Set access privileges

You can set access privileges at each client computer using Sharing preferences, or if you use OS X Server, you can do it remotely from an administrator computer.

To make changes on a client, you must use the name and password of a user with administrator privileges on the computer.

Set access privileges at client computers

To prepare a client computer for administration, you enable Remote Management and set administrator access privileges in Sharing preferences. You can set access privileges for all users or specific user accounts.

You can skip this task if you create a custom installer package that automatically enables client settings.

  1. On the client computer, choose Apple menu > System Preferences, then click Sharing.

  2. In the Sharing pane, select Remote Management.

  3. To allow access for all users with an account on the computer, select “All users.”

    All users are given the same access privileges.

  4. To allow access for specific users or to give users specific access privileges, select “Only these users,” then select a user in the list. If you need to add a user, click Add, select the user, then click Select.

  5. Click Options.

  6. Select the access privileges you want to give, then click OK. (To select all options at once, hold down the Option key while clicking an option.)

    Your changes take effect immediately.

  7. If you’re changing access for specific users, repeat steps 4–6 for each user.

Change client administrator privileges

You can check and change the administrator privilege settings of client computers using Remote Desktop.

After you add client computers to a computer list, you can use the Change Client Settings command to change their administrator access privileges.

To maintain a secure Remote Desktop environment, regularly review administrative settings. You can also assign limited privileges to certain users so they can only do specific tasks, thus reducing the chances that subadministrators can do harm.

If you’re using directory services to designate administrator privileges, you don’t need to change the settings on the clients.

You don’t need to make a selection on every page of the Change Client Settings assistant. You can click Continue to move to the next set of settings.

  1. In the Remote Desktop window, select a computer list, then select one or more computers.

  2. Choose Manage > Change Client Settings, then click Continue.

  3. In Starting Remote Desktop, select the following options, then click Continue.

    • Choose whether to start remote management at system startup.

    • Choose whether to hide or show the Remote Desktop menu bar icon.

  4. In User Accounts, choose whether to create a new user that can administer the computer using Remote Desktop, then click Continue.

    Creating a new user account with Remote Desktop administrator privileges doesn’t overwrite existing user accounts or change existing user passwords on the client computer.

    If you choose not to create a new user account, skip to step 6.

  5. In Users to be Created, click Add, then enter the user’s name and password. When you finish adding users, click Continue.

  6. In Incoming Access, choose which users to give administrator access privileges by doing one of the following:

    • Select “Enable directory-based administration” to give access to users with accounts in a specified group on a directory server. For information, see Enable directory services group authorization.

    • Select “Set Remote Desktop access mode” to choose whether to give uniform remote management access privileges to all local users, or to give access to specific local users. If you deselect this, the client computer’s settings are used.

    • Choose whether you want to set remote management access privileges for specific users. If you choose not to set remote management access privileges for specific users, skip to step 8.

  7. In Access Privileges, click Add to add a user, or select an existing user and click Edit. Provide the user’s short name and set the privileges. Then click Continue.

    For information, see About access privileges.

  8. In Screen Sharing Options, do the following, then click Continue.

    • Choose to allow temporary access to a guest administrator when the administrator requests permission on the client computers.

    • Choose whether to allow computers running non-Apple VNC software to control the client computers.

    For information, see Virtual network computing access and control.

  9. In System Data, enter information about this computer that you want to appear in System Overview reports. For example, you can enter a serial number, asset tag number, or a user’s name. Then click Continue.

  10. Review your settings, and choose to execute the change using the app or a dedicated Task Server. Then click Change.

    For information, see Configure a remote Task Server.

    The client configuration assistant contacts all selected computers and changes their administration settings.

Set access privileges using directory services

If the client computers are bound to a directory service, you can grant Remote Desktop administrator access to specific groups in the directory without enabling any local users.

You can grant access using named groups from your Directory Services master domain, so you don’t have to add users and passwords for authorization. When Directory Services authorization is enabled on a client, the user name and password an administrator enters when authenticating to the computer are checked in the directory. If the name belongs to one of the Remote Desktop access groups, the administrator is granted the access privileges assigned to the group.

  • Do one of the following:

    • Use predefined groups with names that correspond to the privilege keys: ard_admin, ard_interact, ard_manage, and ard_reports.

      If the groups don’t already exist in the directory, you can create new groups with the reserved names.

      The group names correspond to Managed Preferences keys and have the same privileges as the key. The corresponding privileges are automatically assigned to these specially named groups. There’s no need to add the Managed Preferences key to the group record.

    • Create groups and assign them privileges through the MCXSettings attribute on any computer record, any computer group record, or the guest computer record.

    Management privilege       ard_admin   ard_reports   ard_manage   ard_interact
    Generate reports           X           X             X
    Open and quit apps         X                         X
    Change settings            X                         X
    Copy items                 X                         X
    Delete and replace items   X                         X
    Send messages              X                         X            X
    Restart and shut down      X                         X
    Control                    X                                      X
    Observe                    X                                      X
    Show being observed        X                                      X
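As an added example (not from Apple's documentation or the Remote Desktop product), the following Python audit applies the advice above to review administrative settings regularly, and uses the group table above to work out what each directory group listed on a client grants. It assumes the preference key names ARD_AllLocalUsers, DirectoryGroupLoginsEnabled, DirectoryGroupList, VNCLegacyConnectionsEnabled and ScreenSharingReqPermEnabled as I know them from a client's com.apple.RemoteManagement preferences; the plist it reads is constructed for the example, so verify the keys against a real client before relying on the results.

```python
import plistlib

# Privileges each reserved directory group grants, transcribed from the
# table above (ard_admin holds every privilege in the table).
GROUP_PRIVS = {
    "ard_reports": {"Generate reports"},
    "ard_manage": {
        "Generate reports", "Open and quit apps", "Change settings",
        "Copy items", "Delete and replace items", "Send messages",
        "Restart and shut down",
    },
    "ard_interact": {"Send messages", "Control", "Observe", "Show being observed"},
}
GROUP_PRIVS["ard_admin"] = GROUP_PRIVS["ard_manage"] | GROUP_PRIVS["ard_interact"]

# Privileges that hand an administrator the user's screen; the page calls
# screen control the most powerful feature in Remote Desktop.
SCREEN_PRIVS = {"Control", "Observe"}


def effective_privileges(groups):
    """Union of the privileges granted by every reserved ARD group in `groups`.
    A name outside the four reserved groups grants nothing here."""
    privs = set()
    for group in groups:
        privs |= GROUP_PRIVS.get(group, set())
    return privs


def audit(plist_bytes):
    """Return review findings for a com.apple.RemoteManagement plist.
    The key names are an assumption (verify against a real client); an empty
    list means none of the checked settings is in its broadest state."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    if prefs.get("ARD_AllLocalUsers"):
        findings.append("all local users share one set of Remote Management privileges")
    if prefs.get("VNCLegacyConnectionsEnabled"):
        findings.append("non-Apple VNC software may control this computer")
    if prefs.get("ScreenSharingReqPermEnabled"):
        findings.append("guest access: anyone may request permission to control the screen")
    if prefs.get("DirectoryGroupLoginsEnabled"):
        for group in prefs.get("DirectoryGroupList", []):
            if group not in GROUP_PRIVS:
                findings.append(
                    f"directory group '{group}' is not a reserved ARD group; review its MCXSettings")
            elif GROUP_PRIVS[group] & SCREEN_PRIVS:
                findings.append(f"directory group '{group}' grants screen control or observation")
    return findings


# Constructed sample preferences (not captured from a real client).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ARD_AllLocalUsers</key><true/>
  <key>DirectoryGroupLoginsEnabled</key><true/>
  <key>DirectoryGroupList</key>
  <array><string>ard_admin</string><string>ard_reports</string></array>
  <key>VNCLegacyConnectionsEnabled</key><true/>
  <key>ScreenSharingReqPermEnabled</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLIST):
        print("REVIEW:", finding)
    # A user in ard_reports and ard_interact gets the union of both columns.
    print(sorted(effective_privileges(["ard_reports", "ard_interact"])))
```

To run it against a real client, read the preferences file in binary mode and pass the bytes to audit(); plistlib accepts both XML and binary plists. Only the four reserved group names are mapped, so any other group in the list is flagged for manual review of the privileges assigned through its MCXSettings attribute.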

Enable Remote Desktop guest access

Allow one-time access to a Remote Desktop administrator who doesn’t have a user name or password for the client computer.

Each time the Remote Desktop administrator wants to control the client computer, the administrator must request permission.

WARNING: Granting access to control a screen is the most powerful feature in Remote Desktop, and it allows unrestricted access.

  1. On the client computer, choose Apple menu > System Preferences, then click Sharing.

  2. Select Remote Management in the list at the left.

  3. Click Computer Settings.

  4. Select “Anyone may request permission to control screen.”

  5. Click OK.

Choose what a nonadministrator can do

You can control what a nonadministrator can do when using Remote Desktop.

When a nonadministrator opens Remote Desktop, it operates in user mode. You can control which tasks a nonadministrator can perform in this mode. For example, you might not allow nonadministrators to copy or delete files, but you might allow them to observe screens and send messages.

Changing what a nonadministrator can do is no substitute for enabling proper access privileges in the Sharing pane of System Preferences on the client computer. For information, see About access privileges.

Each task can be enabled independent of the others, or you can enable all Remote Desktop features for nonadministrator users. Make sure you’re logged in as an administrator user.

  1. Choose Remote Desktop > Preferences.

  2. Click Security.

  3. Select “Access restricted to the following features” to enable or disable features.