The commands in this article work with Apple Remote Desktop 3.2 and later.
Restart the ARD Agent and helper:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes
Turn on Remote Desktop Sharing, allow access for specified users:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
You must use the -configure, -access, and -privs options in a separate command to specify the set of users and their access privileges. For example, this command is for users with the short names "teacher" and "student". It gives them access to observe (but not control) the computer, and to send text messages:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users teacher,student -access -on -privs -ControlObserve -ObserveOnly -TextMessages
Unlike other kickstart options, you can’t combine the allowAccessFor options with other kickstart options. You must use it as in the last two samples above. You might have to call kickstart more than once to finish a computer’s setup.
Remove access privileges for specified users ("student" in this example):
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users student -access -off
Disable ARD Agent and remove access privileges for all users:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
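Added example, not part of the original article and not Apple's code: a dry-run helper that prints the two separate kickstart calls for a specified-users grant, plus the matching rollback, so the commands can be reviewed before anyone runs them. The function names, the short-name character rule and the privilege allow-list (limited to the three flags shown above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (never run) the kickstart calls for a least-privilege
# ARD grant to named users, plus the matching rollback.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
# Privilege flags that appear in the article; anything else is refused.
ALLOWED_PRIVS="-ControlObserve -ObserveOnly -TextMessages"

# valid_users LIST: comma-separated short names. Assumption of this example:
# names use only letters, digits, '_', '.' and '-', and never start with '-',
# so a name cannot be parsed as a kickstart option or as shell syntax.
valid_users() {
    case "$1" in
        ''|-*|,*|*,|*,,*|*,-*) return 1 ;;
        *[!A-Za-z0-9_.,-]*) return 1 ;;
    esac
    return 0
}

# valid_privs FLAG...: at least one flag, each one on the allow-list.
valid_privs() {
    [ "$#" -gt 0 ] || return 1
    for p in "$@"; do
        case " $ALLOWED_PRIVS " in
            *" $p "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# plan_grant USERS FLAG...: -allowAccessFor goes in its own call; a second
# call names the users and their privileges.
plan_grant() {
    valid_users "${1-}" || { echo "rejected user list" >&2; return 2; }
    users=$1; shift
    valid_privs "$@" || { echo "rejected privilege flag" >&2; return 2; }
    echo "sudo $KICKSTART -activate -configure -allowAccessFor -specifiedUsers"
    echo "sudo $KICKSTART -configure -users $users -access -on -privs $*"
}

# plan_revoke USERS: the rollback for plan_grant.
plan_revoke() {
    valid_users "${1-}" || { echo "rejected user list" >&2; return 2; }
    echo "sudo $KICKSTART -configure -users $1 -access -off"
}

# Constructed sample input: the article's two users and three flags.
plan_grant teacher,student -ControlObserve -ObserveOnly -TextMessages
plan_revoke student
```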
Friendly reminder to roll back permissions slowly and see if it still works. Make it work, make it right, make it fast, make it secure.
Either that or after the configuration is finished roll back the FDA modifications entirely. Probably the easier/better choice in this scenario since it sounds session specific.
That sounds pretty cool, so you're essentially using Ansible as stand-in asset management, which has the added benefit of helping to configure with freedom of connectivity versus assuming ownership over the system and having it enrolled into something like an MDM in order to configure (which possibly brings a whole can of worms). Very neat.
Also lets you do highly customized one-offs, and auth independently if it's owned by someone else or needs independent credentials.