Enabling Apple Remote Desktop via Workspace ONE
Apple Remote Desktop (ARD) can be enabled through Workspace ONE using Provisioning.
This post is very similar to my last, enabling SSH via Workspace ONE. The process is identical, just the scripts have changed. Like the SHS post this is adapted from information here.
Create a Custom Attribute profile
The custom attribute profile will check the status of ARD on assigned devices, reporting back to WS1.
The bash script below will return a custom attribute with one of these values:
- ARD not running
- All Users Access Enabled
- admin not ARD admin
- ARD enabled
Make sure to the edit the admin_user variable.
#!/bin/sh #Edit this variable with your local admin user name! admin_user="admin" PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/munki export PATH # check wether ARD is running ardrunning=$(ps ax | grep -c -i "[Aa]rdagent") if [[ $ardrunning -eq 0 ]]; then echo "ARD not running" exit 0 fi # all Users access should be off all_users=$(defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null) if [[ $all_users -eq 1 ]]; then echo "All Users Access Enabled" exit 0 fi # check whether the admin account is privileged ard_admins=$(dscl . list /Users naprivs | cut -d ' ' -f 1) if [[ $ard_admins != $admin_user ]]; then echo "$admin_user not ARD admin" exit 0 fi echo "ARD enabled" exit 0
Create a new Provisioning Component File/Action
Next, crerate a new Provisioning Component of type Files/Actions to perform the ARD enable.
Add a new Files/Actions
I’ve split the process in to three Run Actions. You could probably do just one long one if you wanted.
The commands should be run in this order:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -users $ADMIN -privs -all
$ADMIN should be replaced with your admin account short name
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers
Create a Product
A provisioning product must be created to tie this all together. You will want to assign this to a Smart Group that also is assigned the Custom Attribute profile you created at the top.
Edit the Assignment Rules
Your Custom Attribute profile will be available to select as the Attribute/Application. The Rule Logic should be
ARDstatus@AirWatchAgent <> 'ARD enabled'. The script in the profile will return different values to let you know why ARD isn’t set up right for the client. It won’t just return yes or no.
Under Manifest click ADD
Action(s) To Perform should be File/Action - Install
Files/Actions should be macOS enable ARD (assuming you named the Action that)
Be sure to activate the Product. Any devices assigned should have ARD enabled for the admin user.