As a Managed Service Provider you try to accomplish as many tasks remotely as possible to avoid the cost of travelling to site. If you have a client who runs a Mac shop you will probably already be familiar with Apple Remote Desktop (ARD).

Here is how to enable ARD remotely on a Mac, provided the client has already unboxed the Mac, plugged it in and created an account on it. They will also need to enable SSH by going to System Preferences > Sharing > Remote Login.

Connect to the client site via the VPN and log in via SSH. Type the following command into Terminal:

```sh
ssh username@hostname
```

where `username` is the account name that has been set up and `hostname` is the fully qualified name or IP address of the Mac.

Then type in (or copy and paste) the following command:

```sh
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all
```

Running this command enables Apple Remote Desktop for every user on the Mac, with full privileges (`-privs -all`). Once you have done this you will be able to connect to the Mac remotely using ARD and customize the privileges to suit the environment; restricting access to named accounts (`-allowAccessFor -specifiedUsers -users ...`, as in the post below) is a sensible first change. Note that on macOS 12.1 and later the kickstart route on its own no longer gives a working session, as the following post describes.

I spent the last several days being confused by (1) how the change would impact my environment, (2) Apple's documentation, (3) mixed reports from others about whether their prior methods for enabling Screen Sharing / Remote Management were still working as usual for them on Monterey 12.1, and (4) disagreement over what components of their existing solutions were even required to have functional Screen Sharing. I came across multiple Slack threads where people were confused by Apple's documentation not matching their observations about existing solutions involving kickstart and PPPC configuration profiles.

The only macOS machines I manage are build servers used for continuous integration (CI), not for regular use, so I am looking at this for this somewhat niche use-case. But, as I'm learning how to make use of MDM on headless build machines, what I dug up seems generally relevant for others leveraging Screen Sharing / Remote Desktop in their environments. So, this post is both a recap of what I've been able to make sense of and some ideas/research that I hope clarifies things going forward.

Prior to 12.1, it was possible to enable Screen Sharing by simply running this:

```sh
kickstart=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
$kickstart -configure -allowAccessFor -specifiedUsers
$kickstart -configure -access -on -users admin -privs -all
```

Confusingly, Apple did document that this would allow view-only as of macOS 10.14 Mojave, but this wasn't what I observed.

What I experience as of macOS 12.1 (and this seems mostly echoed by others I talk with on the MacAdmins Slack) is that enabling Screen Sharing / Remote Management using either of the above methods leads to either a blank screen or a connection that just stalls forever, even though the target machine will display a popover from the menu bar with a message to the effect of "this screen is currently being observed."

The underlying cause for this behaviour change is that the Screen Sharing service is now fully gated behind the TCC (Transparency, Consent, and Control) mechanisms in macOS. These prevent a service from, for example, recording a machine's screen without the user's explicit permission. Usually these grants show up in the Privacy pane of System Preferences, but Screen Sharing / Remote Management don't seem to show up in that list.

Apple's release notes point to this support document, which at the time of writing states that if your target machine is enrolled in MDM, it is possible to send an MDM command to enable Remote Desktop, and optionally a PPPC payload configuration profile granting PostEvent rights to the service, in order to allow control. Sending only the command, without any PPPC configuration profile, is sufficient to allow view and control.

Upon reading the aforementioned KB it took me some back and forth to understand that the actual command it is hinting at is EnableRemoteDesktop, as described in the developer documentation. That document also describes exactly what capabilities are enabled by the command, which match what I see from my experiments.

Update: since originally publishing this article, it seems that the above KB has been simplified (its last update as of today is January 26, 2022) to remove the details of how to grant PostEvent permissions in a PPPC payload profile. The article now also explains the simplified (broad) scope of user permissions for Remote Desktop.

It seems the other Apple-focused MDMs all support this command as a UI feature, and the API-driven open-source projects microMDM and nanoMDM support this command as well.
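As an added example (my own code, not code from either post above and not the kickstart, microMDM or nanoMDM projects' own code), here is a small Python helper that ties the two routes on this page together: it picks the pre-12.1 kickstart route or the 12.1-and-later MDM route from a macOS version string, builds the kickstart invocation (the how-to's all-users form or the restricted form from the second post), serialises the MDM EnableRemoteDesktop command (the RequestType named in Apple's developer documentation) as the plist an MDM server would push, and interprets the device's reply. The function names, the 12.1 cut-off (taken from the post), the nanoMDM enqueue path mentioned in a comment and the two sample device replies are my assumptions and constructions; the plist layout (CommandUUID plus a Command dictionary carrying RequestType, and Status/ErrorChain in the reply) follows the MDM protocol.

```python
"""Added example: choose between the kickstart and EnableRemoteDesktop routes.
Not code from either post above nor from kickstart/microMDM/nanoMDM.
Names, the 12.1 cut-off and the sample replies are constructed here."""
from __future__ import annotations

import plistlib
import uuid
from typing import Optional

KICKSTART = ("/System/Library/CoreServices/RemoteManagement/"
             "ARDAgent.app/Contents/Resources/kickstart")


def parse_macos_version(version: str) -> tuple:
    """'12.1' -> (12, 1, 0); missing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def needs_mdm_enable(version: str) -> bool:
    """True when Screen Sharing is TCC-gated (macOS 12.1 and later, per the
    post above), so kickstart alone yields a blank or stalled session."""
    return parse_macos_version(version) >= (12, 1, 0)


def kickstart_argv(users: Optional[list] = None) -> list:
    """Pre-12.1 route. users=None reproduces the how-to's all-users command;
    a list of account names restricts access to those accounts only."""
    argv = ["sudo", KICKSTART, "-activate", "-configure"]
    if users is None:
        return argv + ["-access", "-on", "-restart", "-agent", "-privs", "-all"]
    return argv + ["-allowAccessFor", "-specifiedUsers", "-access", "-on",
                   "-users", ",".join(users), "-privs", "-all",
                   "-restart", "-agent"]


def enable_remote_desktop_command(command_uuid: Optional[str] = None) -> bytes:
    """12.1+ route: the MDM command plist the server pushes to the device.
    With nanoMDM this body is PUT to /v1/enqueue/<enrollment-id> using the
    server's API credentials (URL, key and id are deployment-specific; assumed)."""
    command = {
        "CommandUUID": command_uuid or str(uuid.uuid4()).upper(),
        "Command": {"RequestType": "EnableRemoteDesktop"},
    }
    return plistlib.dumps(command)


def command_status(response: bytes) -> tuple:
    """Interpret the device's reply: ('Acknowledged', None) on success,
    ('Error', '<description>') when the device reports an ErrorChain."""
    reply = plistlib.loads(response)
    status = str(reply.get("Status", "Unknown"))
    chain = reply.get("ErrorChain") or []
    detail = "; ".join(
        str(e.get("LocalizedDescription") or e.get("ErrorCode", "?")) for e in chain
    ) or None
    return status, detail


# Constructed sample replies (shape follows the MDM protocol; values are made up).
SAMPLE_ACK = plistlib.dumps({
    "Status": "Acknowledged", "CommandUUID": "CMD-1", "UDID": "00000000-TEST",
})
SAMPLE_ERR = plistlib.dumps({
    "Status": "Error", "CommandUUID": "CMD-2", "UDID": "00000000-TEST",
    "ErrorChain": [{"ErrorCode": 12345, "ErrorDomain": "ExampleDomain",
                    "LocalizedDescription": "constructed failure"}],
})


def plan(version: str, users: Optional[list] = None) -> dict:
    """Pick the route for a macOS version and return what has to be sent."""
    if needs_mdm_enable(version):
        return {"route": "mdm", "payload": enable_remote_desktop_command()}
    return {"route": "kickstart", "argv": kickstart_argv(users)}


if __name__ == "__main__":
    for v in ("11.6.2", "12.1"):
        p = plan(v, ["admin"])
        if p["route"] == "kickstart":
            print(v, "->", " ".join(p["argv"]))
        else:
            print(v, "->", p["payload"].decode())
    print(command_status(SAMPLE_ACK), command_status(SAMPLE_ERR))
```

The version gate is deliberately the only thing that decides the route: the post's finding is that on 12.1 the MDM command alone is enough for view and control, so no PPPC payload is generated here. Check `command_status` on the real reply before assuming the service is up, since a TCC-related failure surfaces as an `Error` status with an ErrorChain rather than as a connection that merely stalls.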