Enabling remote access on macOS endpoints via script

I wrote a couple of posts several years ago with information on using Workspace One to enable Remote Desktop and SSH access on macOS endpoints. That information may still work, but I've grown increasingly frustrated with Workspace One and how it runs scripts, particularly the requirement that a user be logged in to the device for Freestyle Orchestrator workflows to run. This makes imaging and deploying devices that are shared or not assigned to a specific user really challenging.

I've redesigned a lot of my deployment workflow around Outset, which runs scripts at specific points in the boot process. With the script below I check the status of, and enable if necessary, SSH and Apple Remote Desktop at boot on all my shared devices. It is installed as a "boot-every" script for Outset, so it runs as root on every boot.

The AUTHORIZED_KEY and ADMIN_USER variables need to be set. ADMIN_USER must be an existing local account. If you leave AUTHORIZED_KEY empty, the script skips adding your key to that user's SSH authorized_keys file.

Assuming AUTHORIZED_KEY is set, the script creates the ADMIN_USER home folder if necessary, then creates the .ssh directory and authorized_keys file with the ownership and permissions sshd insists on (owned by the user, directory 700, file not writable by anyone else) so the daemon will actually read your key when you try to log in via SSH. The key is only appended if that exact line is not already in the file, so the script stays idempotent across boots.

The script then makes sure SSH (Remote Login) is enabled and that ADMIN_USER is a member of the com.apple.access_ssh group. Membership in that group is what limits SSH logins to the listed users; when "all users" are allowed, macOS renames the group to com.apple.access_ssh-disabled, so the script renames it back (or creates it) before adding the user.

Finally, the script grants your user access to Remote Desktop and configures the service. kickstart can configure Remote Management but cannot turn it on by itself, so Remote Desktop must already have been enabled through your MDM before this script runs, otherwise this step does nothing. That can be done by sending the EnableRemoteDesktop MDM command. If your MDM is Workspace One, which does not support doing this easily, see my previous post about using the Apple Shortcuts application to send the appropriate command via the API.

#!/bin/zsh

# Outset "boot-every" script: ensure SSH and Apple Remote Desktop are enabled
# and restricted to ADMIN_USER. Outset runs this as root at every boot.

AUTHORIZED_KEY=""   # full public key line for ADMIN_USER; leave empty to skip key setup
ADMIN_USER=""       # existing local admin account that gets SSH and Remote Desktop access

if [[ $EUID -ne 0 ]]; then
	echo "This script must run as root." >&2
	exit 1
fi

if [[ -z $ADMIN_USER ]]; then
	echo "ADMIN_USER is not set." >&2
	exit 1
fi

# The account itself must already exist; this script only prepares its home folder.
if ! /usr/bin/dscl /Local/Default read "/Users/${ADMIN_USER}" RecordName >/dev/null 2>&1; then
	echo "User ${ADMIN_USER} does not exist in the local directory." >&2
	exit 1
fi

SSH_DIR="/Users/${ADMIN_USER}/.ssh"
KEY_FILE="${SSH_DIR}/authorized_keys"

if [[ -z $AUTHORIZED_KEY ]]; then
	echo "AUTHORIZED_KEY is empty so skip all the stuff that sets up SSH key access."
else
	echo "AUTHORIZED_KEY is not empty so make sure the key is in ${KEY_FILE} and file permissions are set."
	if [[ ! -d "/Users/${ADMIN_USER}" ]]; then
		echo "Creating ${ADMIN_USER} home folder"
		/usr/sbin/createhomedir -cu "$ADMIN_USER"
	else
		echo "/Users/${ADMIN_USER} exists already."
	fi

	if [[ ! -d $SSH_DIR ]]; then
		echo "Creating .ssh/"
		/bin/mkdir -p "$SSH_DIR"
	else
		echo "${SSH_DIR} exists already."
	fi

	if [[ ! -f $KEY_FILE ]]; then
		echo "Creating .ssh/authorized_keys"
		/usr/bin/touch "$KEY_FILE"
	else
		echo "${KEY_FILE} exists already."
	fi

	# sshd (StrictModes, the default) ignores authorized_keys if the directory or
	# file is owned by someone else or writable by group/other.
	echo "Setting ownership and permissions of ${SSH_DIR}"
	/usr/sbin/chown -R "${ADMIN_USER}:staff" "$SSH_DIR"
	/bin/chmod 700 "$SSH_DIR"
	/bin/chmod 600 "$KEY_FILE"

	# Fixed-string, whole-line match: regex metacharacters in the key and a longer
	# key that merely contains this one as a substring must not count as "present".
	if ! /usr/bin/grep -qxF -- "$AUTHORIZED_KEY" "$KEY_FILE"; then
		echo "Authorized key not in file, adding it."
		print -r -- "$AUTHORIZED_KEY" >> "$KEY_FILE"
	else
		echo "Authorized key exists."
	fi
fi

if [[ $(/usr/sbin/systemsetup -getremotelogin) == 'Remote Login: Off' ]]; then
	echo "Turning on SSH"
	/usr/sbin/systemsetup -f -setremotelogin On
else
	echo "SSH is on. Yay!"
fi

# Remote Login only lets members of com.apple.access_ssh log in. When access is
# set to "all users" macOS renames that group to com.apple.access_ssh-disabled,
# so rename it back (or create it if missing) to restrict SSH to explicit members.
if /usr/bin/dscl /Local/Default list /Groups | /usr/bin/grep -qx "com.apple.access_ssh-disabled"; then
	echo "Restricting SSH to members of com.apple.access_ssh."
	/usr/bin/dscl localhost change /Local/Default/Groups/com.apple.access_ssh-disabled RecordName com.apple.access_ssh-disabled com.apple.access_ssh
elif ! /usr/bin/dscl /Local/Default list /Groups | /usr/bin/grep -qx "com.apple.access_ssh"; then
	echo "Creating com.apple.access_ssh group."
	/usr/sbin/dseditgroup -o create -n /Local/Default -r "Remote Login Group" -T group com.apple.access_ssh
fi

# checkmember exits 0 only if the user is already a member.
if ! /usr/sbin/dseditgroup -o checkmember -m "$ADMIN_USER" com.apple.access_ssh >/dev/null 2>&1; then
	echo "Adding ${ADMIN_USER} to com.apple.access_ssh group."
	/usr/sbin/dseditgroup -o edit -n /Local/Default -a "$ADMIN_USER" -t user com.apple.access_ssh
fi

# kickstart can configure Remote Management but cannot enable it; the
# EnableRemoteDesktop MDM command must already have turned the service on.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
echo "Setting ARD options. (MDM command EnableRemoteDesktop needs to be sent manually for this to do anything)"
"$KICKSTART" -configure -allowAccessFor -specifiedUsers
"$KICKSTART" -configure -access -on -privs -all -users "$ADMIN_USER"
"$KICKSTART" -restart -agent

exit 0