Tips August 12, 2005 at 2:00 pm

Apple Remote Desktop Directory-based Authentication

Directory-based authentication is one of the great gems of Apple Remote Desktop 2, and while it’s not hidden in the documentation, no one seems to have sung its virtues – until now.

Read on for more…You’re going to love how easy this is…

I’m making a couple of assumptions here, so before we start, here they are: you already have ARD 2 installed and set up to administer your client machines with a local account, and you have LDAP set up with your client machines already bound into the domain.

The theory behind this is creating groups in Workgroup Manager, and then adding users who you want to be authorized to use ARD into those groups. There are 4 groups, ard_admin, ard_interact, ard_manage and ard_reports.

ard_admin will have access to all functions of ARD, ard_interact is simply interaction (like you’d get with VNC alone) with the client, ard_manage allows for more advanced features, and ard_reports can only generate reports from the ARD clients. For a clearer idea, check out the Interact, Manage and Reports items in the menubar of ARD.

Create your groups in Workgroup Manager – you don’t need to add all 4, you can pick and choose which you would like, and they can be created with any GID, it’s only the name which must be exact. Then add your ARD administrative users to their appropriate groups.

To set up the clients, you can either create your own Client Installer, or you can change your existing client settings (under the Manage menu bar item). Using “Change Client Settings” as an example, click through the screens until you get to the “Incoming Access” screen. From here click the “Set authorized groups to:” checkbox. Continue through the remaining screens once you’ve done this, and you’ll be able to apply these settings to the machines you selected.

Do check out some of the other options you can apply to your client machines using this tool; it allows you to set up or remove local admin users, and to set up other tools like openWBEM.

Once you’ve pushed out these settings to your clients, set up the computers you wish to manage in ARD, and put yourself into one of the ard_* groups, you can use your own username and password to add the clients to your computer lists. This will also make your administrative life much easier if you want different ARD users to have different abilities.
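Because ARD matches the four group names exactly, a quick audit of who actually lands in each group before you push the client settings is worth having. The script below is an added example, not part of the original post: it takes `GroupMembership` lines of the kind `dscl` prints for each group (the directory node and server name you would read them from are placeholders, and the data here is a constructed sample embedded so it runs offline), reports which recognised ard_* groups a user belongs to, flags whether the user has full ard_admin access, and lists any group whose name looks like an ARD group but will be ignored because it is misspelled.

```shell
#!/bin/sh
# Added example (not from the original post): audit ARD directory-group
# membership. In production each line would come from something like
#   dscl /LDAPv3/ldap.example.com -read /Groups/ard_admin GroupMembership
# (server name is a placeholder); here the output is a constructed sample.

# Constructed sample: "group: members" per group, as dscl would print the
# GroupMembership attribute. "ard-reports" is deliberately misspelled
# (hyphen instead of underscore) to show that ARD would not recognise it.
SAMPLE_GROUPS='ard_admin: alice
ard_interact: bob carol
ard_manage: carol dave
ard-reports: erin'

# The four group names ARD recognises; the names must match exactly.
ARD_GROUPS="ard_admin ard_interact ard_manage ard_reports"

# is_valid_group NAME -> success if NAME is one of the four recognised groups
is_valid_group() {
    for g in $ARD_GROUPS; do
        if [ "$1" = "$g" ]; then return 0; fi
    done
    return 1
}

# groups_of USER [DATA] -> prints each recognised ard_* group USER belongs to
groups_of() {
    user="$1"
    data="${2:-$SAMPLE_GROUPS}"
    printf '%s\n' "$data" | while IFS= read -r line; do
        group="${line%%:*}"
        members="${line#*:}"
        is_valid_group "$group" || continue   # misspelled groups grant nothing
        for m in $members; do
            if [ "$m" = "$user" ]; then printf '%s\n' "$group"; fi
        done
    done
}

# has_full_access USER [DATA] -> success if USER is in ard_admin
has_full_access() {
    for g in $(groups_of "$1" "${2:-$SAMPLE_GROUPS}"); do
        if [ "$g" = "ard_admin" ]; then return 0; fi
    done
    return 1
}

# unrecognised_groups [DATA] -> prints group names starting with "ard" that
# ARD will ignore because they do not match one of the four exact names
unrecognised_groups() {
    printf '%s\n' "${1:-$SAMPLE_GROUPS}" | while IFS= read -r line; do
        group="${line%%:*}"
        case "$group" in
            ard*) is_valid_group "$group" || printf '%s\n' "$group" ;;
        esac
    done
}

# Stand-alone run: report on the constructed sample.
for u in alice bob carol dave erin; do
    printf '%s: %s\n' "$u" "$(groups_of "$u" | tr '\n' ' ')"
done
printf 'ignored groups: %s\n' "$(unrecognised_groups | tr '\n' ' ')"
```

Run it as-is to see the report for the sample, or replace `SAMPLE_GROUPS` with real `dscl` output piped in through the optional second argument of `groups_of`. The user `erin` shows up in no group, which is exactly what would happen on a real client if the group had been created as `ard-reports`.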

About

Andrina Kelly is responsible for anything and everything touched by, or connected to, a Mac at Bell Media, Canada's premiere multimedia company. You may recognize her name from the end credits of Canada's evening news broadcast. She has previously spoken at MacSysAdmin, JAMF National Users Conference, Apple's WWDC, Macworld IT conferences, Mac Networkers Retreat, and Canada MacExpo.


  • and remember you can do this via the cli, with:


      kickstart -configure -clientopts -setdirlogins -dirlogins yes -setdirgroups -dirgroups ardadmin,ardcontrol


    -setdirgroups is optional, I’m pretty sure that it just grabs the defaults the
    same way the article states.

    Now if we could only come up with a decent way to Kerberize all workstations
    and ARD, so that those strict rotating password policies don’t end up meaning
    your password keeps needing to be updated in ARD… 🙂

    This is great though, once ARD could do this, we were able to banish all local
    users from our lab images altogether.

  • In our Active Directory environment, we can’t seem to get ARD management
    using Directory Services on Tiger. It works beautifully in Panther, but simply
    won’t work in Tiger. Anyone know what’s up?

    We bind the Macs to Active Directory, add the groups "ard_manage" and
    "ard_reports" to Active Directory, put the custom plist on the clients, and then
    try to manage the clients using ARD as a user in the AD groups.

    • We run Tiger exclusively and this is what I have found out about directory based auth with ARD.

      We created the group ard_admin in WGM. If I try to nest an AD group in there ARD won’t auth correctly. But if I populate the ard_admin group with AD user accounts we have no trouble authing to the directory in ARD.

      Of course we did have to reconfigure the clients to accept directory authentication.

      Hopefully this will help someone out there!
