Apple added more security to screen sharing, so the default behavior restricts all but local users from enabling this feature. With an MDM, admins can automate this process.
MacOS Mojave focused on securing macOS features by restricting what permissions apps have to the user’s system and, more importantly, the data it contains. One example of these types of restrictions set by default is when enabling the screen sharing protocol that allows IT to provide end-users with hands-on support when troubleshooting issues affecting their devices. The new security features still permit IT to enable the function, but in read-only mode.
This feature, while meant to secure users against unauthorized access to their systems, works against IT in that end users are now required to authorize full admin access to their systems by clicking a small button found in the System Preferences pane. It’s not easily found, and potentially frustrating for both users and IT. Even when enabled through Mobile Device Management (MDM), the feature is still restricted by default, making it troublesome for admins as well.
SEE: Cheat sheet: Apple macOS Catalina (free PDF) (TechRepublic)
As with everything in computers, there is another way to not only enable this feature but do so with the administrative powers needed to properly assist users with their devices. I’ll show you how to go about this. Bear in mind it’s a multi-step process so you’ll need to follow all the steps to get it working.
How to configure Privacy Preferences Policy Control
1. Log into your MDM server and navigate to Configuration Profiles to create a new profile and give it a name.
2. Select the Privacy Preferences Policy Control and add that to the profile, using the Indentifier of “com.apple.screensharing.agent.”
3. Select Bundle ID as the Identifier Type and enter “Identifier “com.apple.screensharing.agent” and anchor apple” as the Code Requirement.
4. Select “PostEvent” as the App or Service and select Access to “Allow,” then save your configuration profile.
5. Lastly, scope the configuration profile to target the devices you wish to manage remotely.
Kickstart script deployment
Some MDMs offer a way to enable screen sharing automatically via a pre-configured setting. If your MDM solution supports this, feel free to apply that to all your target devices. Otherwise, you can create a policy that will enforce a script to run at multiple intervals to ensure that devices have screen sharing enabled and configured for IT access.
1. Use the script below to enable screen sharing and allow access for all users:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes
2. Though optional, it is recommended to append the script with the line below that will restart the agent–not the computer–so that the new settings will be enabled immediately instead of waiting until the device reboots:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
Note: Different MDMs have their own ways to configure policies and how to trigger them. It may be a good rule of thumb to set multiple triggers, such as during inventory updates or logins, to ensure devices always have this setting configured properly.