Control Apple Remote Desktop Access with Munki

Previously, I posted how to ensure SSH access is enabled with Munki. Another favored (though sorely neglected by Apple) tool to remote control Macs is obviously Apple Remote Desktop.

Note: Apple Remote Desktop access is called ‘Remote Management’ in the Sharing Preference Pane. This also includes access for the Screen Sharing application.

We will use a nopkg setup to control, so we need one script to check wether the configuration needs to be fixed ( and a postinstall script to actually do the fixing (

The install check script first tests wether ardagent process is running, wether the “All Users” access option is turned on, and finally wether our user for remote access (clientadmin in this example, modify for your needs) is in the privileged group.

Paradoxically, the installcheck has to return 1 when everything is ok. (The actuall install does not have to run so the install is aborted.) If any of the settings aren’t as they should be the script returns 0 (installation needs to proceed) and Munki will run the postinstall script.

The postinstall script uses the kickstart tool to setup ARD the way we want it. (In this example we enable access for two admin accounts clientadmin and localadmin, modify to what you need.)

The run makepkginfo to build the pkginfo which tells Munki what to do:

makepkginfo --name=EnableARD \
    --displayname="Enable Apple Remote Desktop" \
    --pkgvers=1.0 \
    --nopkg \ \ \
    --unattended-install > EnableARD.pkginfo

( and need to be in the current working directory, or give the path to the scripts.)

Then copy the pkginfo file to the pkginfo folder on the munki repository (or a subfolder), add EnableARD to a manifest and run makecatalogs.

Run managedsoftwareupdate on a client that has that manifest configured.

Even if a user changes the “Remote Management” setting, the next time Munki runs in the background it should notice the change and set them back with the postinstall script.

Introducing `quickpkg`

This tool will quickly and easily build a package from an installed application, a disk image file or zip archive with an enclosed application bundle. It will also extract the application name and version and use it to name the resulting pkg file.

The tool will look for applications on the first level of the disk image or archive. If it finds no or more than one application it will error.

The name of the resulting package will be of the form {name}-{version}.pkg. Spaces will be removed from the name. The package will be written to the current working directory.

Get the tool at the quickpkg repository.


Build package from installed application:

quickpkg /Applications/

Build package from a disk image:

quickpkg ~/Downloads/Firefox\ 43.0.4.dmg

Build package from a zip archive:

quickpkg ~/Downloads/


OS X has had the pkgbuild tool since Xcode 3.2 on Snow Leopard. With pkgbuild you can directly build a installer package from an application in the /Applications folder:

pkgbuild --component /Applications/ Numbers.pkg

Or even an application inside a mounted dmg:

pkgbuild --component /Volumes/Firefox/ \
         --install-location /Applications \

This tool even does the work of determining a bundle’s identifier and version and sets the identifier and version of the pkg to the same values.

However, while pkgbuild does automatically name the package, it does not include the version, which is important when you tracking many versions of the same application. It also doesn’t automatically look into a dmg file or zip archive.

quickpkg vs autopkg

This tool is not meant to replace autopkg. autopkg will automate the download, the re-packaging (if necessary) and the upload to and configuration of your client management system. It can also handle much more complex setups than quickpkg. autopkg is far superior and should be your tool of choice.

However, there are situations where autopkg does not work well. The most common reason is if the download cannot be automated because the download page is behind a paywall. Also autopkg requires a recipe for a given piece of software. If no recipe exists, quickpkg may be a simple alternative. (Though if quickpkg works, creating an autopkg recipe should not be hard.)


All quickpkg does is identify an application bundle and package it in a way that the package will install that application bundle into the /Applications folder. If the application needs other files (libraries, frameworks, configuration files, license files, preferences etc.) to run and work they are your responsibility.

Creating a Droplet for munkiimport

You can use Automator to build an applet for munkiimport. Then you can just drag and drop pkgs, dmgs and Applications on it to import them.

However, can’t just use do shell script since munkiimport will prompt for some extra information. Instead you can use Terminal’s command do script. While do shell script will execute then given command quietly in the background, do script will open a new Terminal window and run the given command – just what we need.

Open Automator and create a new workflow. Choose ‘Application’ as the template. This template will accept files and folders dropped on it. Add a ‘Run AppleScript’ action and fill in the following code:

on run {input, parameters}
  repeat with x in input
    tell application "Terminal"
      do script "munkiimport" & space & quoted form of POSIX path of (x as alias)
    end tell
  end repeat
  return input
end run

Then save the Automator applet as ‘MunkImport’. (or whatever suites you)

The downside of do script versus do shell script is that you cannot receive and process the result.

Copy all Safari tabs to

I had previously posted about one of my oldest but still frequently used scripts which gathers all tabs from a window into a text list to be pasted in an email or something like that.

I have recently adapted that script to do something new. This new script will gather the tabs in the frontmost Safari window and create a note in the Notes app with all the links (then, presumably, you would want to clean out and close most of the tabs)

Also I learned that the Safari tabs from all your Macs and iOS devices are stored in the `~/Library/SyncedPreferences/` and extended the script to read that instead of grabbing them directly from Safari:

To use it is probably easiest to enable the Script menu (in Script Editor > Preferences) and drop the scripts in the `~/Library/Scripts/Applications/Safari` folder.

MacID adds Scripting Support

MacID is a very useful application which automatically locks a Mac when a paired iOS device moves out of range. It will also offer to unlock the Mac using Touch ID on the device, but I use that part less than I would expect. (You can also unlock with Apple Watch, which is cool.)
The latest update adds scripting support:

You can now extend MacID by dropping AppleScript text files (they MUST be exported as text files) into onSleep, onLock, onWake, onUnlock directories in ~/Application Support/MacID/. MacID will execute these scripts at the respective event. For example, you could pause iTunes when your Mac locks, and resume playing when your Mac unlocks.

To try this, I created a simple AppleScript

tell application "iTunes"
end tell

and saved it as a text AppleScript document in the onUnlock folder. Works as expected!

Typefaces for Terminal and text editing

Many users on Twitter pointed out a new typeface designed for terminals and text editors called Hack. It looks nice but I thought I’d make a list of other useful open source typefaces:

  • Source Code Pro from Adobe is designed for code editing. This is my favorite and I have set it in Terminal and BBEdit. It has many different weights, italics, and also related typefaces Source Sans Pro and Source Serif Pro in case you want proportional typefaces as well. These are regularly updated with minor improvements and new glyphs.

  • Courier Prime is an improvement on the standard Courier typeface. There are also sans serif and code versions available.

  • Hack is the new typeface which inspired this post. The characters seem much larger than similar fonts at the same point size, but according to the page that is intentional.

Hack will be nice to have around, but for now Source Code Pro remains my favorite.

(If you, like me, are curious when to use ‘typeface’ vs ‘font’ then read this helpful article.)

Mount a dmg off a web server

I saw this project by Douglas Nerad which stream lines the bootstrapping installation of Munki, so that you can do it while booted from the Recovery partition. This is useful to inject munkitools on a new Mac without having to go through setting up a user.

The read me recommends to put the script and other resources on a USB key, which works fine, as long you have only one USB key. If you have to share this tool among multiple admins keeping the keys up to date (and in your pocket) can be a pain.

If you put all the resources and the script in an dmg file on a web server, you can run

hdiutil attach http://webserver/path/to/InstallThis.dmg

and then run scripts and installer pkgs from the attached volume.

installer -pkg /Volumes/InstallThis/munkitools2-latest.pkg

Note that you cannot run python scripts from the Recovery partition. It is best to use shell or bash scripts.

Using ShellCheck with BBEdit

Several people I follow in Twitter have pointed a quite useful looking tools called ShellCheck. It will scan shell script code for common problems that may lead to errors later, especially quoting.

However, the script is written in Haskell, which brings with it a rat’s tail of dependencies if you want to install it on your own Mac.

Since I did not want to bother with that I wrote a script that will grab the code from the frontmost BBEdit window and paste it into the webpage:

Drop this in your BBEdit Scripts folder and enjoy!