ARD (Apple Remote Desktop) kickstart in 10.14 (macOS "Mojave")
Traditionally, when an administrator has needed to enable remote screensharing access (via ARD/Apple Remote Desktop) for management purposes - in a programmatic way via the command-line or a payload-less package - it's been relatively straightforward to do so.
This is documented by Apple here: https://support.apple.com/en-us/HT201710
However, there are many changes in the latest version of macOS (10.14, aka "macOS Mojave"), and those changes appear to cause Apple's own documented method to fail. So it appears that key (previously available) aspects of enabling remote access are being impacted by Apple's intended changes in security and privacy for 10.14.
Some excellent articles about some of the new security features and restrictions in 10.14/Mojave are the following:
A great debt, thanks & credit is owed (by many) to Rich Trouton, and he has documented an alternative means of enabling ARD that - in my testing so far - appears to work:
The key commands (for example, for an intended ARD admin) are below. You'll need to replace <yourARDadminUsernamehere>, angle brackets included, with the short name of the user account you intend to configure for ARD admin access. Other levels of access (com.apple.local.ard_ groups) are listed in Rich Trouton's article; adding a user to more than one appears not to work, and that is perhaps intentional.
PLEASE NOTE: The script provided below is meant to be a starting point; it's hardly exemplary, as there's no real error checking (think about a clause to handle the case where the group already exists, etc.). Hopefully you'll find it useful:
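## ARD enablement via Apple ARD groups
# create the ARD admin group only if it does not exist yet
if [[ $(dscl /Local/Default list /Groups | grep "com.apple.local.ard_admin" | wc -l) -eq 0 ]]; then
    /usr/sbin/dseditgroup -o create -n "/Local/Default" -r "ARD Admin Group" -T group com.apple.local.ard_admin
fi
# add desired user to above ARD groups
/usr/sbin/dseditgroup -o edit -a <yourARDadminUsernamehere> -t user com.apple.local.ard_admin
# activate ARD via Apple's kickstart tool and allow logins for members of the ARD groups
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -clientopts -setdirlogins -dirlogins yes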
It's possible to add the above as a script named: postinstall (no suffix such as .sh), and preceded with the standard
and included as part of a standard payload-less pkg installer. Other additions, elaborations and enhancements in any such script are left to the reader, the above is meant only as a potential starting-point. In terms of creating a ("payload-less") package installer to enact such a script, it's particularly easy to do so via Greg Neagle's excellent munkipkg, see:
Published October 1st, 2018 by David Haines,
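Because membership in the com.apple.local.ard_ groups is what grants remote access here, and a user in more than one group appears not to work, it is worth auditing those groups after deployment. The script below is an added example, not part of the original post or of Rich Trouton's article. The group names other than com.apple.local.ard_admin are Apple's other ARD access groups; the helper names and sample accounts are constructed for illustration, and the sample data is used wherever dscl is not available.

```shell
#!/bin/bash
# Added example: audit membership of the com.apple.local.ard_* groups.
# ard_admin is the group used in the post; the other three are Apple's
# remaining ARD access groups.
ARD_GROUPS="com.apple.local.ard_admin com.apple.local.ard_interact \
com.apple.local.ard_manage com.apple.local.ard_reports"

# Constructed sample data (not from a real Mac), shaped like the output of
#   dscl /Local/Default -read /Groups/<group> GroupMembership
sample_membership() {
    case "$1" in
        com.apple.local.ard_admin)    echo "GroupMembership: ladmin helpdesk" ;;
        com.apple.local.ard_interact) echo "GroupMembership: helpdesk" ;;
        com.apple.local.ard_reports)  echo "No such key: GroupMembership" ;;
        *) return 1 ;;                # group record does not exist
    esac
}

# Hypothetical helper: query dscl on a Mac, use the sample data elsewhere.
read_membership() {
    if command -v dscl >/dev/null 2>&1; then
        dscl /Local/Default -read "/Groups/$1" GroupMembership 2>/dev/null
    else
        sample_membership "$1"
    fi
}

# Print one "user group" pair per membership; skip missing or empty groups.
ard_pairs() {
    local g u out
    for g in $ARD_GROUPS; do
        out=$(read_membership "$g") || continue
        case "$out" in "GroupMembership:"*) ;; *) continue ;; esac
        for u in ${out#GroupMembership:}; do
            echo "$u $g"
        done
    done
}

# Print users that hold more than one ARD group, the case the post says
# appears not to work.
ard_conflicts() {
    ard_pairs | awk '{ n[$1]++ } END { for (u in n) if (n[u] > 1) print u }' | sort
}

echo "ARD group memberships (user group):"; ard_pairs
echo "Users in more than one ARD group:"; ard_conflicts
```

The audit reads only the GroupMembership attribute (short names), so nested groups are not expanded.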