flanerider

Q: Any way to get ARD to connect to a client using an Open Directory account

Hi. I work IT in a small enterprise, where all of the staff use Macs (iMacs and Mac Minis, of varying generations). All the machines run OS X 10.10.5, and we use ARD to monitor the machines and diagnose issues remotely. Our current setup uses ARD to connect to the clients via the local administrator account on the machine (staff use a regular user account). However, we like to change the admin credentials from time to time to keep things secure. It's a tedious process though, as we not only have to change the passwords on all the machines themselves, we also have to edit our computer lists in ARD to use the new password.

Is there any way to get ARD to connect to a client through an Open Directory profile? Like could we create an entry in our OD server that acts as "the ARD account", in that it has the privileges to control all the clients, but we can change that 1 password instead of everything we do now?

I've already tried granting a network account admin access, and I'm able to authenticate installs and ssh in, like any other admin, but ARD can't connect to a client when I try to authenticate with that user's credentials.

Remote Desktop, OS X Yosemite (10.10.5)

Posted on Jul 6, 2016 3:30 PM


  • by Pagrash,

    Jul 21, 2016 3:45 PM in response to flanerider

    It's been a while since I did this, but basically create a network group "ard_admin" and add the user to the group.

    Then use ARD to change client settings (Manage > Change Client Settings).

    The third window has a checkbox "Enable directory-based administration".

    Hope this helps

  • by remotedesktop,

    Aug 12, 2016 10:18 AM in response to flanerider

    The client on the target system will recognize the local group name “com.apple.local.ard_admin” and allow the users contained in it. You won’t be able to see the group in action in Sys Prefs, but it should work.

    To enable network users in general:

    sudo defaults write /Library/Preferences/com.apple.RemoteManagement DirectoryGroupLoginsEnabled -bool YES


    The group can be created with this command:

    sudo dseditgroup -o create -n /Local/Default com.apple.local.ard_admin

    To add a user to the group:

    sudo dseditgroup -o edit -n /Local/Default -a my-od-user1 com.apple.local.ard_admin
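
The three steps from the last reply, combined into one re-runnable script that checks each step before and after applying it. This is an added example, not part of the original thread; it assumes it runs as root on each client, and the account name passed to it (for example `my-od-user1`) is a placeholder for your own directory user.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on each client:
#   sh enable_ard_od.sh --apply my-od-user1   (file name is hypothetical)
# Group name and preference key are the ones given in the reply above.
ARD_GROUP="com.apple.local.ard_admin"
PLIST="/Library/Preferences/com.apple.RemoteManagement"
NODE="/Local/Default"

# Create the local group only if it is not already present.
ensure_group() {
    if dseditgroup -o read -n "$NODE" "$ARD_GROUP" >/dev/null 2>&1; then
        return 0
    fi
    dseditgroup -o create -n "$NODE" "$ARD_GROUP"
}

# Add one directory account to the group unless it is already a member.
ensure_member() {
    user="$1"
    if dseditgroup -o checkmember -m "$user" "$ARD_GROUP" >/dev/null 2>&1; then
        return 0
    fi
    dseditgroup -o edit -n "$NODE" -a "$user" "$ARD_GROUP"
}

# Turn on directory group logins and confirm the value was stored.
ensure_directory_logins() {
    defaults write "$PLIST" DirectoryGroupLoginsEnabled -bool YES || return 1
    [ "$(defaults read "$PLIST" DirectoryGroupLoginsEnabled 2>/dev/null)" = "1" ]
}

# Apply all three steps for one account and stop at the first failure.
enable_ard_directory_user() {
    user="$1"
    [ -n "$user" ] || { echo "usage: $0 --apply <directory-user>" >&2; return 2; }
    ensure_directory_logins || { echo "could not enable directory logins" >&2; return 1; }
    ensure_group || { echo "could not create $ARD_GROUP" >&2; return 1; }
    ensure_member "$user" || { echo "could not add $user" >&2; return 1; }
    # Final check: the account must now resolve as a member of the group.
    dseditgroup -o checkmember -m "$user" "$ARD_GROUP" >/dev/null 2>&1
}

# Only act when explicitly asked, so sourcing the file changes nothing.
if [ "${1:-}" = "--apply" ]; then
    enable_ard_directory_user "${2:-}"
fi
```

Because every step is checked first, the script can be pushed to all clients repeatedly without creating duplicate groups or memberships.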