Using directory membership to manage Apple Remote Desktop permissions
Apple Remote Desktop (ARD) is a screen sharing and remote administration tool that just about every Mac admin uses at some point. Configuring access permissions for it can be done in several ways:
- Using System Preferences’ Sharing preference pane to configure the Remote Management settings.
- Using the kickstart command line utility to grant permissions to all or specified users.
- Using the kickstart command line utility to grant permissions to members of specified directories.
The last item may be the least-known method of assigning permissions, but it can be the most powerful, because it allows ARD’s management agent to be configured once and then use group membership to assign ARD permissions from that point on. For more details, please see below the jump.
As documented in the Apple Remote Desktop administrator guide, Apple’s directory-based permissions model looks like this:
```
Name: ard_admin
Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items,
                 Delete and replace items, Send messages, Restart and Shut down, Control,
                 Observe, Show being observed

Name: ard_interact
Assigned rights: Send messages, Control, Observe, Show being observed

Name: ard_manage
Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items,
                 Delete and replace items, Send messages, Restart and Shut down

Name: ard_reports
Assigned rights: Generate reports
```
In the past, these rights could be assigned via Apple’s Workgroup Manager using MCX, using a configuration like the one shown below:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>mcx_application_data</key>
    <dict>
        <key>com.apple.remotedesktop</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <key>ard_interact</key>
                        <array>
                            <string>some_group</string>
                            <string>staff</string>
                        </array>
                        <key>ard_manage</key>
                        <array>
                            <string>staff</string>
                        </array>
                        <key>ard_admin</key>
                        <array>
                            <string>my_admin_group</string>
                        </array>
                        <key>ard_reports</key>
                        <array>
                        </array>
                    </dict>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
</plist>
```
However, this MCX-based method does not seem to work on macOS High Sierra. I have not yet been successful when assigning them using a management profile.
A secondary method using local groups on the Mac still works as of macOS High Sierra.
To configure ARD permission management via assignment to a local group, the following procedure should be used:
1. Create the following groups on your Mac:
   - com.apple.local.ard_admin
   - com.apple.local.ard_interact
   - com.apple.local.ard_manage
   - com.apple.local.ard_reports

   Each group maps to the rights listed below:

```
Name: com.apple.local.ard_admin
Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items,
                 Delete and replace items, Send messages, Restart and Shut down, Control,
                 Observe, Show being observed

Name: com.apple.local.ard_interact
Assigned rights: Send messages, Control, Observe, Show being observed

Name: com.apple.local.ard_manage
Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items,
                 Delete and replace items, Send messages, Restart and Shut down

Name: com.apple.local.ard_reports
Assigned rights: Generate reports
```
2. Add the desired user(s) or groups to the relevant com.apple.local.ard_ group.
3. Configure ARD using the kickstart utility to recognize and use directory-based logins.
For example, the command shown below will enable the ARD management agent and configure it to use directory-based logins:
```
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -clientopts -setdirlogins -dirlogins yes
```
Once configured, ARD permissions can be assigned by adding accounts to, or removing them from, the relevant com.apple.local.ard_ groups. For example, adding a local user account named Administrator to the local com.apple.local.ard_admin group produces the following results.
Without any other configuration, the Administrator account now appears listed in the Remote Management settings.
The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:
- Generate reports
- Open and quit applications
- Change settings
- Copy Items
- Delete and replace items
- Send messages
- Restart and Shut down
- Control
- Observe
- Show being observed
Adding a local user account named User Name to the com.apple.local.ard_interact group produces the following results.
Without any other configuration, the User Name account now appears listed in the Remote Management settings.
The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:
- Control
- Observe
- Show being observed
To assist with creating these groups and assigning user accounts to them, I’ve written the following script. It does the following:
- Allows a username and group to be specified for ARD permissions
- Verifies that the username exists on the Mac
- Creates all four ARD permissions management groups
- Adds the specified user account to the specified management group
- Turns on ARD’s management agent and configures it to use ARD’s directory-based management to assign permissions
The script is available below. It’s also available from GitHub using the following link:
```bash
#!/bin/bash

error=0

# To use this script to assign Apple Remote Desktop permissions, define the following:
#
# The username of the account that needs to be assigned Apple Remote Desktop permissions.
# The name of the Apple Remote Desktop management group which assigns the right permissions.
#
# The Apple Remote Desktop group permissions are defined below:
#
# Name: com.apple.local.ard_admin
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down, Control,
#                  Observe, Show being observed
#
# Name: com.apple.local.ard_interact
# Assigned rights: Send messages, Control, Observe, Show being observed
#
# Name: com.apple.local.ard_manage
# Assigned rights: Generate reports, Open and quit applications, Change settings, Copy Items
#                  Delete and replace items, Send messages, Restart and Shut down
#
# Name: com.apple.local.ard_reports
# Assigned rights: Generate reports
#
# For example, to assign all Apple Remote Desktop permissions to an account named
# "administrator", the user and group variables should appear as shown below:
#
# arduser="administrator"
# ardgroup="com.apple.local.ard_admin"
#
# To assign only the permissions to screenshare and send messages to an account
# named "helpdesk", the user and group variables should appear as shown below:
#
# arduser="helpdesk"
# ardgroup="com.apple.local.ard_interact"
#

arduser=""
ardgroup=""

# Do not edit below this line.

CreateGroups(){
    # This function will create groups as needed using the dseditgroup tool.
    /usr/sbin/dseditgroup -n /Local/Default "$groupname"
    if [ $? != 0 ]; then
        echo "$groupname group does not exist. Creating $groupname group."
        /usr/sbin/dseditgroup -n /Local/Default -o create "$groupname"
    else
        echo "$groupname group already exists."
    fi
}

CreateAppleRemoteDesktopGroups(){
    # This function will use the CreateGroups function to create the local groups used by
    # Apple Remote Desktop's directory-based permissions management.

    # To create the com.apple.local.ard_admin group
    groupname=com.apple.local.ard_admin
    CreateGroups

    # To create the com.apple.local.ard_interact group
    groupname=com.apple.local.ard_interact
    CreateGroups

    # To create the com.apple.local.ard_manage group
    groupname=com.apple.local.ard_manage
    CreateGroups

    # To create the com.apple.local.ard_reports group
    groupname=com.apple.local.ard_reports
    CreateGroups
}

AddUsersToAppleRemoteDesktopGroups(){
    # This function will add users to the groups used by Apple Remote Desktop's directory-based management:
    /usr/sbin/dseditgroup -o edit -a "$arduser" -t user "$ardgroup"
    echo "Added $arduser to $ardgroup"
}

EnableAppleRemoteDesktopDirectoryManagement(){
    ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

    # Turn on Apple Remote Desktop by activating
    # the Apple Remote Desktop management agent
    $ardkickstart -activate

    # Allow Apple Remote Desktop access only for specified users
    $ardkickstart -configure -allowAccessFor -specifiedUsers

    # Enable Apple Remote Desktop management groups
    $ardkickstart -configure -clientopts -setdirlogins -dirlogins yes

    # Restart the Apple Remote Desktop agent process
    $ardkickstart -restart -agent &
}

VerifyUser(){
    /usr/bin/id "$arduser"
    if [ $? != 0 ]; then
        echo "Unable to set specified Apple Remote Desktop permissions!"
        echo "$arduser account not found on this Mac."
        error=1
        exit "$error"
    else
        echo "$arduser account verified as existing on this Mac. Proceeding…"
    fi
}

if [[ -n "$arduser" ]] && [[ -n "$ardgroup" ]]; then
    # Verify that the specified user account exists.
    VerifyUser

    # Create Apple Remote Desktop management groups
    # and add the specified user account to the
    # specified management group.
    CreateAppleRemoteDesktopGroups
    AddUsersToAppleRemoteDesktopGroups

    # Turn on Apple Remote Desktop and configure
    # it to use Apple Remote Desktop's directory-based
    # management to assign permissions.
    EnableAppleRemoteDesktopDirectoryManagement
else
    echo "Unable to set specified Apple Remote Desktop permissions!"
    echo "arduser variable is set to: $arduser"
    echo "ardgroup variable is set to: $ardgroup"
    error=1
fi

exit "$error"
```
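Because membership in these groups silently grants rights such as Control and Observe, it is worth auditing who is in them. The script below is an added example, not code from the original post: it reads each com.apple.local.ard_* group with dscl, prints the rights that group grants per the table above, and checks whether directory-based logins are on. The DirectoryGroupLoginsEnabled preference key is an assumption on my part, not something the post documents.

```shell
#!/bin/sh
# Added audit helper (not from the original post): list which local accounts hold ARD
# rights through the four com.apple.local.ard_* groups, and what each group grants.

# Rights granted by each group, as listed in the ARD administrator guide table.
ard_rights_for_group() {
  case "$1" in
    com.apple.local.ard_admin)
      echo "Generate reports, Open and quit applications, Change settings, Copy Items, Delete and replace items, Send messages, Restart and Shut down, Control, Observe, Show being observed" ;;
    com.apple.local.ard_interact)
      echo "Send messages, Control, Observe, Show being observed" ;;
    com.apple.local.ard_manage)
      echo "Generate reports, Open and quit applications, Change settings, Copy Items, Delete and replace items, Send messages, Restart and Shut down" ;;
    com.apple.local.ard_reports)
      echo "Generate reports" ;;
    *) return 1 ;;
  esac
}

# Turn the output of `dscl . -read /Groups/<name> GroupMembership` (read from stdin)
# into one member short name per line. Exits 1 when no GroupMembership line is present,
# which is what dscl reports ("No such key: GroupMembership") for an empty group.
parse_group_membership() {
  awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i; found = 1 }
       END { exit !found }'
}

# Walk the four groups and report direct user members. Nested groups live in the
# NestedGroups attribute and are not expanded here.
audit_ard_groups() {
  for group in com.apple.local.ard_admin com.apple.local.ard_interact \
               com.apple.local.ard_manage com.apple.local.ard_reports; do
    echo "== $group grants: $(ard_rights_for_group "$group")"
    # dscl exits non-zero when the group record itself does not exist.
    if ! output=$(/usr/bin/dscl . -read "/Groups/$group" GroupMembership 2>&1); then
      echo "   group not present on this Mac"
      continue
    fi
    members=$(printf '%s\n' "$output" | parse_group_membership) || { echo "   (no members)"; continue; }
    printf '%s\n' "$members" | sed 's/^/   member: /'
  done
  # The groups only take effect once directory-based logins are on (the kickstart
  # -setdirlogins -dirlogins yes step). The preference key name below is an assumption.
  /usr/bin/defaults read /Library/Preferences/com.apple.RemoteManagement DirectoryGroupLoginsEnabled 2>/dev/null \
    || echo "DirectoryGroupLoginsEnabled not set: directory-based logins appear to be off"
}

# Only run the audit on macOS, so the parsing functions can be sourced elsewhere.
if [ "$(uname)" = "Darwin" ]; then
  audit_ard_groups
fi
```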
Hello Mr. Trouton,
Thank you for the insightful blog post.
I'm an admin in a mixed environment with lots of W$ PCs and several Macs. Since we are using AD for authentication for all machines, it is really easy to manage the Macs with ARD in the local network over LAN or WLAN. Recently I've received the task to prepare an all-Mac environment in an office outside of our network.
The challenge now is to set up the best possible way to administer those (5 Macs) with ARD outside of our network in the most reliable and secure way.
Could you point to a document or describe briefly an approach for how you would do this?
That would be great. Thanking you in advance.
IB
Here is some additional information:
All Macs are running the latest release, 10.13.
Those can be bound to AD and get a DNS name, but they are not part of the local network. The Macs will not have a VPN connection to us. I'd prefer to use ARD instead of TeamViewer or similar, if possible.
I've two scenarios for the moment:
1. Add those Macs to Cisco Meraki MDM. That way I can see the public IP.
2. Install a small app that displays the public IP address (not the router's) in the menu bar, so I can ping them directly via IP.
I'm still not sure if the selected approach(es) are good, therefore I'll be very thankful if you could point to better solutions, if any.
And right on cue, just 3 days ago Apple announced changes for kickstart in Mojave; looks like the trend for more things going “manual” is in full effect. And no “synthetic clicks” too, I bet, just like UAMDM…
“Prepare your institution for iOS 12 or macOS Mojave”
https://support.apple.com/en-us/HT209028
• “For increased security, using the kickstart command to enable remote management on a Mac will only allow you to observe it when sharing its screen. If you wish to control the Mac while sharing its screen, enable remote management in System Preferences.”
I’ve yet to test on Mojave, but it's safe to say this means that the above won’t work properly, since it still does use kickstart?
Hello, is this possible to use in an environment where users never signed into workstations before using Active Directory credentials?