Scripting SSH off/on without needing a PPPC/TCC profile


Posted on September 2, 2020 by alanysiu

You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS.

Now that macOS has Privacy Preferences Policy Control (PPPC), which needs a profile delivered by a user-approved MDM, you may get this error: setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges. This can be especially annoying if the script’s parent process isn’t code-signed (and thus can’t be used in a PPPC profile); /usr/sbin/periodic, for example, isn’t. (Read more at Use the systemsetup command-line utility on macOS Catalina 10.15.)

For now, a workaround is to load or unload the launch daemon directly: /bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist to enable SSH, or /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist to disable it.

P.S. Since these are things you’re scripting via something like Munki or Jamf, I’m assuming you’re testing the commands as root.
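The workaround above as a root-run script that also confirms the result in launchd's override database; this is an added example, not part of the original post. The `com.openssh.sshd` label and the `launchctl print-disabled system` check do not appear in the post, and the `LAUNCHCTL` override variable and function names are this example's own.

```shell
#!/bin/sh
# Added example: toggle Remote Login via launchctl, then confirm the result.
# Run as root. LAUNCHCTL can be overridden to exercise the logic without
# touching a real system (a convenience of this example, not from the post).
LAUNCHCTL="${LAUNCHCTL:-/bin/launchctl}"
SSH_PLIST="/System/Library/LaunchDaemons/ssh.plist"
SSH_LABEL="com.openssh.sshd"   # launchd label of the job defined in ssh.plist

# Reads `launchctl print-disabled system` output on stdin and prints
# "disabled", "enabled" or "unknown" (no override recorded) for sshd.
# Older macOS releases print true/false, newer ones disabled/enabled.
sshd_override_state() {
    awk -v label="\"$SSH_LABEL\"" '
        $1 == label { state = $3 }
        END {
            if (state == "true" || state == "disabled") print "disabled"
            else if (state == "false" || state == "enabled") print "enabled"
            else print "unknown"
        }'
}

# Applies the load/unload workaround, then checks launchd's override
# database instead of trusting the exit status alone.
set_remote_login() {
    case "$1" in
        on)  verb=load;   want=enabled ;;
        off) verb=unload; want=disabled ;;
        *)   echo "usage: set_remote_login on|off" >&2; return 2 ;;
    esac
    "$LAUNCHCTL" "$verb" -w "$SSH_PLIST" || return 1
    got=$("$LAUNCHCTL" print-disabled system | sshd_override_state)
    if [ "$got" != "$want" ]; then
        echo "Remote Login override is $got, expected $want" >&2
        return 1
    fi
    echo "Remote Login $1 (override: $got)"
}

# Only act when invoked as: script.sh on|off
case "${1:-}" in
    on|off) set_remote_login "$1" ;;
esac
```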



2 thoughts on “Scripting SSH off/on without needing a PPPC/TCC profile”

  1. September 1, 2021 at 03:44:02 PM by tom

    I’ve also been successful using a Jamf Policy that just runs `jamf startSSH` in the Files and Processes payload.


  2. October 22, 2021 at 07:59:02 PM by David

    Thanks so much for the workaround. I messed around a few hours trying to disable SSH through Jamf. Deploying a script using /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist shut down the SSH service. In System Preferences > Sharing it still showed the Remote Login checkbox was checked but the service was no longer running. Restarting the computer updated the Preference pane and the service remained unavailable.
