
Using directory membership to manage Apple Remote Desktop permissions

Apple Remote Desktop (ARD) is a screen sharing and remote administration tool that just about every Mac admin uses at some point. Configuring access permissions for it can be done in several ways:

  1. Using System Preferences’ Sharing preference pane to configure the Remote Management settings.
  2. Using the kickstart command line utility to grant permissions to all or specified users.
  3. Using the kickstart command line utility to grant permissions to members of specified directory groups.

The last item may be the least-known method of assigning permissions, but it can be the most powerful because it allows ARD’s management agent to be configured once and then lets group membership determine who gets which ARD permissions. For more details, please see below the jump.

As documented in the Apple Remote Desktop administrator guide, Apple’s directory-based permissions model looks like this:

[Screenshot: the directory-based permissions model from the Apple Remote Desktop administrator guide]

In the past, these rights could be assigned via Apple’s Workgroup Manager using MCX, using a configuration like the one shown below:

[Image: ARD 3 Admin Guide, page 64, showing the Workgroup Manager MCX configuration]

However, this MCX-based method does not seem to work on macOS High Sierra. I have not yet been successful when assigning them using a management profile.

A secondary method using local groups on the Mac still works as of macOS High Sierra.

[Image: ARD 3 Admin Guide v3.3, page 73, showing the local group method]

To configure ARD permission management via assignment to a local group, the following procedure should be used:

1. Create the following groups on your Mac:

com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_reports

2. Add the desired user(s) or groups to the relevant com.apple.local.ard_ group.

3. Configure ARD using the kickstart utility to recognize and use directory-based logins.

For example, the command shown below will enable the ARD management agent and configure it to use directory-based logins:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -clientopts -setdirlogins -dirlogins yes

Once configured, ARD permissions can be assigned by adding accounts to, and removing them from, the relevant com.apple.local.ard_ groups. For example, adding a local user account named Administrator to the local com.apple.local.ard_admin group produces the following results.

Without any other configuration, the Administrator account now appears listed in the Remote Management settings.

[Screenshot: the Administrator account listed in the Remote Management settings]

The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:

  • Generate reports
  • Open and quit applications
  • Change settings
  • Copy Items
  • Delete and replace items
  • Send messages
  • Restart and Shut down
  • Control
  • Observe
  • Show being observed

[Screenshot: the Administrator account’s ARD permissions, grayed out]

Adding a local user account named User Name to the com.apple.local.ard_interact group produces the following results.

Without any other configuration, the User Name account now appears listed in the Remote Management settings.

[Screenshot: the User Name account listed in the Remote Management settings]

The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:

  • Control
  • Observe
  • Show being observed

[Screenshot: the User Name account’s ARD permissions, grayed out]

To assist with creating these groups and assigning user accounts to them, I’ve written a script that does the following:

  1. Allows a username and group to be specified for ARD permissions
  2. Verifies that the username exists on the Mac
  3. Creates all four ARD permissions management groups
  4. Adds the specified user account to the specified management group
  5. Turns on ARD’s management agent and configures it to use ARD’s directory-based management to assign permissions

The script is available below. It’s also available from GitHub using the following link:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/set_apple_remote_desktop_to_use_directory_based_management_permissions
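As an added illustration of the three-step procedure and the five points just listed, here is a shell script of my own; it is not the script from the post or from the GitHub repository linked above. It assumes it is run as root on the Mac being configured, that the user is a local account, and that the dscl, dseditgroup and kickstart tools are present at their standard locations; the role names (admin, interact, manage, reports), the group descriptions and the function names are my own choices.

```shell
#!/bin/sh
# Added example: create the four com.apple.local.ard_* groups, add one local
# user to one of them, then switch the ARD agent to directory-based logins.
# Usage (as root):  sudo ./ard_dir_perms.sh <username> <admin|interact|manage|reports>

KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
LOCAL_NODE="/Local/Default"
ARD_ROLES="admin interact manage reports"   # short role names chosen for this example

# Map a short role name to its com.apple.local.ard_* group name.
# Anything else is rejected, so a typo cannot create an unrelated group.
ard_group_for_role() {
    case "$1" in
        admin|interact|manage|reports) printf 'com.apple.local.ard_%s\n' "$1" ;;
        *) printf 'unknown ARD role: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Verify the user is a record in the local directory node before touching any group.
ard_user_exists() {
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Create all four management groups; skip any that already exist so the
# script can be re-run safely.
ard_create_groups() {
    for role in $ARD_ROLES; do
        group=$(ard_group_for_role "$role") || return 1
        if dseditgroup -o read -n "$LOCAL_NODE" "$group" >/dev/null 2>&1; then
            echo "group $group already exists"
        else
            dseditgroup -o create -n "$LOCAL_NODE" -r "ARD $role" "$group" || return 1
            echo "created $group"
        fi
    done
}

# Add the user to the group for the chosen role, then confirm the membership
# actually took effect rather than trusting the edit's exit status alone.
ard_add_user_to_role() {
    user=$1
    group=$(ard_group_for_role "$2") || return 1
    dseditgroup -o edit -n "$LOCAL_NODE" -a "$user" -t user "$group" || return 1
    dseditgroup -o checkmember -m "$user" "$group"
}

# Enable the agent and configure it for directory-based logins (the kickstart
# invocation from the post).
ard_enable_directory_logins() {
    "$KICKSTART" -activate -configure -clientopts -setdirlogins -dirlogins yes
}

ard_main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "this script must be run as root" >&2
        return 1
    fi
    ard_user_exists "$1" || { echo "no local user named $1" >&2; return 1; }
    ard_create_groups && ard_add_user_to_role "$1" "$2" && ard_enable_directory_logins
}

if [ "$#" -eq 2 ]; then
    ard_main "$@"
else
    echo "usage: $0 <username> <admin|interact|manage|reports>" >&2
fi
```

Because the groups are created and the user is added before kickstart runs, a failure at any earlier step leaves the agent untouched; re-running the script after fixing the problem is safe, since existing groups are detected and skipped.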

  1. IB
    August 30, 2018 at 9:54 am

    Hello Mr. Trouton,
    Thank you for the insightful blog post.

    I’m an admin in a mixed environment with lots of W$ PCs and several Macs. Since we are using AD for authentication for all machines, it is really easy to manage the Macs with ARD in the local network over LAN or WLAN. Recently I’ve received the task to prepare an All-Mac environment in an office outside of our network.

    The challenge now is to set up the best possible way to administer those (5 Macs) with ARD outside of our network in the most reliable and secure way.

    Could you point to a document or describe briefly how you would approach this?
    That will be great. Thanking you in advance.
    IB

    Here some additional information:
    All Macs are running the latest release of 10.13.
    They can be bound to AD and get a DNS name, but are not part of the local network. The Macs will not have a VPN connection to us. I’d prefer to use ARD instead of TeamViewer or similar, if possible.
    I’ve two scenarios for the moment:

    1. Add those Macs to Cisco Meraki MDM. That way I can see the public IP.
    2. Install a small app that displays the public IP address (not the router’s one) in the menu bar, so I can ping them directly via IP.

    I’m still not sure if the selected approach(es) are good, therefore I’ll be very thankful if you could point to better solutions, if any.

  2. August 31, 2018 at 5:24 pm

    And right on cue, just 3 days ago Apple announced changes for kickstart in Mojave; looks like the trend for more things going “manual” is in full effect. And no “synthetic clicks” too I bet, just like UAMDM…

    “Prepare your institution for iOS 12 or macOS Mojave”
    https://support.apple.com/en-us/HT209028

    • “For increased security, using the kickstart command to enable remote management on a Mac will only allow you to observe it when sharing its screen. If you wish to control the Mac while sharing its screen, enable remote management in System Preferences.”

    • crambs
      September 3, 2018 at 2:18 am

      I’ve yet to test on Mojave, but safe to say this means that the above won’t work properly, since it still does use kickstart?
