Created
November 19, 2020 16:21
set_apple_remote_desktop_to_use_directory_based_management_permissions.sh
#!/bin/bash

# Status code handed to "exit" on the last line of this script.
error=0

# Assigning Apple Remote Desktop (ARD) permissions with this script
# requires two pieces of information:
#
#   - The username of the account that needs to be assigned
#     Apple Remote Desktop permissions.
#   - The name of the Apple Remote Desktop management group which
#     assigns the right permissions.
#
# Rights carried by each Apple Remote Desktop management group:
#
#   com.apple.local.ard_admin
#       Generate reports, Open and quit applications, Change settings,
#       Copy Items, Delete and replace items, Send messages,
#       Restart and Shut down, Control, Observe, Show being observed
#
#   com.apple.local.ard_interact
#       Send messages, Control, Observe, Show being observed
#
#   com.apple.local.ard_manage
#       Generate reports, Open and quit applications, Change settings,
#       Copy Items, Delete and replace items, Send messages,
#       Restart and Shut down
#
#   com.apple.local.ard_reports
#       Generate reports
#
# Review note: the account named in ardLocalAdmin and every member of the
# directory group named in ardOdGroup_admin end up in
# com.apple.local.ard_admin, which carries the widest set of rights in the
# list above (including Control and Delete and replace items). Choose those
# two values deliberately and keep the membership of all four directory
# groups under review.
#
# Set the local account and the Open Directory group names here:
ardLocalAdmin='administrator'
ardOdGroup_admin='ardadmin'
ardOdGroup_interact='ardinteract'
ardOdGroup_manage='ardmanage'
ardOdGroup_reports='ardreports'

# Do not edit below this line.
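CreateGroups(){
  # Ensure one local group exists in /Local/Default, creating it with
  # dseditgroup when the lookup fails.
  #
  # Globals:   groupname (read)  - group to check when no argument is given
  #            error (written)   - set to 1 when the group cannot be created,
  #                                so the script's final "exit $error" reports it
  # Arguments: $1 - optional group name; defaults to the global $groupname
  # Outputs:   progress messages on stdout, failures on stderr
  # Returns:   0 if the group exists or was created, 1 otherwise
  local target="${1:-$groupname}"

  # An empty name would make dseditgroup fail with a confusing usage error.
  if [ -z "$target" ]; then
    echo "CreateGroups: no group name supplied." >&2
    error=1
    return 1
  fi

  # With no -o operation the tool only looks the group up; a non-zero
  # status is treated as "group is missing".
  if /usr/sbin/dseditgroup -n /Local/Default "$target"; then
    echo "$target group already exists."
    return 0
  fi

  echo "$target group does not exist. Creating $target group."
  # A failed create must not pass silently: later steps add members to this
  # group and switch ARD over to group-based permissions.
  if ! /usr/sbin/dseditgroup -n /Local/Default -o create "$target"; then
    echo "Failed to create $target group." >&2
    error=1
    return 1
  fi
  return 0
}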
CreateAppleRemoteDesktopGroups(){
  # Walk the four local groups that Apple Remote Desktop's directory-based
  # permissions management relies on and hand each one to CreateGroups.
  #
  # CreateGroups picks the name up from the global variable "groupname",
  # so the loop variable is deliberately not declared local.
  for groupname in \
    com.apple.local.ard_admin \
    com.apple.local.ard_interact \
    com.apple.local.ard_manage \
    com.apple.local.ard_reports
  do
    CreateGroups
  done
}
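AddUsersToAppleRemoteDesktopGroups(){
  # Add the configured local account and directory groups to the local
  # groups used by Apple Remote Desktop's directory-based management.
  #
  # Globals:   ardLocalAdmin, ardOdGroup_admin, ardOdGroup_interact,
  #            ardOdGroup_manage, ardOdGroup_reports (read)
  #            error (written) - set to 1 when any membership change fails
  # Outputs:   one "Added ..." line per successful change on stdout,
  #            failures on stderr
  # Returns:   0 when every membership change succeeded, 1 otherwise
  local entry member member_type ard_group
  local failed=0

  # Each entry is "<member type>:<ARD group>:<member name>"; the member name
  # comes last so that it may itself contain a colon.
  for entry in \
    "user:com.apple.local.ard_admin:$ardLocalAdmin" \
    "group:com.apple.local.ard_admin:$ardOdGroup_admin" \
    "group:com.apple.local.ard_interact:$ardOdGroup_interact" \
    "group:com.apple.local.ard_manage:$ardOdGroup_manage" \
    "group:com.apple.local.ard_reports:$ardOdGroup_reports"
  do
    member_type=${entry%%:*}
    entry=${entry#*:}
    ard_group=${entry%%:*}
    member=${entry#*:}

    if [ -z "$member" ]; then
      echo "No account or group name configured for $ard_group; skipping." >&2
      failed=1
      continue
    fi

    # Report "Added" only when dseditgroup succeeded: this output is the
    # record of who was granted remote-management rights, so it must not
    # claim a grant that did not happen.
    if /usr/sbin/dseditgroup -o edit -a "$member" -t "$member_type" "$ard_group"; then
      echo "Added $member to $ard_group"
    else
      echo "Failed to add $member to $ard_group" >&2
      failed=1
    fi
  done

  if [ "$failed" -ne 0 ]; then
    error=1
  fi
  return "$failed"
}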
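EnableAppleRemoteDesktopDirectoryManagement(){
  # Turn on Apple Remote Desktop and switch it to directory-based
  # (group membership) permissions using the kickstart tool.
  #
  # Globals:   ardkickstart (written) - path of the kickstart tool
  #            error (written)        - set to 1 when the tool is missing or
  #                                     a configuration step fails
  # Outputs:   whatever kickstart prints; a message on stderr if it is missing
  # Returns:   1 when kickstart is not executable; otherwise the status of
  #            launching the background agent restart
  #
  # Review note: after this runs, membership of the com.apple.local.ard_*
  # groups is what grants remote-management rights on this Mac, so changes
  # to those groups should be monitored like any other privilege grant.
  ardkickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

  # Stop before changing anything if the tool is not where we expect it.
  if [ ! -x "$ardkickstart" ]; then
    echo "kickstart tool not found or not executable: $ardkickstart" >&2
    error=1
    return 1
  fi

  # Turn on Apple Remote Desktop by activating
  # the Apple Remote Desktop management agent
  "$ardkickstart" -activate || error=1

  # Allow Apple Remote Desktop access only for specified users
  "$ardkickstart" -configure -allowAccessFor -specifiedUsers || error=1

  # Enable Apple Remote Desktop management groups
  "$ardkickstart" -configure -clientopts -setdirlogins -dirlogins yes || error=1

  # Restart the Apple Remote Desktop agent process. It runs in the
  # background, so its exit status is not collected here.
  "$ardkickstart" -restart -agent &
}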
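# Editing local directory groups and reconfiguring Apple Remote Desktop
# both need root. Stop here rather than fail part-way through and leave
# the groups and the ARD settings out of step with each other.
if [ "$(/usr/bin/id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi

# Create Apple Remote Desktop management groups
# and add the specified user account to the
# specified management group.
CreateAppleRemoteDesktopGroups
AddUsersToAppleRemoteDesktopGroups

# Turn on Apple Remote Desktop and configure
# it to use Apple Remote Desktop's directory-based
# management to assign permissions.
EnableAppleRemoteDesktopDirectoryManagement

# Quote the status and fall back to 0 so an unset value cannot break "exit".
exit "${error:-0}"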