Enabling remote management on macOS Mojave is different from an admin’s usual process. Learn how to enable remote management in macOS 10.14 or newer.
With the past two releases of macOS, Apple has made strides to increase user data protections. The User-Approved Mobile Device Management (UAMDM) framework was rolled out initially back in 10.13.2; however, further enforcement of certain features has occurred with 10.13.4, and additional restrictions implemented in Mojave.
Some of these protections, such as the User Approved Kernel Extension Loading or the ability to silently enroll devices with an MDM server, have been severely limited until the user manually approves the profile; this confirmation allows the profile to be fully enabled on the system, thereby granting IT full management rights. While this makes IT’s job particularly difficult on corporate networks, it was changed in an effort to allow users greater control over the security over their devices.
While the instances above primarily affect MDM enrolled devices, a longtime go-to feature for remote device management—enabling Apple Remote Desktop (ARD)—silently via script or SSH has been restricted to “read-only rights” as of 10.14. Before this change, admins could simply run a command to enable access and allow full access to the device remotely; this setting has been moved to Apple’s configuration profile, and it is managed through the Privacy Preferences Policy Control Payload property key.
SEE: 10 essential apps and utilities for your Mac (free PDF) (TechRepublic)
Different MDM platforms may call this key something different, but the underlying Apple-created frameworks are shared by all MDM platforms. Fortunately, the same configuration steps will work across all platforms. Follow the steps below to generate the specific configuration profile for your organization to allow full remote management access once it’s deployed.
How to enable remote management in macOS 10.14 or newer
- After extracting the contents of the ZIP file, launch Terminal.app.
- Change working directories to the path of the extracted ZIP.
- Enter the following command, taking care to modify the lines that specify your organization:
./tccprofile.py —pe /System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent —allow —payload-description="Enables ARD/Remote Management on macOS 10.14 (Mojave)" —payload-identifier="COM.COMPANYNAME.DOMAIN" —payload-name="Enable ARD Kickstart" —payload-org="COMPANY_NAME" —payload-version="1" -o ~/Desktop/Enable_ARD_Kickstart.mobileconfig
4. The script generates the file Enable_ARD_Kickstart.mobileconfig on the user’s desktop. Using a text editor, open the newly created file and locate the following block of lines:
Identifier /System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent IdentifierType path
5. Delete the lines, and replace them with the following block of lines, then save your mobileconfig file:
Identifier com.apple.screensharing.agent IdentifierType bundleID
6. Log on to your MDM server and find the corresponding key (or location where you can upload custom configurations) and point it to your newly created mobileconfig. Upon deployment, the policy will be distributed to your managed Macs and configure them OTA.
Note: The following only applies to organizations using Apple’s Profile Manager (PM) as an MDM. Before uploading the configuration, rename the extension from .mobileconfig to .plist, since PM only recognizes the latter when uploading customized configurations. No other changes need to be made, as the extension types are interchangeable.