Alan Siu's Blog

Scripting SSH off/on without needing a PPPC/TCC profile

You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS.

Now that macOS has Privacy Preferences Policy Control, which needs a profile delivered by a user-approved MDM, you may get this error: setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges., which can be especially annoying if the script’s parent process isn’t code-signed (and thus can’t be used in a PPPC profile), as /usr/sbin/period isn’t, for example. (Read more at Use the systemsetup command-line utility on macOS Catalina 10.15.)

For now, a workaround for this is to simply load or unload the launch daemon that enables/disables SSH: /bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist or /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist

P.S. Since these are things you’re scripting via something like Munki or Jamf, I’m assuming you’re testing the commands as root.

Posted

in

by

alanysiu

Tags:

, ,

Comments

2 responses to “Scripting SSH off/on without needing a PPPC/TCC profile”

  1. tom Avatar
    tom

    I’ve also been successful using a Jamf Policy that just runs `jamf startSSH` in the Files and Processes payload.

    Reply
  2. David Avatar
    David

    Thanks so much for the work around. I messed around a few hours trying to disable SSH through Jamf. Deploying a script using /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist shut down the SSH service. In the System Preferences > Sharing it still showed the Remote Login checkbox was checked but the service was no longer running. Restarting the computer updated the Preference pane and the service remained unavailable.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *