Using Apple Remote Desktop Admin to help script ARD kickstart options
Apple Remote Desktop is a tool that just about every Mac admin uses at some point. The client is built into OS X and it’s usually straightforward to turn on. It also includes a command line tool called kickstart which can be used to configure the Apple Remote Desktop client. The kickstart tool is useful because you can use it to script your configuration. That said, if you have a complex ARD configuration, getting the kickstart options correct can be tricky.
One way to help with this is to have Apple Remote Desktop Admin do the kickstart configuration work for you.
Apple Remote Desktop Admin contains the option to create an Apple Remote Desktop client installer. This is available under the File menu as the Create Client Installer… option. This option can be leveraged to create a customized installer that contains the needed kickstart configuration.
1. Launch Apple Remote Desktop Admin
2. Select File: Create Client Installer…
3. In the initial Create Client Installer window, select the Yes radio button under Would you like to customize?
4. Select the customization options you want
5. When finished customizing, save your installer somewhere convenient.
At this point, the kickstart configuration you need is buried deep inside the package in a file named postflight_kickstart_entries. Apple Remote Desktop Admin 3.6.1 saves its installers as a flat package, so you will need to use Pacifist or Apple’s pkgutil command-line tool to extract and access the postflight_kickstart_entries file. Here’s how to do this with pkgutil:
1. Open Terminal and run the following command to expand the contents of the Remote Desktop client installer into a new directory. In this example, I’m expanding the contents into a directory named ard:
pkgutil --expand "/path/to/Custom Remote Desktop Installer.pkg" /path/to/ard
2. Run the following command to access the kickstart configuration stored in the postflight_kickstart_entries file:
pico /path/to/ard/RemoteDesktopClient.pkg/Scripts/Tools/postflight_kickstart_entries
3. Copy the contents into a convenient text editor and add the appropriate path for the kickstart utility. You will likely also have to add the -targetdisk configuration option. Here’s an example of how this may look:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -activate -configure -clientopts -setmenuextra -menuextra yes -configure -users 'administrator' -access -on -privs -TextMessages -GenerateReports -RestartShutDown -SendFiles -ChangeSettings -configure -allowAccessFor -specifiedUsers -privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings -restart -agent -menu
Note: The kickstart entries will be on multiple lines, but will need to be combined into one line.
4. Once you have the kickstart configuration options you need, you can put them into a script or payload-free package for deployment to your Macs.
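The steps above can be scripted so the result is reviewed before it is deployed. The following is an added example, not part of the original post or of Apple's tooling: the function names join_entries, list_privs and write_sample are hypothetical, and the sample entries are constructed by splitting the example command above across lines. It builds the single-line command and lists the privileges it would grant, without running kickstart.

```shell
#!/bin/sh
# Added example: build a reviewable kickstart command from an extracted
# postflight_kickstart_entries file. Nothing here runs kickstart itself.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# join_entries FILE: fold the multi-line entries into the single command line
# the article describes, adding the kickstart path and -targetdisk /.
join_entries() {
    args=$(awk '{ for (i = 1; i <= NF; i++) printf "%s%s", (n++ ? " " : ""), $i }' "$1")
    printf '%s -targetdisk / %s\n' "$KICKSTART" "$args"
}

# list_privs FILE: print every flag that follows a -privs option, unique and
# sorted, so the rights being granted can be checked before deployment.
# Assumption: a -privs run ends at one of the non-privilege options in "stop",
# which are the ones that appear in this page's example.
list_privs() {
    awk '
        BEGIN { n = split("-configure -restart -activate -clientopts -users -access -allowAccessFor", s, " ")
                for (i = 1; i <= n; i++) stop[s[i]] = 1 }
        { for (i = 1; i <= NF; i++) {
              if ($i == "-privs") p = 1
              else if (($i) in stop) p = 0
              else if (p) print $i
          } }
    ' "$1" | LC_ALL=C sort -u
}

# Constructed sample: the page's example command split across lines.
write_sample() {
    cat > "$1" <<'EOF'
-activate
-configure -clientopts -setmenuextra -menuextra yes
-configure -users 'administrator' -access -on -privs -TextMessages -GenerateReports -RestartShutDown -SendFiles -ChangeSettings
-configure -allowAccessFor -specifiedUsers -privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings
-restart -agent -menu
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
join_entries "$tmp"   # the one-line command to paste into a deployment script
list_privs "$tmp"     # the privileges that command grants
rm -f "$tmp"
```

Point the two functions at /path/to/ard/RemoteDesktopClient.pkg/Scripts/Tools/postflight_kickstart_entries to process a real extracted file.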
Very crafty
The note in this article:
> Note: The kickstart entries will be on multiple lines, but
> will need to be combined into one line.
Differs from Apple KBase HT2370 with regards to the “allowAccessFor” option:
> Note: Unlike other kickstart options, you cannot combine the
> allowAccessFor options with other kickstart options. You
> must use it like one of the examples above (items 6 and 7
> above). This means you may have to call kickstart more than
> one time to completely configure a computer.
Additionally, this odd line in the above postflight_kickstart_entries:
-configure -allowAccessFor -specifiedUsers -privs -DeleteFiles…
seems to be an ARD Admin error, since it’s mixing the Remote Desktop “Allow access for all local users” and “Allow access for specified local users” (why set generic privileges if only specific users are allowed access?). It seems to be created during the following scenario when creating a client installer/configuration:
– Check the box to “Set Remote Desktop access mode”
– Click the “Privileges…” button
– Set privileges and click “OK”
– Change the Remote Desktop access mode to “Allow access for specified local users”
Further to what Patrick has dug up with -allowAccessFor, is there any reason why you can’t just add the kickstart path to the beginning of each line in postflight_kickstart_entries and run the resulting file as a shell script? Less elegant, perhaps, but it would seem to mimic what the Installer is doing and therefore might be more robust.
I’m having to reexamine our first boot ARD setup script due to some robustness issues (randomly fails to enable requesting permissions). My original script was exactly as you described–add the path to kickstart in front of the lines of postflight_kickstart_entries, but I eventually had to break out enabling dirlogins into a separate invocation of kickstart.
Given what I’m seeing now, I’m beginning to think I need to test invoking kickstart with each individual configuration command.
FWIW, I’ve now tested it (i.e. adding kickstart to each line) and it works for me, but I am exclusively using local accounts.
I’m using Remote Desktop version 3.8. The dialog boxes look a little different from what’s shown here, and the postflight_kickstart_entries file has only this:
-restart -agent
Am I doing something wrong? Or is 3.8 so different from 3.6?
The “Create Client Installer…” option seems to have been removed in ARD Admin 3.9. References to the functionality are gone from the latest ARD online guide https://help.apple.com/remotedesktop/mac/3.9/#/apd8B1C65BD-8808-4F03-A545-A1EF2AFD103B
I’ve not found it in any of the menus either. The writing has been on the wall about .pkg’s for a while now, I suppose. Was a handy and mostly bulletproof option, though.