looked at the ARD kickstart but that's for setting Remote Management and not Screen Sharing.

Does anyone in the community know how to set the access for Screen Sharing (not ARD) for currently 10.6.8 and possibly 10.7.4?

1 ACCEPTED SOLUTION

tkimpton
Valued Contributor II

Thanks Tim, you're f**kin awesome lol

Here is what I use now for self service

#!/bin/bash

# Home directory of the local vnc account
FILE=/private/var/vnc
# Non-empty if a local account called vnc already exists (exact match, so
# names that merely contain "vnc" don't count). Not named USER, because the
# shell already uses that variable for the current login.
VNCUSER=$(dscl /Local/Default -list /Users | grep -x vnc)

# Check to see if the account exists in dscl and the home folder is present
if [ -n "$VNCUSER" ] && [ -d "$FILE" ]; then

    # If found echo it exists to the shell
    echo "vnc account exists"

else

    # If the account and home folder don't exist then go and create it
    /usr/sbin/jamf createAccount -hiddenUser -username vnc -realname vnc -password DrillHall -home /private/var/vnc

fi

# GETTING THE CURRENT CONSOLE USER
# (the grep keeps only rufusleonard.hq directory accounts, so a local admin
# sitting at the console is skipped)
rluser=$(ls -l /dev/console | cut -d " " -f4 | grep rufusleonard.hq)

# Nothing to do if no domain user owns the console (login window, local admin)
if [ -z "$rluser" ]; then
    echo "No rufusleonard.hq user at the console"
    exit 1
fi

# SEE IF THE GROUP EXISTS
if dscl . list /groups | grep -q -x com.apple.local.ard_interact; then
    echo "Group already exists"

# CREATE THE GROUP IF DOESN'T EXIST
else
    dscl . -create /groups/com.apple.local.ard_interact
    dscl . -create /groups/com.apple.local.ard_interact PrimaryGroupID 1025

fi

# SEE IF CONSOLE USER IS IN THE GROUP (whole-word match, so "tkimp" does not
# pass for "tkimpton")
if dscl . read /groups/com.apple.local.ard_interact GroupMembership | grep -q -F -w "${rluser}"; then
    echo "rluser is already in the group"

    # DISPLAY A MESSAGE
    jamf displayMessage -message "Group already exists!

${rluser} is already a member of it!

You don't need to run this anymore!"

# ADD THE CONSOLE USER IF NOT IN THE GROUP
else
    dscl . -append /groups/com.apple.local.ard_interact GroupMembership "${rluser}"

    # DISPLAY A MESSAGE
    jamf displayMessage -message "Group created

${rluser} is now a member of the group

vnc account created and the default password must be changed!"

fi

# Allow the local vnc account to control and observe by modifying the trigger file
touch /Library/Management/Triggers/adminremotemanagement


6 REPLIES

Lhsachs
Contributor II

There are a few things to look at for this issue:
1. Having the workstations set to allow Remote Login and Remote Management - by specific users, with the options you choose set for observing, controlling, etc.
2. If your DNS is working - forward and reverse - and you know the user's system's name - once Screen Sharing is open, you should be able to connect with the system's name. (If you are on static IP, the IP address will get you to the system.)
3. Have the users at home know how to open Screen Sharing....

...If the users at home aren't running macs - they will need to set up a VNC password.

If assisted customers working at home via VPN through screen sharing - a great way to assist...

donmontalvo
Esteemed Contributor III

@Lhsachs I would be careful with that Sharing > VNC password feature...it's insecure. Anyone with the password can view/control the computer without the user being prompted. We use Remote Management instead, so any Mac on 10.5 or later can connect using local credentials (not the VNC password). This way each user has to use their account password.

--
https://donmontalvo.com

tkimpton
Valued Contributor II

Thanks guys.

VPN set allowing ports 5900 and 5901 only.
Macs to Mac only.
No DNS for security; they know their working reserved IP before they go home.
They have a 15-page instruction manual. They get training sessions.

As stated, I cannot use Remote Management with specific users in my environment. It doesn't work with mobile accounts and I don't have an OD set up, plus kickstart dirlogins won't work with ADmitMac.

In my test Screen Sharing enabled for specified users works, but I just need to know how to set this up via the command line. I don't want to go down the manual route.

This works to enable Screen Sharing on 10.6.8 but I have no idea about setting access for specified users.

sudo sh -c '/bin/echo -n enabled > /private/etc/ScreenSharing.launchd'

For now I can get Remote Management to work on 10.6.8 using a script and the jamf binary to create a local vnc account, and then using Casper Remote I get the user over and get them to change the vnc user's password.

Problem is I am thinking later down the road about 10.7 + where a vnc legacy password doesn't work anymore anyway and the vnc virtual desktop confusion/nightmare. I'd like them to authenticate as themselves and not log in as the local account vnc.

For Remote Management to work I think I need to create the ARD groups using dscl.

These would be:
com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_report

Here is what I looked at but it says to create them with WGM locally. Does anyone know how to create these from the command line using dscl?

http://tinyurl.com/cjvf5y

tkimpton
Valued Contributor II

I answered my own question lol.

  1. I created the group com.apple.local.ard_interact using WGM in the local node and added myself

  2. I found I had to add this to my ARD script

    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes

  3. I found I also still had to specify my access

# GETTING THE CURRENT CONSOLE USER
consoleuser=$(ls -l /dev/console | cut -d " " -f4)

# Allow the console user's account access
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs -ControlObserve -ShowObserve -users "${consoleuser}"

  4. I can now VNC authenticate using my mobile cached account from my home Mac to my work laptop :)

Please can someone help me with how to create the following groups using dscl in a script:

com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_report

My idea to help automate it as much as possible is to just use a command to add a user to the com.apple.local.ard_interact group when needed :)

tkimpton
Valued Contributor II

So far I have the below, but I need to work out how to exclude a local admin account when querying the console user. hmmmmmmmm...

#!/bin/bash
# GETTING THE CURRENT CONSOLE USER
consoleuser=$(ls -l /dev/console | cut -d " " -f4)

# SEE IF THE GROUP EXISTS
if dscl . list /groups | grep -q -x com.apple.local.ard_interact; then
    echo "Group already exists"

# CREATE THE GROUP IF DOESN'T EXIST
else
    dscl . -create /groups/com.apple.local.ard_interact
    dscl . -create /groups/com.apple.local.ard_interact PrimaryGroupID 1025
fi

# SEE IF CONSOLE USER IS IN THE GROUP (whole-word match so a prefix of the
# name is not accepted)
if dscl . read /groups/com.apple.local.ard_interact GroupMembership | grep -q -F -w "${consoleuser}"; then
    echo "Console user is already in the group"

# ADD THE CONSOLE USER IF NOT IN THE GROUP
else
    dscl . -append /groups/com.apple.local.ard_interact GroupMembership "${consoleuser}"
fi
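Pulling the thread's pieces into one idempotent script, as an added example that is not tkimpton's Self Service script or anything from Jamf: it reads the console owner with stat, refuses local admin and system accounts (the open question above) using a constructed EXCLUDE list, creates com.apple.local.ard_interact if it is missing, appends the user only when not already an exact member, and then runs the kickstart dirlogins option from the thread plus -setvnclegacy -vnclegacy no, which I add to address donmontalvo's point about the shared VNC password. The function names, the EXCLUDE list, the GID and the "apply" argument are my assumptions; dscl and kickstart are the real macOS tools.

```shell
#!/bin/bash
# Added example, not tkimpton's Self Service script: grant the console user
# VNC access through the com.apple.local.ard_interact group, idempotently,
# while refusing local admin and system accounts.
# Assumptions: macOS with dscl and the ARD kickstart tool; the EXCLUDE list
# below is a constructed sample; "apply" as the first argument is my convention.
set -u

GROUP="com.apple.local.ard_interact"
GROUP_GID=1025   # same GID the thread used; pick one unused in your fleet
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# Constructed list of local accounts that must never be granted interact rights.
EXCLUDE="root loginwindow _mbsetupuser localadmin"

# Print the short name of the account that owns the console (empty at login window).
console_user() {
    /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}

# Usage: is_excluded NAME -> exit status 0 if NAME is empty or listed in EXCLUDE
is_excluded() {
    local name="$1" x
    [ -z "$name" ] && return 0
    for x in $EXCLUDE; do
        [ "$x" = "$name" ] && return 0
    done
    return 1
}

# Usage: in_group NAME MEMBERSHIP_LINE -> exit status 0 if NAME is an exact member.
# MEMBERSHIP_LINE is the "GroupMembership: a b c" line printed by dscl -read,
# so "tkimp" is not mistaken for "tkimpton" the way a bare grep would.
in_group() {
    local name="$1" m
    local members="${2#GroupMembership:}"
    for m in $members; do
        [ "$m" = "$name" ] && return 0
    done
    return 1
}

# Create the group if it is missing and append NAME only when not already a member.
# This is the only function that writes to the directory.
ensure_member() {
    local name="$1" line
    if ! dscl . -read "/Groups/$GROUP" >/dev/null 2>&1; then
        dscl . -create "/Groups/$GROUP"
        dscl . -create "/Groups/$GROUP" PrimaryGroupID "$GROUP_GID"
    fi
    line=$(dscl . -read "/Groups/$GROUP" GroupMembership 2>/dev/null)
    if in_group "$name" "$line"; then
        echo "$name is already in $GROUP"
    else
        dscl . -append "/Groups/$GROUP" GroupMembership "$name"
        echo "added $name to $GROUP"
    fi
}

# Make ARD honour directory group membership (from the thread) and turn off the
# shared VNC legacy password so every session authenticates as a real account.
configure_ard() {
    "$KICKSTART" -configure -clientopts -setdirlogins -dirlogins yes
    "$KICKSTART" -configure -clientopts -setvnclegacy -vnclegacy no
    "$KICKSTART" -restart -agent
}

main() {
    local user
    user=$(console_user)
    if is_excluded "$user"; then
        echo "console user '${user:-none}' is excluded; nothing changed" >&2
        exit 1
    fi
    ensure_member "$user"
    configure_ard
}

# Only touch the system when invoked as: sudo ./ard_interact.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Without the apply argument the script defines its functions and exits, so the pure checks (is_excluded, in_group) can be sourced and exercised on any machine; only ensure_member and configure_ard need a Mac and root.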
