I spent the last several days being confused by (1) how the change would impact my environment, (2) Apple's documentation, (3) mixed reports from others about whether their prior methods for enabling Screen Sharing / Remote Management were still working as usual for them on Monterey 12.1, and (4) disagreement over what components of their existing solutions were even required to have functional Screen Sharing.

I came across multiple Slack threads where people were confused by Apple's documentation not matching their observations about existing solutions involving kickstart and PPPC configuration profiles. The only macOS machines I manage are build servers used for continuous integration (CI), not for regular use, so I am looking at this from that somewhat niche use case. But, as I'm learning how to make use of MDM on headless build machines, what I dug up seems generally relevant for others leveraging Screen Sharing / Remote Desktop in their environments.

So, this post is both a recap of what I've been able to make sense of and some ideas/research that I hope clarify things going forward.

Prior to 12.1, it was possible to enable Screen Sharing by simply running this:

```sh
# kickstart ships inside the ARDAgent bundle
kickstart=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
# restrict Remote Management access to the users listed explicitly
$kickstart -configure -allowAccessFor -specifiedUsers
# turn access on for the "admin" user with all privileges
$kickstart -configure -access -on -users admin -privs -all
```

Confusingly, Apple did document that this would allow view-only as of macOS 10.14 Mojave, but this wasn't what I observed.

What I experience as of macOS 12.1 (and this seems mostly echoed by others I talk with on the MacAdmins Slack) is that enabling Screen Sharing / Remote Management using either of the above methods leads to either a blank screen or a connection that just stalls forever, even though the target machine will display a popover from the menu bar, with a message to the effect of "this screen is currently being observed."

The underlying cause for this behaviour change is that the Screen Sharing service is now fully gated behind the TCC mechanisms in macOS. These prevent a service from (for example) recording a machine's screen without the user's explicit permission. Usually these show up in the System Preferences Privacy pane, but Screen Sharing / Remote Management don't seem to show up in this list.

Apple's release notes point to this support document, which at the time of writing states that if your target machine is enrolled in MDM, then it is possible to send an MDM command to enable Remote Desktop, and optionally a PPPC payload configuration profile granting PostEvent rights to the service, in order to allow control. Upon reading the aforementioned KB it took me some back and forth to understand that the actual command it is hinting at is EnableRemoteDesktop, as described in the developer documentation. Sending only the command, without any PPPC configuration profile, is sufficient to allow view and control.

Update: Since originally publishing this article, it seems that the above KB has now been simplified (its last update as of today is January 26, 2022) to remove the details of how to grant PostEvent permissions in a PPPC payload profile. That document also describes exactly what capabilities are enabled by the command, which match what I see from my experiments.
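As an added example (not code from the original post or from Apple), here is how the EnableRemoteDesktop command discussed above is assembled and how the device's reply is checked, using only the command and response shapes from Apple's MDM protocol documentation. The command UUIDs, the placeholder UDID and the sample replies are constructed for the example; pushing the command to the device over the MDM channel is left to whatever MDM server you use.

```python
"""Assemble an MDM EnableRemoteDesktop command and check the device's reply.

Added example, not code from the original post or from Apple. It assumes
only the command shape in Apple's MDM developer documentation (a
CommandUUID plus a Command dict whose RequestType is EnableRemoteDesktop
or DisableRemoteDesktop) and the usual device reply shape (CommandUUID,
Status, and an ErrorChain list when Status is Error). Delivery over the
MDM channel is out of scope; the sample replies below are constructed.
"""
import plistlib
import uuid

ENABLE_REMOTE_DESKTOP = "EnableRemoteDesktop"
DISABLE_REMOTE_DESKTOP = "DisableRemoteDesktop"


def build_remote_desktop_command(enable: bool, command_uuid: str = "") -> dict:
    """Return the command dict an MDM server queues for the device.

    No PPPC payload accompanies it: on macOS 12.1 the command alone yields
    view and control, so there is nothing else to attach.
    """
    request_type = ENABLE_REMOTE_DESKTOP if enable else DISABLE_REMOTE_DESKTOP
    return {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {"RequestType": request_type},
    }


def to_plist(command: dict) -> bytes:
    """Serialize the command as the XML plist that goes over the MDM channel."""
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


def parse_device_response(raw: bytes, expected_command_uuid: str) -> dict:
    """Interpret the device's reply to a queued command.

    Returns {'acknowledged': bool, 'status': str, 'errors': [str, ...]}.
    A reply for a different CommandUUID raises ValueError so that a stale
    or out-of-order reply is never taken as success for this command.
    """
    response = plistlib.loads(raw)
    if response.get("CommandUUID") != expected_command_uuid:
        raise ValueError("reply CommandUUID does not match the command sent")
    status = response.get("Status", "")
    errors = [
        f"{err.get('ErrorDomain')}/{err.get('ErrorCode')}: {err.get('LocalizedDescription')}"
        for err in response.get("ErrorChain", [])
    ]
    return {"acknowledged": status == "Acknowledged", "status": status, "errors": errors}


# Constructed sample replies with a placeholder UDID (not captured from a real Mac).
SAMPLE_ACK = plistlib.dumps({
    "CommandUUID": "cmd-0001",
    "UDID": "00000000-0000-0000-0000-000000000000",
    "Status": "Acknowledged",
})
SAMPLE_ERROR = plistlib.dumps({
    "CommandUUID": "cmd-0001",
    "UDID": "00000000-0000-0000-0000-000000000000",
    "Status": "Error",
    "ErrorChain": [{
        "ErrorDomain": "ExampleDomain",  # constructed, not a real MDM error domain
        "ErrorCode": 1,
        "LocalizedDescription": "constructed error",
    }],
})

if __name__ == "__main__":
    command = build_remote_desktop_command(enable=True, command_uuid="cmd-0001")
    print(to_plist(command).decode())
    print(parse_device_response(SAMPLE_ACK, command["CommandUUID"]))
    print(parse_device_response(SAMPLE_ERROR, command["CommandUUID"]))
```

Run it directly to print the XML plist that goes on the wire. The CommandUUID check is the part worth keeping in real tooling: MDM replies arrive asynchronously on the check-in channel, so pairing each reply with the command it answers is what tells you that Remote Desktop was actually enabled on that machine, rather than some earlier, unrelated command having been acknowledged.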