Scripting SSH off/on without needing a PPPC/TCC profile

Posted on September 2, 2020 by alanysiu

You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS.

Now that macOS has Privacy Preferences Policy Control (PPPC), which needs a profile delivered by a user-approved MDM, you may get this error instead: setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges. That can be especially annoying if the script’s parent process isn’t code-signed (and thus can’t be used in a PPPC profile); /usr/sbin/period, for example, isn’t. (Read more at Use the systemsetup command-line utility on macOS Catalina 10.15.)

For now, a workaround for this is to simply load or unload the launch daemon that enables/disables SSH: /bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist or /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist

P.S. Since these are things you’re scripting via something like Munki or Jamf, I’m assuming you’re testing the commands as root.
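
The workaround above, wrapped in a function that confirms the daemon's actual state afterwards, since the Sharing pane can keep showing Remote Login as checked after an unload. This is an added example, not code from the original post; the job label com.openssh.sshd, the LAUNCHCTL override variable and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. The launchctl verbs and plist path
# are the ones quoted above; the job label com.openssh.sshd, the LAUNCHCTL
# override and the function names are assumptions of this example.

LAUNCHCTL="${LAUNCHCTL:-/bin/launchctl}"
SSH_PLIST="/System/Library/LaunchDaemons/ssh.plist"
SSH_LABEL="com.openssh.sshd"

# Succeeds (exit 0) only when launchd currently has the sshd job loaded.
ssh_job_loaded() {
    "$LAUNCHCTL" list "$SSH_LABEL" >/dev/null 2>&1
}

# set_remote_login on|off
# Returns 0 when the verified state matches the request, 1 when it does not,
# 2 when not running as root, 64 on bad usage.
set_remote_login() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "set_remote_login: must run as root" >&2
        return 2
    fi
    case "$1" in
        on)  "$LAUNCHCTL" load -w "$SSH_PLIST" 2>/dev/null || true ;;
        off) "$LAUNCHCTL" unload -w "$SSH_PLIST" 2>/dev/null || true ;;
        *)   echo "usage: set_remote_login on|off" >&2; return 64 ;;
    esac
    # Judge success by the job's state, not by launchctl's exit status or the
    # Sharing pane checkbox.
    if ssh_job_loaded; then actual=on; else actual=off; fi
    if [ "$actual" != "$1" ]; then
        echo "set_remote_login: wanted $1 but sshd job is $actual" >&2
        return 1
    fi
    echo "Remote Login is $actual"
}

# Run only when called with an argument, e.g. from a Munki or Jamf script.
if [ "$#" -gt 0 ]; then
    set_remote_login "$1"
fi
```

A non-zero exit lets the management tool report the policy as failed when the requested state did not take effect.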



2 thoughts on “Scripting SSH off/on without needing a PPPC/TCC profile”

  1. September 1, 2021 at 03:44:02 PM by tom

    I’ve also been successful using a Jamf Policy that just runs `jamf startSSH` in the Files and Processes payload.


  2. October 22, 2021 at 07:59:02 PM by David

    Thanks so much for the workaround. I messed around a few hours trying to disable SSH through Jamf. Deploying a script using /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist shut down the SSH service. In the System Preferences > Sharing it still showed the Remote Login checkbox was checked but the service was no longer running. Restarting the computer updated the Preference pane and the service remained unavailable.



Alan Siu's Blog