Posted on 10-08-2014 06:48 AM
I'm working to get a bunch of OS X machines discoverable on my work network so that they can be managed by SCCM/Parallels SCCM Plug-In.
So far the best solution i have is to physically touch each machine and enable remote mgmt, vnc, and ssh. I have a shell script using kickstart that will do the remote management and vnc configuration, but i can't figure out what command in there would also enable ssh.
Here's what I have so far:
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw ** -restart -agent" password "" with administrator privileges
So...
Thanks in advance!
Solved! Go to Solution.
Posted on 10-08-2014 07:23 AM
Posted on 10-08-2014 08:04 AM
Heres how I enable ARD, Remote Management and remote login for one user/group (Local administrator account)
# Enable ARD, Remote Management, and Remote Login (SSH) - 1. Removes Administrators Group from Remote login, 2 & 3. Creates xxxxxxxxx Membership, 4 & 5. Adds xxxxxxxxx User to Remotelogin then activates.
sudo dseditgroup -o edit -d admin -t group com.apple.access_ssh
sudo dscl . append /Groups/com.apple.access_ssh user xxxxxxxxx
sudo dscl . append /Groups/com.apple.access_ssh GroupMembership XXXXXX
sudo dscl . append /Groups/com.apple.access_ssh groupmembers `dscl . read /Users/xxxxxxxxx GeneratedUID | cut -d " " -f 2`
sudo systemsetup -setremotelogin on
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users xxxxxxxxx -access -on -privs -all
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -activate -restart -console
Posted on 10-08-2014 07:13 AM
We use the following command to enable SSH this is strictly for our management and service accounts though not all users.
#!/bin/bash /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users (Account name for SSH) -privs -all -restart -agent -menu
Posted on 10-08-2014 07:23 AM
This command will enable ssh:
systemsetup -setremotelogin on
Posted on 10-08-2014 07:50 AM
thanks! I knew it was something like that but unfortunately everything I guessed at wouldn't work.
I don't see how that would enable ssh specifically? In my experience with that syntax it only enables Remote Management. Unless it DOES enable SSH but the GUI doesn't reflect it maybe?
Posted on 10-08-2014 08:04 AM
Heres how I enable ARD, Remote Management and remote login for one user/group (Local administrator account)
# Enable ARD, Remote Management, and Remote Login (SSH) - 1. Removes Administrators Group from Remote login, 2 & 3. Creates xxxxxxxxx Membership, 4 & 5. Adds xxxxxxxxx User to Remotelogin then activates.
sudo dseditgroup -o edit -d admin -t group com.apple.access_ssh
sudo dscl . append /Groups/com.apple.access_ssh user xxxxxxxxx
sudo dscl . append /Groups/com.apple.access_ssh GroupMembership XXXXXX
sudo dscl . append /Groups/com.apple.access_ssh groupmembers `dscl . read /Users/xxxxxxxxx GeneratedUID | cut -d " " -f 2`
sudo systemsetup -setremotelogin on
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users xxxxxxxxx -access -on -privs -all
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -activate -restart -console
Posted on 10-08-2014 08:29 AM
Thank you, that's helpful! Maybe you answer my next questions:
Do you have that as a shell script? How do you execute that set of commands? If you look at my OP, can i just append the existing script with the sudo systemsetup -setremotelogin on above or below it?
Sorry for the noob questions, in this field I'm a noob of the highest order. Trying to figure out the difference between running command line operations, turning them into shell scripts, and whether or not i even NEED AppleScript at all...
Thanks again.
Posted on 10-08-2014 08:36 AM
This is a bash/shell script that runs during imaging a workstation at our company (at reboot). Casper can auto enable SSH when imaging however I always find to have a redundant command put in place to ensure it will take affect. If you asking on how to enable SSH on a machine that doesn't have it enabled, there a few ways mention above you can do it (If you have local access to that workstation) if not, ARD from Apple Inc is a good tool to have it you have remote access enabled but do not have SSH access enable.
Posted on 10-08-2014 08:47 AM
@kepgnar you mentioned in your OP that you were trying to get these machines into SCCM. Do you have them in Capser already and you're just trying to add them to SCCM? Or are they only in SCCM?
If the machines are in Casper already, you can simply create a script in your JSS to enable ARD/VNC/SSH:
#!/bin/sh
# Enable ARD & VNC
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw ******** -restart -agent
# Enable SSH
systemsetup -setremotelogin on
Then just set that in a Policy to run once against all of your machines.
If, however, these machines are not in Casper or SCCM, you'll most likely need to either visit each machine, or use AppleScript to create an app that your users can run. I haven't messed with AppleScript in quite a few years, so I'm not certain what the exact syntax is.
Posted on 10-08-2014 09:12 AM
we do not have Casper, or OS X server or anything like that. I've been running ARD from my own machine and building up a collection of computers as best I can, but we are really in the beginning stages of being able to manage Macs remotely.
I believe our end goal is to use SCCM and Parallels' SCCM Plug-In for Mac in conjunction with OS X server (maybe).
Thanks for all your help
Posted on 10-08-2014 12:15 PM
Added tidbit:
You may discover for some hosts that ssh is already turned on, but the allowed users list is limited to the End User, and not to your administration account. In such cases the following command is useful (where xxxxxxxx is the name of your desired administrator account:
sudo dscl . -append /Groups/com.apple.access_ssh GroupMembership xxxxxxxxx
Posted on 10-09-2014 06:18 AM
@drheiner or anyone else,
would it be overkill to add these script items as a launchd process? would it harm anything? my thinking is that if i add it to our base image as a launchd, then it would lessen the probability that it gets turned off or stops working, since it would run on reboot.
thoughts?
Posted on 10-09-2014 10:07 AM
I worked this out a few years ago, before we got Casper. Although in retrospect, you would probably want to edit to provide access for just your admin user instead of all. I didn't bother with SSH, since if we have guaranteed full access with ARD, we could always use it to turn SSH back on.
For making sure ARD stays on:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.YOURCOMPANY.ard</string>
<key>Program</key>
<string>/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart</string>
<key>ProgramArguments</key>
<array>
<string>kickstart</string>
<string>-activate</string>
<string>-configure</string>
<string>-allowAccessFor</string>
<string>-allUsers</string>
<string>-privs</string>
<string>-all</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>WatchPaths</key>
<array>
<string>/private/etc/RemoteManagement.launchd</string>
</array>
</dict>
</plist>
For making sure they do not limit "Allowed accounts" to no one, or deselect ARD options:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.YOURCOMPANY.ardargs</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/usr/libexec/PlistBuddy -c "Set :ARD_AllLocalUsersPrivs 1073742079" /Library/Preferences/com.apple.RemoteManagement.plist;/usr/libexec/PlistBuddy -c "Set :ARD_AllLocalUsers true" /Library/Preferences/com.apple.RemoteManagement.plist</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>WatchPaths</key>
<array>
<string>/Library/Preferences/com.apple.RemoteManagement.plist</string>
</array>
</dict>
</plist>
Posted on 10-09-2014 01:25 PM
Thank you very much! that is extremely helpful!
for the second script you have (restricting users from making changes) will that persist even if the end user has Admin privileges?
Posted on 10-09-2014 01:40 PM
Yes.... but of course if one has admin privileges, you really can't make it fool proof. Only really works against people who either don't know how daemons are run or aren't really committed to finding a way around it. It's really why a management suite like Casper is the bee's knees. You can't even keep Casper running against someone with admin privs if they are determined, (people even go so far as to re-image a computer after it is turned over to them), so but what you CAN do is provide them with services and goodies that they can only get with Casper. Carrot instead of stick. I believe that Facebook works this way. "Sure you can choose to uninstall Casper, but wouldn't you like to use the company's VPN? 'cause you're locked out without it."
The insidious thing about the second daemon is it isn't obvious that it is subverting their edits. They go in and uncheck all the options or Allow Only [no one] and as soon as they close the System Preferences window, it reverts back.
Posted on 10-09-2014 01:46 PM
At some point the person in charge of setting up Macs here (they are no longer with the company) decided the best option was to make every end user an Admin. Since there was no management tools, it really wasn't a horrible idea, but obviously not best practice. So I'm trying to fix all that and get us up to snuff. However I don't think Casper is something we will use, unless we really NEED something else besides SCCM and the Parallels Mac Mgmt tool.
Insidious? I'm fine with that ;)
I realize this forum is really for Casper users, but so far this has been the most helpful place I've tried in getting answers to Mac-related questions. So, thanks to everyone, and I hope my breaking the rules isn't bumming anybody out too bad.
Posted on 05-27-2015 09:00 AM
Hi there,
Couple of quick questions about this, I like it a lot, I want to use a plist converter to turn it into a xml for Casper to use as a config profile. If I want to add multiple users can I add them in the same string or do I have to make another line for each one i.e. allowAccessFor followed up by user then allowAccessFor and then followed by next user or can I put the users in one line separated by commas? i.e....
"<string>-allowAccessFor<string>"
"<string>-User1<string>"
"<string>-allowAccessFor<string>"
"<string>-User2<string>"
Next question does the "privs" and "all" part enable everything in the remote management options? If I want to exclude stuff would you know how I would do that? or Again would I have to pass "privs" for each access I would like to enable? i.e.
"<string>-privs<string>"
"<string>-DeleteFiles<string>"
"<string>-privs<string>"
"<string>-ControlObserve<string>"
Hoping you are still on here and thanks in advance!
Posted on 05-27-2015 09:04 AM
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app//Contents/Resources/kickstart -help
Posted on 05-27-2015 09:13 AM
Ahh thanks, that makes a bit more sense now in the terminal as opposed to looking at it through a text editor.
Posted on 05-27-2015 10:30 AM
Incidentally, (and not entirely off thread, since it activates these services on demand) I recently posted a way I worked out to set up ARD and SSH access to assets not on the corporate network and posted my methods to a thread requesting that feature from JAMF. It assumes a proxied JSS, so that the user can request help through Self Service when not on the network. If you are interested, you can find it here:
Casper Remote over the Internet
It does much the same thing as TeamViewer, but since it leverages ScreenSharing.app it benefits from drag and drop file transfers, since it sets up services on an SSH tunnel through a proxy, it also gives you command line access to the box. It emails you per support incident the necessary info to use the same connection on Apple Remote Desktop.app instead... I just couldn't find a way to automate that. And perhaps best of all, it's free of charge (or free of guilt, if you are currently using TeamViewer unlicensed).
If anyone has suggestions for improving the script, I would appreciate it. I am at best a distracted hack on scripting, and it could use some advice on making the connection more robust and secure.