There isn't a way to do this from Profile Manager; you still need to distribute to systems that are not allowing access in via ARD or SSH, as they're at default settings. What I did is use TextWrangler (don't use TextEdit) and paste the following string I put together. Change <YOUR LOCAL ADMIN ACCOUNT> to your admin account name.
Script:

#!/bin/sh
# set up SSH access in from your admin account
sudo dseditgroup -o edit -d admin -t group com.apple.access_ssh
sudo dscl . append /Groups/com.apple.access_ssh user <YOUR LOCAL ADMIN ACCOUNT>
sudo dscl . append /Groups/com.apple.access_ssh GroupMembership <YOUR LOCAL ADMIN ACCOUNT>
sudo dscl . append /Groups/com.apple.access_ssh groupmembers `dscl . read /Users/<YOUR LOCAL ADMIN ACCOUNT> GeneratedUID | cut -d " " -f 2`
sudo systemsetup -setremotelogin on
# set up ARD to allow access to your account
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers
# nsadmin is the account name as posted; use your own admin account name here
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users nsadmin -access -on -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -activate -restart -console
# exit status 0 signals success to the package installer
exit 0
Now the problem with admin users can be that they may try to remove anything they see as being limiting or allowing administration by you, so my next step was to name the script something that isn't obvious and hide it in the private folder somewhere; try something Unix-ish sounding. Then download Lingon (it's in the App Store). You're going to create a launch agent that will automatically apply these settings with each reboot using elevated privileges. I did it as root on the computer and I tested with before rolling it out. This is handy as you will revert any changes the user makes to your settings here.
You'll have the option to set when these are applied using the in the app. Those are just application features you'll need to learn about to get the most out of it. (I can't help with it.)
Now it isn't good to have to set up each computer this way (manually), so make another copy of that script. Download something like Iceberg and use this as a preflight script. The Exit 0 I place in the script above gives the success signal the package installer is waiting for to continue. Running the package installer will run the script, then install the settings. They'll then run again at restart or login, whatever you selected.
Now test. Did the package run the script and place the launch agent and script into your chosen location? Did your share settings get switched to what you wanted? Adjust as needed. Remove the settings in the Sharing pref pane with each test to be sure it's working.
It is far easier to create a one-stop-drop like this and visit people's computers for the small install of around 39k. Once this is done you have your way in, users won't easily find and disable your script, and when working, it will self-heal any changes made by local admins in the GUI every time they start up the Mac.
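
A check for the "Now test" step above, as an added example that is not part of the original post: it reads the output of `systemsetup -getremotelogin` and of `dscl . -read /Groups/com.apple.access_ssh GroupMembership` and reports whether Remote Login is on and the admin account is in the SSH access group. The `ADMIN` variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the SSH state the script above is meant to enforce.
# ADMIN is a hypothetical variable holding your local admin account name.
# Only the GroupMembership attribute is checked, not the GUIDs in groupmembers.

# remote_login_on "<output of: systemsetup -getremotelogin>"
remote_login_on() {
    case "$1" in
        "Remote Login: On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_group_has_user "<output of: dscl . -read ... GroupMembership>" user
ssh_group_has_user() {
    members=${1#GroupMembership:}
    # No "GroupMembership:" prefix means the attribute is missing.
    [ "$members" != "$1" ] || return 1
    for m in $members; do
        # Exact match only, so "labadministrator" does not satisfy "labadmin".
        if [ "$m" = "$2" ]; then return 0; fi
    done
    return 1
}

# check_access user login_output group_output
# Prints one line per check; the return status is the number of failures.
check_access() {
    fails=0
    if remote_login_on "$2"; then echo "OK   Remote Login is on"
    else echo "FAIL Remote Login is off"; fails=$((fails + 1)); fi
    if ssh_group_has_user "$3" "$1"; then echo "OK   $1 is in com.apple.access_ssh"
    else echo "FAIL $1 is not in com.apple.access_ssh"; fails=$((fails + 1)); fi
    return "$fails"
}

# On a Mac, run as root with ADMIN set to check the live values.
if [ "$(uname)" = "Darwin" ] && [ -n "${ADMIN:-}" ]; then
    check_access "$ADMIN" \
        "$(systemsetup -getremotelogin 2>/dev/null)" \
        "$(dscl . -read /Groups/com.apple.access_ssh GroupMembership 2>/dev/null)" \
        || echo "one or more checks failed"
fi
```

Run it after each test install and again after a restart, so you can see whether the settings were reapplied.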