Scripting SSH off/on without needing a PPPC/TCC profile

You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS.

Now that macOS has Privacy Preferences Policy Control, which needs a profile delivered by a user-approved MDM, you may get this error: setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges., which can be especially annoying if the script’s parent process isn’t code-signed (and thus can’t be used in a PPPC profile), as /usr/sbin/period isn’t, for example. (Read more at Use the systemsetup command-line utility on macOS Catalina 10.15.)

For now, a workaround for this is to simply load or unload the launch daemon that enables/disables SSH: /bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist or /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist

P.S. Since these are things you’re scripting via something like Munki or Jamf, I’m assuming you’re testing the commands as root.






2 responses to “Scripting SSH off/on without needing a PPPC/TCC profile”

  1. tom Avatar

    I’ve also been successful using a Jamf Policy that just runs `jamf startSSH` in the Files and Processes payload.

  2. David Avatar

    Thanks so much for the work around. I messed around a few hours trying to disable SSH through Jamf. Deploying a script using /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist shut down the SSH service. In the System Preferences > Sharing it still showed the Remote Login checkbox was checked but the service was no longer running. Restarting the computer updated the Preference pane and the service remained unavailable.

Leave a Reply

Your email address will not be published. Required fields are marked *