JAMF Nation, hosted by JAMF Software, is a dynamic and knowledgeable community of Apple-focused IT admins and Casper Suite users. Join us in person, in October, for the annual JAMF Nation User Conference (JNUC) to discover new and better ways to manage Apple devices.

CCA Badge CCE Badge
6

Setting Screen Sharing

Posted: 7/17/12 at 4:19 PM by tkimpton

Hi guys

Im trying to get a VPN solution working for our home users to connect in and vnc to their workstations. Problem Is the ARD directory access is not going to work for the mobile accounts because I don't run OD and have a setup using ADmitMac.

Cutting a long story short I have worked out that Screen Sharing activated for specific users in the System Preferences works and is what I need. Problem is I can't work out how to configure the access for specified users. Ive looked at the ARD kickstart but that's for setting Remote Management and not screen sharing.

Does anyone in the community know how to set the access for Screen Sharing (not ARD) for currently 10.6.8 and possibly 10.7.4?

6
CCA Badge

Posted: 7/17/12 at 7:32 PM by Lhsachs

There are a a few things to look at for this issue:
1. Having the workstations set to allow Remote Login and Remote Management \- by specific users, with the options you choose set for observing, controlling, etc..
2. If your dns is working \- forward and reverse \- and you know the user's system's name \- once Screen Sharing is open, you should be able to connect with the system's name. (if you are static IP, the IP address will get you to the system)
3. have the users at home know how to open Screen Sharing....

...If the users at home aren't running macs \- they will need to set up a VNC password.

If assisted customers working at home via VPN through screen sharing \- a great way to assist...

CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 7/17/12 at 8:28 PM by donmontalvo

@Lhsachs I would be careful with that Sharing > VNC password feature...it's insecure. Anyone with the password can view/control the computer without the user being prompted. We use Remote Management instead, so any Mac on 10.5 or later can connect using local credentials (not the VNC password). This way each user has to use their account password.

CCA Badge CCE Badge

Posted: 7/17/12 at 11:14 PM by tkimpton

Thanks guys.

VPN set allowing ports 5900 and 5901 only
Macs to mac only
No Dns for security they know their working reserved ip before they go home
they have a 15 page instruction manual They get training sessions.

As stated I cannot use remote management with specific user in my environment. It doesnt work with mobile accounts and I don't have an OD set up plus kickstart dirlogins won't work with ADmitMac.

In my test Screen sharing enabled for specified user works but I just need to know how to set this up via the command line. I don't want to go down the manual route.

This works to enable Screen Sharing on 10.6.8 but no ideas about setting access for specified users.

sudo sh -c /bin/echo -n enabled > 
/private/etc/ScreenSharing.lauchd

For now I can get remote management to work at the moment on 10.6.8 using a script and the jamf binary to create a local vnc account, and then using Casper remote I get the user over and get them to change the user vnc password.

Problem is I am thinking later down the road about 10.7 \+ where a vnc legacy password doesn't work anymore anyway and the vnc virtual desktop confusion/nightmare. I'd like them to authenticate as themselves and not log in as the local account vnc.

For Remote Managemet to work I think I need to create the ard groups using discl

This would be com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_report

Here is what I looked at but it says to create them with WGM locally. Does anyone know how to create these from the command line using dscl?

http://tinyurl.com/cjvf5y

CCA Badge CCE Badge

Posted: 7/18/12 at 1:35 AM by tkimpton

I answered my own question lol.

  1. I created the group com.apple.local.ard_interact using WGM in the local node and added myself

  2. I found i had to add this to my ard script

    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes

  3. I found i also still had to specify my access

\# GETTING THE CURRENT CONSOLE USER
consoleuser=ls -l /dev/console | cut -d " " -f4\

\# Allow tkimpton account access
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -privs -ControlObserve -ShowObserve -users ${consoleuser}

  1. I can now vnc authenticate using my mobile cached account from my home mac to my work laptop :)

Please can someone help me how to create the following groups using dscl in a script

com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_report

My idea to help automate it as much as possible is to just using a command to add a user to the com.apple.local.ard_interact group when needed :)

CCA Badge CCE Badge

Posted: 7/18/12 at 3:05 AM by tkimpton

so far i have below but need to work out how to exclude a local admin account when quering the console user. hmmmmmmmm...

#!/bin/bash
\# GETTING THE CURRENT CONSOLE USER
consoleuser=ls -l /dev/console | cut -d " " -f4\

\# SEE IF THE GROUP EXISTS
if
dscl . list /groups | grep com.apple.local.ard_interact
then
echo "Group already exists"

\# CREATE THE GROUP IF DOESN'T EXIST
else
dscl . -create /groups/com.apple.local.ard_interact
dscl . -create /groups/com.apple.local.ard_interact PrimaryGroupID 1025
fi

\# SEE IF CONSOLE USER IS IN THE GROUP
if
dscl . read /groups/com.apple.local.ard_interact | grep ${consoleuser}
then
echo "Console user is already in the group"

#ADD THE CONSOLE USER IF NOT IN THE GROUP
else
dscl . -append /groups/com.apple.local.ard_interact GroupMembership ${consoleuser}
fi

CCA Badge CCE Badge

SOLVED Posted: 7/18/12 at 6:07 AM by tkimpton

Thanks Tim your F**kin awesome lol

Here is what i use now for self service

#!/bin/bash

\# Environment variable for the home directory of the account
FILE=/private/var/vnc
USER=dscl /Local/Default -list /Users | grep vnc\

\# Check to see if the account exists in dscl and the home folder
if [ "$USER" ] && [ $FILE ]; then

\# If found echo it exists to the shell
echo "vnc account exists"

else

\# If the account and home folder doesn't exist then go and create it
/usr/sbin/jamf createAccount -hiddenUser -username vnc -realname vnc -password DrillHall -home /private/var/vnc

fi

\# GETTING THE CURRENT CONSOLE USER
rluser=ls -l /dev/console | cut -d " " -f4 | grep rufusleonard.hq\

\# SEE IF THE GROUP EXISTS
if
dscl . list /groups | grep com.apple.local.ard_interact
then
echo "Group already exists"

\# CREATE THE GROUP IF DOESN'T EXIST
else
dscl . -create /groups/com.apple.local.ard_interact
dscl . -create /groups/com.apple.local.ard_interact PrimaryGroupID 1025

fi

\# SEE IF CONSOLE USER IS IN THE GROUP
if
dscl . read /groups/com.apple.local.ard_interact | grep ${rluser}
then
echo "rluser is already in the group"

\# DISPLAY A MESSAGE
jamf displayMessage -message "Group already exists!

${rluser} is already a member of it!

You don't need to run this anymore!"

\# ADD THE CONSOLE USER IF NOT IN THE GROUP
else
dscl . -append /groups/com.apple.local.ard_interact GroupMembership ${rluser}

\# DISPLAY A MESSAGE
jamf displayMessage -message "Group created

${rluser} is now a member of the group

vnc account created and the default password must be changed!"

fi

\# Allow the local vnc account to control and observe modifying the trigger file
touch /Library/Management/Triggers/adminremotemanagement