Enable Remote Management on OS X

(imported topic written by rzm10291)

I’m trying to create a fixlet for enabling Remote Management on OS X 10.4-10.6

I can’t get my relevance to work. When Remote Management is enabled there is a process running. On 10.4 machines it is “ARDAgent -psn_0_2621441”. The string of numbers changes for each machine. 10.4 machines also have an “ARDHelper” process running. On 10.5+ machines the process is “ARDAgent”.

My thought was to create a relevance to check for these running processes and enable remote management if it’s not running. Here’s the relevance I came up with:

(name of operating system = Mac OS X AND if (system version >= 10.5) then (NOT (exists process whose (name of it = ARDAgent))) else (NOT (exists process whose (name of it = ARDHelper))))

This does not work. It shows machines that are 10.5 and are running the “ARDAgent” process. How would I write a relevance that would check for the processes on these OS machines that are running these “ARDAgent” processes?

When I get the correct relevance, the script is a bash command:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all

The bash command is tested and works well.

Thanks

Rusty

(imported comment written by MattBoyd)

Rusty,

Your relevance is on the right track, but has a few syntax errors. Any string values should be encased in double-quotes. I rewrote it for you. Please give this a try:

if (name of operating system = "Mac OS X") then (if (system version >= "10.5") then (not exists process whose (name of it = "ARDAgent")) else (not exists process whose (name of it = "ARDHelper"))) else (false)

It should only be relevant for 10.5+ machines that do not have ARDAgent running, and <10.5 machines that do not have ARDHelper running.

I’m not sure if there is a better way to query the status of ARD on the Mac (Me != Mac admin), but that relevance should work for checking those processes (and I did test it on a Mac that had ARDAgent running).

(imported comment written by rzm10291)

Boyd, Thanks for the reply.

I also poked around today and I think this is working:

(name of operating system = "Mac OS X") AND (NOT (exists process whose (name of it starts with "ARDAgent")))

I’m not certain that this works, but I appreciate the alternate relevance for my testing.

This was my first relevance and I’m starting to get the hang of writing them, but I’m having trouble figuring out how to test for these things on the Mac, don’t really know where to go for help on that!

Cheers!

Rusty

(imported comment written by MattBoyd)

Hey Rusty,

I’m not sure if you’re using the relevance debugger for Mac, but it could save you some time testing/debugging your relevance code: http://forum.bigfix.com/viewtopic.php?id=3762 .

I usually try relevance out on one or two machines using the relevance debugger before adding it to a Fixlet/Task.

(imported comment written by rzm10291)

Wow, I was NOT using that! I couldn’t find it, but I did try the Windows versions. Thanks for the information! Let me know if there are any Mac specific resources, I’m very new!

Cheers,

Rusty

(imported comment written by rzm10291)

Reviving this thread because I realized I made an error when creating the relevance. The relevance will tell me if remote management is on or not, but it doesn’t tell me if the etcadmin account that I’m enabling as the authorized remote management account is created. So on a laptop that didn’t have the etcadmin account, the remote management was enabled, but I couldn’t get into the machine! I could change the remote management command to allow all users to control the machine, but I only want machines that have the etcadmin account.

So, here’s what I did with the relevance:

(name of operating system = "Mac OS X" AND (NOT (exists process whose (name of it starts with "ARDAgent"))) AND ((exists file "/var/db/dslocal/nodes/Default/users/etcadmin.plist") OR (exists file "/etc/httpd/users/etcadmin.conf")))

The issues I have are with the different ways accounts were stored between 10.4 and 10.5+. 10.5+ uses plist files in /var/db/dslocal/nodes/Default/users for all users on the machine. 10.4 does not, and it doesn’t look like it’s easy to determine if the account is created. I see that a httpd configuration file is created for the user when it’s made, so I made my relevance off that file’s existence.

This all seems unnecessary to me because I would have expected that BigFix could tell if a user is already created on the machine. I see that BigFix can tell who the current user logged in is, can it determine if a user account is created on the machine too?

If not, and in addition to this question, can I run shell commands within relevance and use the output in if/then statements?

(imported comment written by jcampbell91)

If you are just looking to determine if a user exists on a system, you can use the following relevance.

(exists user "etcadmin")

This should work regardless of the version of the OS you are running.

(imported comment written by rzm10291)

Yes, that’s what I was looking for, Thanks!

Now relevance is:

(name of operating system = "Mac OS X") AND (not exists process whose (name of it starts with "ARDAgent")) AND (exists user "etcadmin")

where etcadmin is the short name of the user I want to exist before the relevance is true.
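
The final relevance above, mirrored as a shell check that can be run on a Mac to confirm what the fixlet should report; this is an added example, not code from the thread. The function name `fixlet_relevant`, the sample process lists and the use of `root` as a stand-in for an existing account are constructed for illustration, and it assumes process names are supplied one per line (for instance from `ps -axc -o command`).

```shell
#!/bin/sh
# Added example (not from the thread): local cross-check of the final relevance.
# On a Mac:  ps -axc -o command | fixlet_relevant "$(uname -s)" etcadmin

# fixlet_relevant OS_NAME SHORT_USER   (process names, one per line, on stdin)
# Exit status 0 means the fixlet should apply to this machine.
fixlet_relevant() {
    os=$1
    user=$2
    # name of operating system = "Mac OS X"  (uname -s reports Darwin on OS X)
    [ "$os" = "Darwin" ] || return 1
    # not exists process whose (name of it starts with "ARDAgent")
    # A prefix match covers both "ARDAgent" (10.5+) and "ARDAgent -psn_..." (10.4).
    if grep -q '^ARDAgent'; then
        return 1
    fi
    # exists user "etcadmin": id resolves the short name on every OS X version
    id "$user" >/dev/null 2>&1
}

# Constructed sample process lists (not captured from real machines).
TIGER_ON='launchd
ARDAgent -psn_0_2621441
ARDHelper'
LEOPARD_OFF='launchd
loginwindow'

# report LABEL PROCESS_LIST USER: print the decision for one sample machine
report() {
    if printf '%s\n' "$2" | fixlet_relevant Darwin "$3"; then
        echo "$1: relevant (Remote Management would be enabled)"
    else
        echo "$1: not relevant"
    fi
}

report "10.4, ARD already on" "$TIGER_ON" root
report "10.5+, ARD off, account present" "$LEOPARD_OFF" root
report "10.5+, ARD off, account missing" "$LEOPARD_OFF" no_such_user_example
```

The third case is the one that locked the laptop out earlier in the thread: the account check keeps the fixlet from enabling Remote Management where the authorized account does not exist.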