sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
The commands in this article work with Apple Remote Desktop 3.2 and later.
Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes
Turn on Remote Desktop Sharing, allow access for specified users:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
You must use the -configure, -access, and -privs options in a separate command to specify the set of users and their access privileges. For example, this command is for users with the short names "teacher" and “student." It gives them access to observe (but not control) the computer, and to send text messages:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users teacher,student -access -on -privs -ControlObserve -ObserveOnly -TextMessages
Unlike other kickstart options, you can’t combine the allowAccessFor options with other kickstart options. You must use it as in the last two samples above. You might have to call kickstart more than once to finish a computer’s setup. Remove access privileges for specified users ("student" in this example):
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users student -access -off
Disable ARD Agent and remove access privileges for all users:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
Yeah, that's my best guess. I don't have a Mac at home to verify, and can't experiment too much on the remote boxes (we're running VMs for the Ansible Core CI there so it's not really acceptable). Maybe, if I manage to get one, I'll try to reproduce this to verify. The upgrade originated on MacOS X 10.15 so that's a difference of many versions in between, crossing that 12.3 boundary additionally. For a regular SSH session, I think, granting FDA to
/bin/zsh
while you still have VNC or local access, might do the trick.This is not really spelled out anywhere on the internet so I wanted to make sure these findings don't get lost. Most people mass-managing macs would use MDM to set up FDA, but it's not doable for us since our use case is in between "a user is managing their one Mac with unrestricted access to the local session when needed" and "an IT department managing thousands of end-users' Macs".