In the past three blogs you have seen how to change a user preference, how to change the background and how to change a system preference by changing the logon window text. In this blog I want to show you that you are also able to enable remote administration, including VNC access and that you are able to manage or add users to a remote Mac OS X device. This can be handy if you need to manage a lot of Mac devices and if you do not want to configure them by hand. Let’s see how this works, again the Mac community was very helpful in explaining how to for instance create a user via Shell Script.
After trying to manage the com.apple.remotemanagement.plist file located in /library/Preferences I searched for an alternative option to enable remote management and remote control via VNC. An alternative was found in Kickstart, located in a well hidden place /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/ . With this command line utility you are able to configure the remote management preferences. So this is a great tool to misuse (again 😉 ) in for instance the Discovery Script of a Configuration Item.
When running the command line manually you see that the command report back if remote management has been activated correctly or not, so if we configure the compliance rule check if the reported results contains “Activated”.
Now that we have configured Remote Management we also want to create an administrative user that can be used to remotely control and manage the Mac OS X device. Let’s say we want to create a user called remoteadmin. First we need to first create a discovery script that checks if there is a folder called remoteadmin exists in the /users/ folder. If so the user is already in place and nothing needs to be done, if the user is not in place we need to create the user by remediating it via the remediation script.
In the fourth line of the script we starting Sudo in Super User mode (sudo –su), to be able to run Sudo in this mode we need to supply a password which we temporary parsed to a file called pwd.txt. This can be every accessible folder on the Mac OS X device. With the Directory Service command line utility we are able to create a user with the appropriate permissions and settings. In this example we will use the super-secret password P@ssw0rd. 😉
If you want to use the script above be sure to change the location in line #2 and the Super User password (P@ssw0rd) in line #3.
Adding both Configuration Items to a Configuration Baseline and deploying it to a collection with Mac devices will result in the fact that a user remoteadmin is created and that Remote Management is enabled. In the Mac OS X device you are able to see if Remote Management and VNC access are configured.
Now that Remote Management is configured you need to check if the remoteadmin user is created, this can also be done in the preferences.
If you want to try this baseline, you can download it here. Be sure to test it first in a lab environment before using it in production.