Disable Remote Management

What the Remote Management disabler does

This Automox Worklet™ disables Remote Management on macOS endpoints by deactivating Apple's ARDAgent (Apple Remote Desktop Agent) process. The Worklet uses the built-in kickstart command-line utility to stop the remote management service and prevent future activation of remote access features.

Remote Management in macOS provides convenient access to system preferences and remote administration capabilities, but it also exposes endpoints to potential security risks if not properly controlled. The Worklet targets the core service responsible for handling all Apple Remote Desktop communications.

Why prevent unauthorized remote management

Remote management services in macOS provide extensive control over endpoints, including screen sharing, file access, and command execution. When enabled without proper authentication controls, these services allow attackers who gain network access to completely compromise affected endpoints. Remote management vulnerabilities have been exploited in numerous security incidents to gain administrative access.

Organizations using modern endpoint management platforms like Automox do not need legacy Apple Remote Management services enabled. Keeping these older remote access mechanisms active creates redundant access paths that increase your attack surface. Disabling remote management eliminates this risk while maintaining full endpoint control through your chosen management platform.

Compliance frameworks require organizations to document and control all remote access methods to endpoints. Legacy remote management services that remain enabled without business justification create compliance gaps and increase the complexity of security audits.

How Remote Management disabling works

1. Evaluation phase: The Worklet checks whether the ARDAgent process is currently running on the endpoint using the pgrep command, which searches for active processes by name. If ARDAgent is found, remediation is triggered.

2. Remediation phase: The Worklet executes the kickstart utility with the -deactivate and -stop flags to disable the ARDAgent service. The kickstart tool is located at /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/ and is Apple's standard method for managing Remote Management settings from the command line.

Remote Management disabling requirements

• macOS endpoint with bash shell support

• Sufficient permissions to access /System/Library/CoreServices/RemoteManagement/

• Works on macOS endpoints where Remote Management is enabled or disabled (safe to run either way)

Expected remote access behavior

After remediation, Apple Remote Management services are completely disabled on affected macOS endpoints. Remote users cannot access the endpoint through Apple's built-in remote management protocols. Your organization's approved endpoint management platform continues functioning normally without interruption.

The Worklet verifies remote management is disabled through its evaluation phase. IT operations teams can confirm the setting by checking System Preferences under Sharing or reviewing Worklet execution results in the Automox console.

How to validate disable remote management changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable remote management.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as pgrep, exit, else.

4. Validate remediation effects from script operations such as pgrep, eval, else, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for disable remote management. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as pgrep, exit, else and remediation operations such as pgrep, eval, else. Use these indicators to verify that endpoint changes match intended policy outcomes.