Channel: rtrouton – Der Flounder

Using directory membership to manage Apple Remote Desktop permissions


Apple Remote Desktop (ARD) is a screen sharing and remote administration tool that just about every Mac admin uses at some point. Configuring access permissions for it can be done in several ways:

  1. Using System Preferences’ Sharing preference pane to configure the Remote Management settings.
  2. Using the kickstart command line utility to grant permissions to all or specified users.
  3. Using the kickstart command line utility to grant permissions to members of specified directory groups.

The last item may be the least-known method of assigning permissions, but it can be the most powerful because it allows ARD’s management agent to be configured once, after which group membership alone determines who holds which ARD permissions. For more details, please see below the jump.

As documented in the Apple Remote Desktop administrator guide, Apple’s directory-based permissions model looks like this:

[Image: directory-based permissions model from the Apple Remote Desktop administrator guide (Screen Shot 2018-08-21 at 2.04.29 PM)]

In the past, these rights could be assigned via Apple’s Workgroup Manager using MCX, using a configuration like the one shown below:

[Image: ARD 3 Admin Guide, page 64: MCX configuration in Workgroup Manager]

However, this MCX-based method does not seem to work on macOS High Sierra. I have not yet been successful when assigning them using a management profile.

A secondary method using local groups on the Mac still works as of macOS High Sierra.

[Image: ARD 3 Admin Guide v3.3, page 73: permissions assigned via local groups]

To configure ARD permission management via assignment to a local group, the following procedure should be used:

1. Create the following groups on your Mac:

com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_reports

2. Add the desired user(s) or groups to the relevant com.apple.local.ard_ group.

3. Configure ARD using the kickstart utility to recognize and use directory-based logins.

For example, the command shown below will enable the ARD management agent and configure it to use directory-based logins:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -clientopts -setdirlogins -dirlogins yes

Once configured, ARD permissions can be assigned by adding accounts to, or removing them from, the relevant com.apple.local.ard_ groups. For example, adding a local user account named Administrator to the local com.apple.local.ard_admin group produces the following results.

Without any other configuration, the Administrator account now appears listed in the Remote Management settings.

[Screenshot: the Administrator account listed in the Remote Management settings (Screen Shot 2018-08-22 at 8.40.26 AM)]

The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:

  • Generate reports
  • Open and quit applications
  • Change settings
  • Copy Items
  • Delete and replace items
  • Send messages
  • Restart and Shut down
  • Control
  • Observe
  • Show being observed

[Screenshot: ARD permissions assigned to the Administrator account (Screen Shot 2018-08-22 at 8.40.20 AM)]

Adding a local user account named User Name to the com.apple.local.ard_interact group produces the following results.

Without any other configuration, the User Name account now appears listed in the Remote Management settings.

[Screenshot: the User Name account listed in the Remote Management settings (Screen Shot 2018-08-22 at 8.41.37 AM)]

The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:

  • Control
  • Observe
  • Show being observed

[Screenshot: ARD permissions assigned to the User Name account (Screen Shot 2018-08-22 at 8.41.42 AM)]

To assist with creating these groups and assigning user accounts to them, I’ve written a script that does the following:

  1. Allows a username and group to be specified for ARD permissions
  2. Verifies that the username exists on the Mac
  3. Creates all four ARD permissions management groups
  4. Adds the specified user account to the specified management group
  5. Turns on ARD’s management agent and configures it to use ARD’s directory-based management to assign permissions

The script is available below. It’s also available from GitHub using the following link:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/set_apple_remote_desktop_to_use_directory_based_management_permissions
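As an added illustration of the three-step procedure above and of the behaviour the script description lists, here is an example shell script of my own. It is not the script from the GitHub link and not rtrouton's code. It assumes a macOS system where `dseditgroup`, `dscl` and `id` are available and where kickstart lives at the standard path quoted earlier in the post; the role names `admin`, `interact`, `manage` and `reports` are shorthand I chose for the four com.apple.local.ard_ groups.

```shell
#!/bin/sh
# Added example, not rtrouton's script. Creates the four com.apple.local.ard_*
# groups, adds one user to one of them, and enables the ARD agent with
# directory-based logins. Assumes macOS (dseditgroup, dscl, id) and the
# standard kickstart path.
# Usage (as root): sh ard_group_setup.sh <username> <admin|interact|manage|reports>

KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
ARD_ROLES="admin interact manage reports"

# Map a role shorthand to the local group ARD consults. Prints the group name
# and returns 0; prints nothing and returns 1 for a role ARD does not know.
ard_group_name() {
    case "$1" in
        admin|interact|manage|reports) printf 'com.apple.local.ard_%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Return 0 if the account resolves on this Mac (local or directory user).
user_exists() {
    id "$1" >/dev/null 2>&1
}

# Create one ARD group in the local directory node if it is missing.
ensure_group() {
    if dscl . -read "/Groups/$1" >/dev/null 2>&1; then
        echo "Group $1 already exists"
    else
        dseditgroup -o create -r "ARD $1" "$1" && echo "Created group $1"
    fi
}

# Add a user to a group, then confirm the membership actually took effect.
add_member() {
    dseditgroup -o edit -a "$2" -t user "$1"
    dseditgroup -o checkmember -m "$2" "$1" >/dev/null
}

# Enable the agent and switch it to directory-based logins (the kickstart
# command quoted in the post).
enable_directory_logins() {
    "$KICKSTART" -activate -configure -clientopts -setdirlogins -dirlogins yes
}

main() {
    user="$1"
    role="$2"
    [ "$(id -u)" -eq 0 ] || { echo "Run as root" >&2; exit 1; }
    group=$(ard_group_name "$role") || { echo "Unknown role: $role" >&2; exit 1; }
    user_exists "$user" || { echo "No such user: $user" >&2; exit 1; }
    [ -x "$KICKSTART" ] || { echo "kickstart not found at $KICKSTART" >&2; exit 1; }

    # Always create all four groups so later assignments need no setup.
    for r in $ARD_ROLES; do
        ensure_group "$(ard_group_name "$r")"
    done

    add_member "$group" "$user" && echo "$user is now a member of $group"
    enable_directory_logins
}

# Only act when invoked with the two expected arguments; running or sourcing
# the file without arguments just defines the functions.
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

The membership check after `dseditgroup -o edit` matters in practice: an account added to com.apple.local.ard_admin silently receives every ARD right shown in the screenshots above, so confirming exactly which group the account landed in is the cheap verification step before the agent is switched to directory-based logins.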

