2

I'm looking for a way to programmatically enable Screen Sharing and Remote Login on macOS to help with automated provisioning of new machines.

I'm running the following code in a .sh script on the new machine:

    # Enable screensharing for remote management
    sudo defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
    sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
    # Enable remote login for remote management
    sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

Once run, the Screen Sharing and Remote Login services are checked as On in the System Preferences > Sharing menu.

However when I initiate a screen sharing session using Connect to Server (Cmd + K in Finder) and enter an administrator password, the screen sharing connects but the remote session only sees a black screen.

The screen is displayed through the Connect to Server screen sharing session when I go to the physical machine and uncheck/check "Screen Sharing". However I would like to avoid any manual set up steps if possible.

Has anyone had luck setting up Screen Sharing and Remote Login programmatically using a different command/method?

monterey

1 Answer

1

Once I can ssh, I use this snippet:

    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users localadmin -access -on -privs -all

I can't recall where I learned it.

Edit July 26, 2023: I came across AdminRemoteControl from the outset project.

    #!/bin/bash

    # Turn on Remote Login System Prefs (ssh)
    sudo /usr/sbin/systemsetup -setremotelogin on;

    # Turn on Remote Apple Events System Prefs
    sudo /usr/sbin/systemsetup -setremoteappleevents on;

    # Turn on Remote Management System Prefs

    error=0

    # From Rich Trouton. Turning on ARD and setting access in Mojave

    # To use this script to assign Apple Remote Desktop permissions, define the following:
    #
    # The username of the account that needs to be assigned Apple Remote Desktop permissions.
    # The name of the Apple Remote Desktop management group which assigns the right permissions.
    #
    # The Apple Remote Desktop group permissions are defined below:
    #
    # Name: com.apple.local.ard_admin
    # Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
    #                  Delete and replace items, Send messages, Restart and Shut down, Control,
    #                  Observe, Show being observed
    #
    # Name: com.apple.local.ard_interact
    # Assigned rights: Send messages, Control, Observe, Show being observed
    #
    # Name: com.apple.local.ard_manage
    # Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
    #                  Delete and replace items, Send messages, Restart and Shut down
    #
    # Name: com.apple.local.ard_reports
    # Assigned rights: Generate reports
    #
    # For example, to assign all Apple Remote Desktop permissions to an account named
    # "administrator", the user and group variables should appear as shown below:
    #
    # arduser="administrator"
    # ardgroup="com.apple.local.ard_admin"
    #
    # To assign only the permissions to screenshare and send messages to an account
    # named "helpdesk", the user and group variables should appear as shown below:
    #
    # arduser="helpdesk"
    # ardgroup="com.apple.local.ard_interact"
    #

    arduser="admin"
    ardgroup="com.apple.local.ard_admin"

    # Do not edit below this line.

    CreateGroups(){

    # This function will create groups as needed using the dseditgroup tool.

    /usr/sbin/dseditgroup -n /Local/Default "$groupname"
      if [ $? != 0 ]; then
          echo "$groupname group does not exist.  Creating $groupname group."
          /usr/sbin/dseditgroup -n /Local/Default -o create "$groupname"
      else
          echo "$groupname group already exists."
      fi
    }

    CreateAppleRemoteDesktopGroups(){

    # This function will use the CreateGroups function to create the local groups used by
    # Apple Remote Desktop's directory-based permissions management.

    # To create the com.apple.local.ard_admin group

    groupname=com.apple.local.ard_admin

    CreateGroups

    # To create the com.apple.local.ard_interact group

    groupname=com.apple.local.ard_interact

    CreateGroups

    # To create the com.apple.local.ard_manage group

    groupname=com.apple.local.ard_manage

    CreateGroups

    # To create the com.apple.local.ard_reports group

    groupname=com.apple.local.ard_reports

    CreateGroups

    }

    AddUsersToAppleRemoteDesktopGroups(){

       # This function will add users to the groups used by Apple Remote Desktop's directory-based management:

        /usr/sbin/dseditgroup -o edit -a "$arduser" -t user "$ardgroup"
        echo "Added $arduser to $ardgroup"
    }

    EnableAppleRemoteDesktopDirectoryManagement(){

    ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

    # Turn on Apple Remote Desktop by activating
    # the Apple Remote Desktop management agent

    $ardkickstart -activate

    # Allow Apple Remote Desktop access only for specified users

    $ardkickstart -configure -allowAccessFor -specifiedUsers

    # Enable Apple Remote Desktop management groups

    $ardkickstart -configure -clientopts -setdirlogins -dirlogins yes

    # Restart the Apple Remote Desktop agent process

    $ardkickstart -restart -agent &

    }

    VerifyUser(){

    /usr/bin/id "$arduser"
    if [ $? != 0 ]; then
       echo "Unable to set specified Apple Remote Desktop permissions!"
       echo "$arduser account not found on this Mac."
       error=1
       exit "$error"
    else
       echo "$arduser account verified as existing on this Mac. Proceeding..."
    fi

    }


    if [[ -n "$arduser" ]] && [[ -n "$ardgroup" ]]; then

       # Verify that the specified user account exists.

       VerifyUser

       # Create Apple Remote Desktop management groups
       # and add the specified user account to the
       # specified management group.

       CreateAppleRemoteDesktopGroups
       AddUsersToAppleRemoteDesktopGroups

       # Turn on Apple Remote Desktop and configure
       # it to use Apple Remote Desktop's directory-based
       # management to assign permissions.

       EnableAppleRemoteDesktopDirectoryManagement

    else
       echo "Unable to set specified Apple Remote Desktop permissions!"
       echo "arduser variable is set to: $arduser"
       echo "ardgroup variable is set to: $ardgroup"
       error=1
    fi

    exit $error

John Schmitt
  • 2
    There seems to be a variant of `kickstart` documented by Apple here: `sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate`. However, on the same documentation I notice that the `kickstart` command will be deprecated in macOS Monterey: "In macOS 12.1 or later, Screen Sharing can’t be enabled by the kickstart command-line tool." So I'll not rely on this as it seems like it won't be supported in future macOS versions. – monterey Feb 14 '22 at 03:33
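
Added example, not part of the answer or of the outset project: a post-provisioning audit that reports any account holding Apple Remote Desktop rights through the four `com.apple.local.ard_*` groups beyond the one the script was configured to add. The helper names `parse_members`, `unexpected_members` and `audit_ard` are hypothetical, and the policy (one user in one group, the other groups empty) is an assumption taken from the script's `arduser`/`ardgroup` defaults.

```shell
#!/bin/bash
# Added example: audit membership of the ARD directory-login groups.

# The four groups the provisioning script creates.
ARD_GROUPS="com.apple.local.ard_admin com.apple.local.ard_interact
com.apple.local.ard_manage com.apple.local.ard_reports"

# parse_members: read the output of
#   dscl . -read /Groups/<group> GroupMembership
# on stdin and print one member per line. A group with no members
# ("No such key: GroupMembership") yields no output.
parse_members() {
  sed -n 's/^GroupMembership:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# unexpected_members ALLOWED: read member names on stdin and print those
# missing from the space-separated ALLOWED list. Returns 1 if any are found.
unexpected_members() {
  local allowed=" $1 " m rc=0
  while IFS= read -r m; do
    case "$allowed" in
      *" $m "*) ;;
      *) echo "$m"; rc=1 ;;
    esac
  done
  return "$rc"
}

# audit_ard GROUP USER: policy is that USER is the only member of GROUP and
# the other three ARD groups are empty. Prints one DRIFT line per violation.
audit_ard() {
  local want_group="$1" want_user="$2" g allowed extra rc=0
  for g in $ARD_GROUPS; do
    allowed=""
    if [ "$g" = "$want_group" ]; then allowed=$want_user; fi
    extra=$(dscl . -read "/Groups/$g" GroupMembership 2>/dev/null |
            parse_members | unexpected_members "$allowed") || rc=1
    if [ -n "$extra" ]; then echo "DRIFT $g:" $extra; fi
  done
  return "$rc"
}

# Run only where dscl exists (macOS); values match the script's defaults.
if command -v dscl >/dev/null 2>&1; then
  audit_ard "com.apple.local.ard_admin" "admin" ||
    echo "ARD group membership differs from policy" >&2
fi
```

A non-zero return from `audit_ard` can fail the provisioning run, so a machine never leaves setup with extra accounts able to observe or control it.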