Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

MacOS: Login screen not controllable? #1459

Open n9yty opened 4 years ago

n9yty commented 4 years ago

I installed the agent and was using it fine. I logged out and the screen went black. Disconnecting/reconnecting to the screen shows the login screen, but it doesn't respond to mouse or keyboard input. I could not find if this is known or not, not as much information about the Mac agent.

This is in the latest install (everything just installed tonight) and MacOS 10.13.6. Once I log in on the machine (physically) control starts working again.

krayon007 commented 4 years ago

Yes, it's a known issue. On later versions of macOS, I forget which version it started, it might have been Sierra or High Sierra, apple started blocking access to remote injection on the login screen. Therefore, it is currently not possible to control the mouse or keyboard remotely while nobody is logged in, on those versions of macOS.

n9yty commented 4 years ago

Interesting, Apple Remote Desktop does it, but then again, Apple can do what Apple wants to do. Thanks for acknowledging it, it is much appreciated. This was on 10.13.6 by the way.

krayon007 commented 4 years ago

Yes, Apple Remote Desktop does allow it. I figured you could always tunnel an Apple Remote Desktop session thru mesh, similar to what you can do with RDP on windows, so I didn't worry too much about it.

Ylianst commented 4 years ago

One way I could get around this is for me to add support for noVNC in MeshCentral. This would allow users to VNC into a macOS machine from the web page.

krayon007 commented 4 years ago

@Ylianst just deployed noVNC support. If you click on your mac in the Mesh Central UI, click on the noVNC link at the bottom of the page, and it will connect to your mac... On your mac, as long as you enabled VNC Password, it will work.

I tested it on Mojave, when no users were logged in... You click noVNC, and enter in the VNC password you set... Then it will show the macOS login page, where you enter in your macOS credentials, and it will login

Once logged in, you can either continue to use noVNC, or you can switch to the Mesh Remote Desktop.


krayon007 commented 4 years ago

VNC can be pretty slow, so it may look like it's jammed, but it connects... When I tested it, it took about 20 seconds for the login screen to appear... So please be patient :)

krayon007 commented 4 years ago

Here is the setting to enable VNC on macOS. You must go to System Preferences, then Sharing, then click 'Computer Settings', and then add a password for VNC. This is the password you'll use on the noVNC page on Mesh Central. Once connected, the built in VNC server in macOS will present you with a login page, where you must enter in your macOS credentials, regardless if a user is logged in or not.


PetieM commented 4 years ago

Confirmed working in my tests so far - this is an awesome addition. Thanks!

n9yty commented 4 years ago

Strange, two systems I am working with here as I test this out, both 10.13.6. I can connect to both of them using a regular VNC client, but on both of them I get nothing after hitting Connect on the NoVNC browser tab. Never asked for a password, but I assume that happens after the connection. Does the client have to be updated or just the server? I have v0.5.53 on the server.

krayon007 commented 4 years ago

Client does not need to be updated, this is purely a server side change. You should get a password prompt right away tho, because that is part of the VNC protocol. If nothing happens at all, it probably wasn't able to establish a tunnel with the macOS agent. Are you still able to do files/terminal to the agent?

n9yty commented 4 years ago

Yes, and control the screen. So everything seems fine except the VNC for some reason.

krayon007 commented 4 years ago

I haven't tested it on anything older than Mojave. Not sure why it wouldn't work. The only thing I can think of, is that the macOS VNC server isn't liking that the client connection is originating from localhost... I have Sierra and Yosemite with me right now, so I will test those really quick...

n9yty commented 4 years ago

I have my own system set up as a client, running Catalina, I can control the desktop (although the second monitor doesn't show up), terminal, files, etc, same issue with VNC, so maybe it is something server-side with the noVNC stuff on the host I am running it on?

I was testing in Chrome... I tried Firefox and when I hit connect I get a red bar at the top saying it cannot connect to the server, so at least it is giving more information there.

n9yty commented 4 years ago

In the webbrowser console I see this:

websock.js:184 Refused to connect to 'wss://{redacted}' because it violates the following Content Security Policy directive: "connect-src 'self' wss://{host:port redacted}". open @ websock.js:184

Ylianst commented 4 years ago

Are you running MeshCentral on port 443 or a different port? I am working on a fix for this, but I only get this error if MeshCentral is not running on 443.

n9yty commented 4 years ago

Not on 443, using 444 as another service on this host is already on 443

krayon007 commented 4 years ago

Probably unrelated, but my Sierra system behaves way differently than my Mojave and Catalina systems...

On Mojave, it didn't matter if I was logged in or not, VNC worked fine... On my Sierra system, if someone is logged into the mac, VNC will connect, but will hang on the login screen.... If I log out of the physical mac, then VNC behaves normally, and allows me to login...

krayon007 commented 4 years ago

Hmmm... Nevermind... Seems to work fine, now that I logged out and back in.... Very strange tho...

Ylianst commented 4 years ago

Perfect, I am fixing noVNC when running on non-standard port now. Easy fix.

Ylianst commented 4 years ago

Just published MeshCentral v0.5.54 with noVNC fix for non-standard ports. Let me know if it works.

n9yty commented 4 years ago

Now I get a red box at the top on both Chrome and Firefox that says "Failed to connect to server". Console on Chrome shows:

rfb.js:668 Failed when connecting: Connection closed (code: 1005) _fail @ rfb.js:668

Firefox shows: Failed when connecting: Connection closed (code: 1005) rfb.js:668:21 _fail https://{host}:444/novnc/core/rfb.js:668 RFB https://{host}:444/novnc/core/rfb.js:210 onclose https://{host}:444/novnc/core/websock.js:199

n9yty commented 4 years ago

On trying to connect to my Catalina host I get this instead:

Red bar at top: New connection has been rejected with reason: Incompatible Version.

Chrome console: Failed when connecting: Security negotiation failed on authentication scheme (reason: Incompatible Version.) _fail @ rfb.js:668 _handle_security_reason @ rfb.js:916 _init_msg @ rfb.js:1278 _negotiate_security @ rfb.js:888 _init_msg @ rfb.js:1269 _handle_message @ rfb.js:713 (anonymous) @ rfb.js:186 _recv_message @ websock.js:278

n9yty commented 4 years ago

Ah, but on the second 10.13.6 system It is working!

Ylianst commented 4 years ago

I imagine this is because the VNC server needs to be setup with a password, but I have no idea. I also speculated that maybe the VNC port would be TLS enabled, but that does not seem to be likely.

krayon007 commented 4 years ago

I just tested on Sierra, Mojave, and Catalina, and it works on all my systems for me... I just used the default settings on macOS, aside from setting a password for VNC.

n9yty commented 4 years ago

It is set up with a password, I can connect using another VNC client, so it is strange indeed. But only one of them is acting this way. Oh, my Catalina system may not have a password, so that could explain that. I forgot I never set that up.

n9yty commented 4 years ago

It is doing a filevault set up now (testing MDM profiles) so I can't reboot it to see if it helps. I will later. I should be going to bed anyway. :)

Ylianst commented 4 years ago

Same here (almost 1am here), thanks for the testing.

krayon007 commented 4 years ago

My Sierra system, VNC kept locking up, until I logged out and back in on the physical mac.

n9yty commented 4 years ago

Ok, that one system that wouldn't connect... When testing, I tried to use the 'alternate port' to be sure, and when I blanked it out it seems it didn't go back to the default of 5900 but instead went to 3389 which is why it wouldn't connect on that system. Putting in 5900 made it work again.

nikki-t commented 4 years ago

Hi there! I am having the same issue with novnc. When I go to connect using the "novnc" link I end up with a red box that displays "Failed to connect to server."

We have a slightly complex environment where we are hosting MeshCentral in an LXD container. Is it possible to get a list of ports that require this feature? I am wondering if we are blocking necessary traffic somewhere along the line. I do not see any traffic other than the expected 443 traffic being initiated from our MeshCentral server when I attempt to connect via novnc.

I am not hosting MeshCentral on port 443 but that seems like this should work as this was fixed with v0.5.54. I am running version 0.5.81 of MeshCentral on an Ubuntu server. We followed the installation instructions for a standard installation. The client is running 10.15.6 (MacOS Catalina)

Here is the client-side console log when trying to access a Mac through the "vnclink" in Chrome web browser: "Failed when connecting: Connection closed (code: 1006) _fail @ rfb.js:668 (anonymous) @ rfb.js:210 _websocket.onclose @ websock.js:199"

This is a new setup for us; so apologies if I am missing something obvious. Any thoughts or suggestions?

nikki-t commented 4 years ago

To follow up: We were able to run a debug session and determined the issue.

The key to the error was this log message: "WEB: ERR: Invalid domain, got "labs", expected "".

I was not using the default domain but had created an alternate domain. It appears that the novnc session (or some component that creates the novnc session) only supports the default domain.

Would it be possible to change this so that one could use MacOS clients in different domains? I understand if this is more of a novnc issue than a MeshCentral issue.

Either way, I can confirm that once I moved the Macs to the default domain, I can now connect and login via novnc.

Ylianst commented 4 years ago

Oh!!! That is something I can fix. Certainly a server bug in how the encrypted cookie is created. I will look at it later tonight or tomorrow morning.

Ylianst commented 4 years ago

Nice. MeshCentral v0.6.14 will have a fix for this.

zaggynl commented 3 years ago

Found a way to enable Remote Management via SSH but the cursor remains a dot and the screen black on a connection attempt by any VNC client.

Commands used to enable Remote Management via SSH (run both as root; change PASSWORDHERE to the preferred password):

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw PASSWORDHERE -restart -agent -privs -all

echo "PASSWORDHERE" | perl -we 'BEGIN { @k = unpack "C*", pack "H*", "1734516E8BA8C5E2FF1C39567390ADCA"}; $_ = <>; chomp; s/^(.{8}).*/$1/; @p = unpack "C*", $_; foreach (@k) { printf "%02X", $_ ^ (shift @p || 0) }; print "\n"' | sudo tee /Library/Preferences/com.apple.VNCSettings.txt

To disable:

(as root) /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off