Can you force ARD to ask permission before control/observing *AND* still be able to push updates/patches?

To the best of my knowledge, no, that's not possible. You need admin permissions to be able to push packages and do the other functions, and admins get access without any ability to have the user have to grant permissions. Only with guest users does the user get the ability to grant access permission. ,If having that sort of control is a requirement, then ARD may not be a workable solution for you, at least as the sole solution. You could perhaps use a combination solution, of ARD for package distrubution and other functions and some other solution such as LogMeIn that has access control from the client side for observe and control functions, turning off the Observe/Control capabilities for ARD on the clients.

Regards.

Thanks for this response. We are currently using ARD for remote access, but we are switching to another product, and want to disable just the remote access (VNC) features of our currently-running ARD machines. Do you know what command/script I can send to them to keep the ability to push packages and run reports, but disable VNC?

There may also a command-line equivalent, but you can do this via the Manage -> Change Client Settings option. You can turn off Observe and Control in the "Set Remote Desktop access mode" part of the Incoming Access pane.

Regards.

You can take a look at this website and it will give you the command to run that will control the Observe and Control options for the access mode.

http://support.apple.com/kb/HT2370

The command is:

$

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users "THIS IS WHERE YOU PUT THE USERS YOU WANT TO HAVE ACCESS" -access -on -privs -ControlObserve -ObserveOnly -TextMessages

Have you considered a trust based solution? You could just call, email, chat a request to view their screen. And promise users your only going to connect to their computers with their permistion. Beside the ARD menu on the client shows when some one is connected; and all connections are logged, and the user can always look at the history to see who's conencted and when.

The reason I say this is being in support is very trust based relationship. If you can push out updates, then your always going to have the ablity to remotely connect to the computer without the users software based authorizing.

I think this is a great point. My concern is around not being able to automatically connect to say the CEO's computer. Trust is great and we try to build that with our clients but it feels like a big ask when you are talking about heads of companies etc. If you are managing these machines though, with a local admin account and ARD then you can only rely on trust to control access. It's a tough question. ARD is such a great time saving tool in the right situation and one's workflow might have to dramatically change without it.

If you increase the logging of the Application Firewall, there will be entries in /var/log/appfirewall.log which indicate the use of ARD ports 5900 and 3283 and the IP address requesting it.

/usr/libexec/ApplicationFirewall/socketfilterfw —setloggingmode on

/usr/libexec/ApplicationFirewall/socketfilterfw —setloggingopt detail

Cheers