using ssh to kickstart apple remote desktop (ARD)

ssh is an extremely powerful management tool, but sometimes GUI management is just easier. GUI management is also useful for end-user troubleshooting and training purposes. At my company we have Apple Remote Desktop (ARD) enabled by default for our global and local admin users. Sometimes ARD access becomes disabled, whether through a corrupt preference file or the actions of a member of the IT team, or some other reason.

Using ssh commands we can quickly enable ARD access for one, several, or all users (or disable it, change privileges, etc.). I’ve also added two lines to create an “ssh access” group for easier troubleshooting of remote-access issues. These commands have to be run as root, so either su to root (if enabled) or sudo each command.

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users globadmin,locadmin -privs -all -restart -agent -menu

sudo dseditgroup -o create -a globadmin -t user -q com.apple.access_ssh
sudo dseditgroup -o edit -a locadmin -t user com.apple.access_ssh

The first line is called “kickstarting” ARD: it turns on ARD access for only globadmin and locadmin and enables all ARD privileges (observe, control, install, etc.), denoted by the “-privs -all” switches. It also restarts the ARD agent and menu on the client with the “-restart -agent -menu” switches, so the changes take effect immediately rather than after the next system reboot.

The first dseditgroup command creates a local group called com.apple.access_ssh and adds the globadmin user to it as a member (the -t user switch says the member being added is a user record rather than another group). The -q switch disables interactive verification of the group being created – useful for a non-interactive shell script (as this set of commands is used at my company). The second command simply adds the locadmin user to the now-existing com.apple.access_ssh group. We can now select the com.apple.access_ssh group to enable/disable ssh access for locadmin and globadmin simultaneously rather than selecting users individually.
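As an added example (not from the original post), here is a small script that wraps the two steps above for a non-interactive rollout: it validates the user list so a stray entry cannot become a kickstart switch, builds the kickstart line, and creates the com.apple.access_ssh group on first use and edits it afterwards. The DRY_RUN guard, the dscl group check and the function names are my assumptions.

```shell
# Assumed wrapper (not from the original post) around the kickstart and
# dseditgroup lines above. DRY_RUN=1 only prints the commands and is forced
# on unless running as root on macOS.
set -eu
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
SSH_GROUP=com.apple.access_ssh
if [ "$(uname -s)" != Darwin ] || [ "$(id -u)" -ne 0 ]; then DRY_RUN=1; fi
: "${DRY_RUN:=0}"
# Run a command, or just echo it in dry-run mode.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# Plain short names only, so a stray list entry such as "-privs" cannot
# become an extra kickstart switch.
valid_user() {
  case "$1" in "" | -* | *[!A-Za-z0-9._-]*) return 1 ;; *) return 0 ;; esac
}

# Build the kickstart line for a comma-separated user list ($1).
ard_kickstart_cmd() {
  old_ifs=$IFS; IFS=,
  for u in $1; do
    valid_user "$u" || { IFS=$old_ifs; echo "bad user name: '$u'" >&2; return 1; }
  done
  IFS=$old_ifs
  echo "$KICKSTART -activate -configure -access -on -users $1 -privs -all -restart -agent -menu"
}

# The ssh access group is created once (-o create -q); later members are
# added with -o edit. $1 = user, $2 = "exists" or "missing".
ssh_group_cmd() {
  valid_user "$1" || return 1
  if [ "$2" = exists ]; then echo "dseditgroup -o edit -a $1 -t user $SSH_GROUP"
  else echo "dseditgroup -o create -a $1 -t user -q $SSH_GROUP"; fi
}

# Ask Directory Services whether the group exists; assume "missing" in dry run.
ssh_group_state() {
  [ "$DRY_RUN" = 1 ] && { echo missing; return 0; }
  dscl . -read "/Groups/$SSH_GROUP" >/dev/null 2>&1 && echo exists || echo missing
}

enable_remote_access() {   # $1 = comma-separated users
  cmd=$(ard_kickstart_cmd "$1") || return 1; run $cmd
  state=$(ssh_group_state)
  old_ifs=$IFS; IFS=,
  for u in $1; do
    IFS=$old_ifs; run $(ssh_group_cmd "$u" "$state"); state=exists
  done
  IFS=$old_ifs
}
enable_remote_access "${1:-globadmin,locadmin}"
```

Run it as root on the client (or with DRY_RUN=1 anywhere to review the exact command lines first).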
