you probably got here by mistake.

Enabling Apple Remote Desktop via Workspace ONE

12 April 2021

This post is very similar to my last, enabling SSH via Workspace ONE. The process is identical, just the scripts have changed. Like the SSH post this is adapted from information here.

Create a Custom Attribute profile

The custom attribute profile will check the status of ARD on assigned devices, reporting back to WS1.

The bash script below will return a custom attribute with one of these values:

  1. ARD not running
  2. All Users Access Enabled
  3. admin not ARD admin
  4. ARD enabled

Make sure to the edit the admin_user variable.


#Edit this variable with your local admin user name!

PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/munki export PATH

# check wether ARD is running
ardrunning=$(ps ax | grep -c -i "[Aa]rdagent")

if [[$ardrunning -eq 0]]; then
	echo "ARD not running"
	exit 0

# all Users access should be off
all_users=$(defaults read /Library/Preferences/ ARD_AllLocalUsers 2>/dev/null)

if [[$all_users -eq 1]]; then
	echo "All Users Access Enabled"
	exit 0

# check whether the admin account is privileged
ard_admins=$(dscl . list /Users naprivs | cut -d ' ' -f 1)

if [[$ard_admins != $admin_user]]; then
	echo "$admin_user not ARD admin"
	exit 0

echo "ARD enabled"

exit 0

Create a new Provisioning Component File/Action

Next, crerate a new Provisioning Component of type Files/Actions to perform the ARD enable.

Add a new Files/Actions

I’ve split the process in to three Run Actions. You could probably do just one long one if you wanted.

The commands should be run in this order:

/System/Library/CoreServices/RemoteManagement/ -configure -access -on -users $ADMIN -privs -all

$ADMIN should be replaced with your admin account short name

/System/Library/CoreServices/RemoteManagement/ -configure -allowAccessFor -specifiedUsers

/System/Library/CoreServices/RemoteManagement/ -activate

Create a Product

A provisioning product must be created to tie this all together. You will want to assign this to a Smart Group that also is assigned the Custom Attribute profile you created at the top.


Edit the Assignment Rules

Your Custom Attribute profile will be available to select as the Attribute/Application. The Rule Logic should be ARDstatus@AirWatchAgent <> 'ARD enabled'. The script in the profile will return different values to let you know why ARD isn’t set up right for the client. It won’t just return yes or no.

Under Manifest click ADD

Action(s) To Perform should be File/Action - Install
Files/Actions should be macOS enable ARD (assuming you named the Action that)

Be sure to activate the Product. Any devices assigned should have ARD enabled for the admin user.