7.5. Apple Remote Desktop

Apple Remote Desktop is a desktop management suite sold as a separate product from OS X Server. Commonly called ARD, its client component is installed by default on every OS X machine. Before a client machine can be managed, it must have the service turned on and access levels configured for users. This can be done by visiting the Remote Management service found in the Sharing preference pane. The Sharing pane can be accessed by visiting System Preferences under the Apple menu. Under the Remote Management service UI, you will find options to configure the service for all users or for specific users. From here, you can add individual users and configure levels of remote access, though typically the only local user that would need remote access is the 501 user. This user will typically have full access to the machine, and the end user may or may not be shown visible cues when they are being observed or controlled. You can also configure this service via the command line with the kickstart command, found at /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart. For example, to configure access to your machine for your 501 user, myAdmin, run the following command as root:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -users myAdmin -privs -all -restart -agent -menu

From here on out, the machine will accept connections for that user; it makes no difference whether you enabled the service in System Preferences or with kickstart.

7.5.1. Scanning Networks with ARD

Apple Remote Desktop possesses a network scanner that can detect machines via Bonjour, by a specific IP address, or by a range of IP addresses. Multiple scanners can be set up, making it easy to rediscover DHCP machines on remote subnets.

To create a network scanner, simply select New Scanner from the File menu. Name the scanner appropriately, and in the right-hand pane, configure the scanner's settings. Options are Bonjour, Local Network, Network Range, Network Address, or File Import. These are mostly self-explanatory. Local Network searches the subnets local to all interfaces on the machine. Network Range allows you to specify a starting and ending IP address, which is handy for scanning remote subnets. File Import allows you to import a file containing newline-delimited IP ranges. This is handy if you have rather intricate subnet configurations and want to capture multiple ranges in a single scan:

10.0.1.2-10.0.2.50
10.0.3.100-10.0.3.102
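Before importing a range file like the one above, it is worth checking that every line parses and seeing how many addresses each range covers, since a typo in an octet or a reversed start/end silently turns into a bad or oversized scan. The following validator is an added example, not code from the book or from Apple; it assumes only the START-END format shown above and runs with plain sh and awk. Blank lines and lines beginning with # are skipped.

```shell
#!/bin/sh
# Validate and size the newline-delimited range file that ARD's File Import
# scanner reads. Added example, not from the book. Each line is START-END.

# ip_to_int DOTTED: print the 32-bit integer value of an IPv4 address,
# or return 1 if the string is not four octets in 0..255
ip_to_int() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++) {
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            }
            print (($1 * 256 + $2) * 256 + $3) * 256 + $4
        }'
}

# range_size "A.B.C.D-E.F.G.H": print the number of addresses in the range,
# or return 1 if either address is invalid, the dash is missing, or START > END
range_size() {
    start=${1%-*}
    end=${1#*-}
    [ "$start" != "$1" ] || return 1          # no dash at all
    s=$(ip_to_int "$start") || return 1
    e=$(ip_to_int "$end") || return 1
    [ "$s" -le "$e" ] || return 1
    echo $((e - s + 1))
}

# check_range_file FILE: print "<line> <size>" for each valid range and
# "<line> INVALID" otherwise; return 1 if any line was invalid
check_range_file() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if n=$(range_size "$line"); then
            printf '%s %s\n' "$line" "$n"
        else
            printf '%s INVALID\n' "$line"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: sh check_ranges.sh ranges.txt
if [ "$#" -gt 0 ]; then
    check_range_file "$1"
fi
```

For the two-line file shown above, the first range resolves to 305 addresses and the second to 3, so the total scan covers 308 hosts; a range such as 10.0.3.102-10.0.3.100 is reported as INVALID because its start is greater than its end.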

To list or to scan? ARD has both static lists and dynamic scanners. If you find yourself coming and going from a network a lot, you will be much happier with a scanner. If you are managing static IP addresses only, or have only a single subnet for all machines, then lists are probably better suited. Lists are also better suited if you need to repeatedly target specific machines.


7.5.2. Controlling machines

Controlling machines is pretty straightforward. First, you must add client machines to your local database. To do so, use a scanner that you previously configured. The scanner will display found machines with a blue icon. Simply drag them to the All Computers container on the left. Once you have performed this action, computers listed in the scanner will have a blue icon next to them, as shown in Figure 7-27.

Figure 7.27. Discovering machines with the Scanner in Apple Remote Desktop

Once added, you can control a machine by selecting it in the list and clicking the Control button. You will then have remote control of the client's console session, assuming (or sharing) control of its keyboard and mouse. It is important to note that all ARD sessions and loginwindow sessions share the same console. This is equivalent to /console connections in Windows Terminal Services.

7.5.3. Sending Commands, Packages, and Scripts

One extremely powerful feature of ARD lies in its ability to distribute package installers, send remote Unix shell commands, and even copy files to machines. When copying files, ARD will attempt to use multicast for distribution, making distribution of files and packages to machines on the same subnet extremely efficient. To push installation of a package to multiple machines, simply select them in your scanner or list and select "Install Packages." Here, you can install standard mpkg and pkg-based installers. You can deploy multiple packages at one time; they will execute in the order in which they appear in the list. This makes it especially handy for pushing software installs and then subsequent updates all in one swoop. Figure 7-28 shows the GUI for remotely executing UNIX shell scripts via ARD's Send Unix Command.

Figure 7.28. Deploy packages in Apple Remote Desktop

Unix shell commands are an equally invaluable tool for managing remote machines. For example, you may need to temporarily enable SSH access on a group of machines for remote management. Using ARD, you can easily push out the command to do this. First, select the desired target computers from a scanner or list and select the Send Unix Command option from the Manage menu. Alternatively, you can click the Unix button in the toolbar. Either way, you will be presented with the window shown in Figure 7-29. In the top field of the window, enter the command:

launchctl load -w /System/Library/LaunchDaemons/ssh.plist

This command loads a system launch daemon and therefore needs to run with root privileges. To do this, select the option Run as User: and enter a value of root.

Figure 7.29. Remotely execute shell scripts in Apple Remote Desktop

When you're done with your SSH work, you can disable it again by redeploying the same command with the unload subcommand in place of load.

7.5.4. Enabling Directory Service groups

With ARD, it is possible to configure authentication for a user existing in a network directory service. There are a couple of different approaches to this. First, you must enable directory authentication on the client side. This can be done graphically in the ARD application. Next, you will want to be able to manage the target clients in ARD with a local user. Once this is set up, select the target clients in a list or scanner and select the menu item Change Client Settings, found under the Manage menu. From here, you will be presented with an assistant that asks you a series of configuration questions. On the fourth pane of the assistant, you are presented with the option to enable directory-based administration. This option will enable directory users found in specific groups: ard_admin, ard_interact, ard_manage, and ard_reports. From there, it will use membership in these groups to grant the respective rights to their members. The ard_admin group represents full access and is the most common. The ard_interact group limits interaction to screen control. Alternatively, you can configure these options through the kickstart command:

kickstart -activate -configure -clientopts -setdirlogins -dirlogins yes -setdirgroups -dirgroups ard_admin,ard_interact,ard_manage,ard_reports -restart -agent

If you find that you need to deploy specific administrators to specific computers, the use of a single global ard_admin group isn't going to help you much. Instead, you can deploy MCX configurations that tell the application to use specific groups. The easiest way to deploy this setting is via dscl. Specifically, you will be deploying a setting that tells ARD to consult a group (or groups) of your choosing in place of the standard ard_admin, ard_interact, ard_manage, and ard_reports groups. You can supplant one or all of these groups. For example, if you want to have two administrative groups applied to your "lab2" computer group, you would use the following syntax:

dscl -u hunterbj /LDAPv3/hax.lbc -mcxset /ComputerGroups/local com.apple.remotedesktop ard_admin always "(admingroup1,admingroup2)"

Once you have deployed the MCX settings, you just need to restart the machine and you should then be able to manage it. Unfortunately, this functionality was broken around the time of the introduction of Remote Desktop 3.2.2 and OS X 10.5.3, and the issue persists as of 10.5.7. This is the only official way to deploy ARD management capabilities to specific groups. However, there is a workaround. It involves creating an ard_admin group in the local directory node. From there, you can nest Open Directory groups inside this local group, thereby granting them ard_admin capabilities. To do this, use the following syntax locally on the client (as root):

dseditgroup -o create ard_admin
dseditgroup -o edit -a myadmingroup1 -t group ard_admin

By running these two commands, you create the local group and then nest your directory service group inside it. It isn't quite as clean as pure directory groups, but it gets the job done.

7.5.5. Enabling Directory-Based Administrator Groups

It is also possible to give a directory service group local administrative access to workstations. This procedure is essentially identical to nesting groups in ard_admin; however, instead of nesting your groups inside ard_admin, you nest them inside the standard local admin group. To set up administrative OD groups, you use similar syntax:

dseditgroup -o edit -a myadmingroup1 -t group admin

If you are using AD, the AD plug-in actually provides you with a nice GUI to do this. Surprisingly, there is no equivalent UI for OD groups. See Chapter 3 for more details on the AD plug-in.
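The nesting commands in this section and the previous one are the same dseditgroup invocation repeated for each local group, so they are easy to script. The script below is an added example and is not the book's setNetworkAdminRights script: it nests each directory group you name into all four ard_* groups and into the local admin group, creating the ard_* groups first if they do not already exist, so it can be re-run safely. It must be run as root on the client. Setting DRY_RUN=1 prints the dseditgroup commands instead of executing them, which is also what lets it run on a machine without dseditgroup. The group name labadmins used in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Nest directory groups into the local ard_* groups and the local admin group.
# Added example, not the book's own script. Run as root; DRY_RUN=1 only prints.

ARD_GROUPS="ard_admin ard_interact ard_manage ard_reports"

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# local_group_exists NAME: succeed if a local group record NAME exists.
# In dry-run mode we cannot query the directory, so assume it must be created.
local_group_exists() {
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    dseditgroup -o read "$1" >/dev/null 2>&1
}

# nest_group DSGROUP LOCALGROUP: create LOCALGROUP if needed, then nest
# DSGROUP inside it (the same two commands the text shows for ard_admin)
nest_group() {
    local_group_exists "$2" || run dseditgroup -o create "$2"
    run dseditgroup -o edit -a "$1" -t group "$2"
}

# set_network_admin_rights DSGROUP [DSGROUP...]: for each directory group,
# nest it into every ard_* group and into the local admin group. The admin
# group exists on every OS X install, so it only gets the edit step.
set_network_admin_rights() {
    for ds in "$@"; do
        for g in $ARD_GROUPS; do
            nest_group "$ds" "$g"
        done
        run dseditgroup -o edit -a "$ds" -t group admin
    done
}

# Usage: sudo sh setNetworkAdminRights.sh labadmins
#        DRY_RUN=1 sh setNetworkAdminRights.sh labadmins   (preview only)
if [ "$#" -gt 0 ]; then
    set_network_admin_rights "$@"
fi
```

In dry-run mode, one directory group produces nine lines: a create and an edit for each of the four ard_* groups, followed by the single edit against admin. Reviewing that output before running it for real is a cheap way to confirm exactly which local groups are about to gain a nested directory group.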

To help deploy these configurations in one fell swoop, I have provided a script for you to use. This script, named setNetworkAdminRights, will nest the specified OD groups inside the local admin and ard_admin groups.
