ARD (Apple Remote Desktop) kickstart in 10.14 (macOS "Mojave")

Traditionally, when an administrator has needed to enable remote screensharing access (via ARD/Apple Remote Desktop) for management purposes - in a programmatic way via the command-line or a payload-less package - it's been relatively straightforward to do so.

This is documented by Apple here: https://support.apple.com/en-us/HT201710

However, there are many changes in the latest version of macOS (10.14, aka "macOS Mojave"), and those changes appear to cause Apple's own documented method to fail. It appears that key, previously available aspects of enabling remote access are affected by Apple's intended security and privacy changes in 10.14.

Some excellent articles about some of the new security features and restrictions in 10.14/Mojave are the following:

A great debt, thanks & credit is owed (by many) to Rich Trouton, and he has documented an alternative means of enabling ARD that - in my testing so far - appears to work:

The key commands (for example, for an intended ARD admin) are below. You'll need to replace the placeholder <yourARDuserShortname>, brackets <> included, with the shortname of the user account you intend to configure for ARD admin access. Other levels of access (com.apple.local.ard_ groups) are listed in Rich Trouton's article. Adding a user to more than one of these groups appears not to work, which is perhaps intentional:

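## ARD enablement via Apple ARD groups
# replace the placeholder with the shortname of the intended ARD admin user
ARD_USER="<yourARDuserShortname>"

# create the ARD admin group if it does not already exist
if [[ $(/usr/bin/dscl /Local/Default -list /Groups | grep -cxF "com.apple.local.ard_admin") -eq 0 ]]; then
 /usr/sbin/dseditgroup -o create -n "/Local/Default" -r "ARD Admin Group" -T group com.apple.local.ard_admin
fi

# add desired user to above ARD group (GroupMembership holds the member shortnames)
/usr/bin/dscl . -append /Groups/com.apple.local.ard_admin GroupMembership "$ARD_USER"

# activate remote management and allow logins based on the directory groups
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
 -activate -configure -clientopts -setdirlogins -dirlogins yes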

It's possible to add the above as a script named: postinstall (no suffix such as .sh), preceded by the standard

#!/bin/bash

and included as part of a standard payload-less pkg installer. Other additions, elaborations and enhancements in any such script are left to the reader; the above is meant only as a potential starting point. To create a ("payload-less") package installer that runs such a script, it's particularly easy to use Greg Neagle's excellent munkipkg, see:


Published October 1st, 2018 by David Haines,

coresolutiongroup.com
