[Question] Accessing a Mac that's on the Login Screen?

[PlaneNuts]

So, this is probably a dumb question, but maybe someone can point me in the right direction. I just came across MeshCentral today while looking for an RDP type solution for Macs. I got a test instance up and running, and as per this comment I got the agent installed and running on a Mac running Big Sur 11.6. Everything works perfectly right up until I reboot or log off.

On reboot The agent doesn't seem to relaunch unless I log into an account

On Log Out With the Mac on the login screen I can still connect to terminal and file sessions, but desktop sessions bring me to a black screen

I'm not sure if this is the normal behavior, or if I'm doing something wrong

[PetieM]

If you enable screen sharing on the Mac and novnc in MeshCentral, you can control the login screen via VNC through MeshCentral, at least if the agent is running. I think this is expected behavior due to Apple's security implementation on the login screen (as far as not being able to interact with it via the Mesh agent). As for it not restarting the service until a user logs in, that sounds unintended unless you're using FileVault by chance? I feel like it should work if the drive isn't encrypted but I can't test that as I don't have an unencrypted Mac at the moment.

[PlaneNuts]

Thanks for the reply

Screen Sharing and NoVNC worked perfectly for the issue on the login screen!

I did just check and confirmed the disk is not encrypted with File Vault. The service actually doesn't seem to start on it's own at all, I had to sudo launchctl kickstart -k system/meshagent to get the service running after logging in

[PetieM]

That's odd - my Mac service auto-starts just fine though I didn't follow the procedure referenced in your linked comment. I just installed using the installer and then connected once to trigger the permission prompt. Maybe try that?

[PlaneNuts]

I just tried again this morning on a different Mac running Big Sur (11.5.2) this time I installed like this

• sudo spctl --master-disable to allow installing from any source
• Logged into the MC portal on the Mac, downloaded the .mpkg installer, and installed the agent
• Agent launched, connected and I saw it online in the portal
• Connected to the desktop through the portal (just the background displayed)
• Got a prompt on the mac to allow Screen Share access (accepted)
• Could not control the screen
• Rebooted the Mac, logged in, agent did not auto launch

Edit: To add to this is I tried

• cd /usr/local/mesh_services/meshagent
• sudo ./meshagent_osx64
  • Unable to open database
• ./meshagent_osx64
  • Unable to open database

I had to sudo launchctl kickstart -k system/meshagent to get the agent running again

[PetieM]

Sorry, I should have been more specific. Here's the process I typically follow. I haven't had to use Terminal at any time during an initial setup though the spctl command likely isn't the issue here so use that if it's easier.

1. Download and install (I just right-click the installer and choose Open - you'll get the same security warning but with an additional Open option that you can use to bypass the unverified source without needing to execute spctl first)
2. Connect to trigger the screen recording request, allow it, verify meshagent_osx64 is listed and enabled under System Preferences > Security & Privacy > Privacy > Screen Recording
3. Right-click meshagent_osx64 and choose Show in Finder, then drag it to the Accessibility and Full Disk Access sections of that same Security & Privacy > Privacy window

The agent software needs at minimum Accessibility access though I'd suggest Full Disk Access as well for proper use of the files tab.

[PlaneNuts]

I granted the Full Disk Access to the agent but still no luck. Once funny thing, it's not showing up as online, but if I run sudo launchctl list I see this entry, so it looks like the agent is actually running, but not connecting for some reason. I have to kickstart it to get it to connect to the server again

PID	Status	Label
68	0	meshagent

[PetieM]

Just Full Disk Access or Accessibility too? I'm fairly sure Accessibility is the more important of the two though you should really have it in all 3 (Screen Recording, Accessibility, and Full Disk Access).

[PlaneNuts]

Yeah, I have all three. Sorry

Originally had Screen Sharing and Accessibility, just added Full Disk

[PetieM]

Got it, we'll probably need to wait for someone with a bit more knowledge than I have to chime in at this point. Sorry I couldn't get you the answer you needed!

[PlaneNuts]

No worries, I really appreciate the help

In case it's relevant this is what I have in /Library/LaunchDaemons/meshagent_osx64_LaunchDaemon.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>meshagent</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/mesh_services/meshagent/meshagent_osx64</string>
        </array>

        <key>WorkingDirectory</key>
        <string>/usr/local/mesh_services/meshagent/</string>
        <key>RunAtLoad</key>
        <true/>
    <key>KeepAlive</key>
    <dict>
      <key>Crashed</key>
      <true/>
    </dict>
    <key>ThrottleInterval</key>
    <integer>5</integer>
    </dict>
</plist>

[PetieM]

Mine is identical.

[krayon007]

One thing I meant to do, is modify the installer to make it request permissions at install time instead of runtime. I may try to work on that next week.

As far as the reboot issue. When it shows as offline, can you open a command line window, and from the agent install path, run:

sudo ./meshagent -state

That should show some relevant info on what the agent is doing, including it's connect state.

Bryan

[PlaneNuts]

Hi @krayon007 this is the output I got. I assume I needed to sudo ./meshagent_osx64 -state since it didn't find ./meshagent

MacBook-Pro:~ user$ cd /usr/local/mesh_services/meshagent/
MacBook-Pro:meshagent user$ sudo ./meshagent -state
Password:
sudo: ./meshagent: command not found
MacBook-Pro:meshagent user$ ls
DAIPC           meshagent_osx64     meshagent_osx64.log
kvm         meshagent_osx64.db  meshagent_osx64.msh

MacBook-Pro:meshagent user$ sudo ./meshagent_osx64 -state
Querying Mesh Agent state...
Mesh Agent connected to: [NOT CONNECTED]
 Chain Timeout: 168567 milliseconds
 FD[8] (R: 0, W: 0, E: 0) => Signal_Listener
 FD[11] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v4
 FD[12] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v6
 FD[13] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v4
 FD[16] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v6
 FD[14] (R: 0, W: 0, E: 0) => net.ipcServer.ipcSocketConnection
 FD[10] (R: 0, W: 0, E: 0) => net.ipcServer
 FD[15] (R: 0, W: 0, E: 0) => ILibWebRTC_stun_listener_ipv4

 Timer: 2.8 minutes  (0x7f855a809e00) [meshcore/agentcore.c:4077]

When that didn't work I kickstarted the process and got this

MacBook-Pro:meshagent user$ sudo launchctl kickstart -k system/meshagent

MacBook-Pro:meshagent user$ sudo ./meshagent_osx64 -state
Querying Mesh Agent state...
Mesh Agent connected to: local
 Chain Timeout: 117000 milliseconds
 FD[10] (R: 0, W: 0, E: 0) => MeshServer_ControlChannel
 FD[8] (R: 0, W: 0, E: 0) => Signal_Listener
 FD[11] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v4
 FD[12] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v6
 FD[13] (R: 0, W: 0, E: 0) => ILibMulticastSocket_v4
 FD[16] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v4
 FD[17] (R: 0, W: 0, E: 0) => ILibMulticastSocketListener_v6
 FD[18] (R: 0, W: 0, E: 0) => ILibMulticastSocket_v4
 FD[19] (R: 0, W: 0, E: 0) => net.ipcServer.ipcSocketConnection
 FD[14] (R: 0, W: 0, E: 0) => net.ipcServer
 FD[15] (R: 0, W: 0, E: 0) => ILibWebRTC_stun_listener_ipv4

 Timer: 2.0 seconds  (0x7f82a3c8dd90) [setTimeout()]
 Timer: 19.9 minutes  (0x7f82a3c90a30) [setInterval(), meshcore (InfoUpdate Timer)]

One thing that just occurred to me that is the device is bound to an AD domain. Don't know if that would have any impact. I tried both an AD mobile profile, and a local user profile. I don't have any MDM or policies installed (machine was literally wiped, and added to the domain, nothing else)

[krayon007]

This issue looks related to a long standing issue I've been trying to figure out, but couldn't replicate on my own... A while back someone reported an issue where when the mac is rebooted, the agent shows as disconnected... I found that in this state, none of the networking APIs are functioning correctly... By that I mean, normally I can detect error cases, but in this particular case, the calls all report success, they just never come back... I tried timeouts, but it seemed no matter how many times I retry/delay/retry the same thing, unless I restart the service... I did modify the agent so that on macos, it tries to look at the uptime, and if the network APIs timeout and it knows the mac was recently restarted, it will kickstart itself.

I'll take a closer look at that section of code, as it looks like in your case it isn't kickstarting itself...

[PlaneNuts]

If there's anything I can do to help feel free to let me know. Like I said, both Macs are AD domain joined. I've got a few Macs at my disposal that I can test with so if you need apples to apples (no pun intended) comparisons let me know. Tomorrow (or Monday morning) I'll format one of them to see if that makes a difference. I know years ago I had a network issue with our Macs where network wouldn't come up because it couldn't reach the domain.

[PlaneNuts]

So, I did the wipe of the Mac (formatted drive, reinstall OS). Went through initial setup, installed the mesh agent, and still the same issue

[si458]

duplicate #1459