Secure macOS Remote Screen Sharing for Admins with Road Warriors
You may come across the situation where you have to service a couple of MacBooks for remote workers or frequent travellers. There are commercial offers for remote screen sharing available but I wanted to achieve a good result with freely available tools.
- A Unix-based server connected to the internet running OpenSSH
- A static IP address or dynamic DNS setup
useradd sshtunnel -m -d /home/sshtunnel -s /bin/true
mkdir /home/sshtunnel/.ssh
# /etc/ssh/sshd_config
Match User sshtunnel
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/true
# /home/sshtunnel/.ssh/authorized_keys
ssh-ed25519 AAAA...
chmod 500 /home/sshtunnel/
chmod 500 /home/sshtunnel/.ssh
chmod 400 /home/sshtunnel/.ssh/authorized_keys
service sshd restart
Create a script named RemoteAccess.command:
#!/bin/bash
SERVER="server.example.com"
PORT="60000"   # reverse-tunnel port on the server; use a different one per client
echo "==================================="
echo "=== START remote access mode... ==="
echo "==================================="
echo "Set up ARD permissions and start up..."
# Switch on Remote Management (screen sharing on port 5900) for all local users and log what kickstart reports
sudo bash -c "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers | tee -a /var/log/sshtunnel.log"
echo "Create SSH tunnel to server... Ctrl-C closes the connection."
# Reverse tunnel: port $PORT on the server is forwarded to this Mac's screen sharing port 5900
ssh -nNT -p 22 -C sshtunnel@$SERVER -R $PORT:localhost:5900
echo "Connection closed."
sleep 2
echo "Stop ARD and clean up permissions..."
# Turn Remote Management off again as soon as the tunnel is gone
sudo bash -c "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -access -off | tee -a /var/log/sshtunnel.log"
echo "Everything's shut down again."
sleep 5
chmod 500 RemoteAccess.command
For each additional client, add that client's SSH key to authorized_keys and increment the port number by one.
Start RemoteAccess.command on the client machine and wait for it to connect properly.
On your administration machine, use software like SSH Tunnel Manager or manually create an SSH tunnel to the server:
ssh -nNT -p 22 -C email@example.com -L 60000:localhost:60000
On your administration machine, open Screen Sharing.
open /System/Library/CoreServices/Applications/"Screen Sharing.app"
In Finder, choose Go > Connect to Server and connect to vnc://localhost:60000, the local end of the tunnel you just opened.
Press Ctrl-C on the client machine as well as on the administration machine, and let the terminal window on the client close by itself.
If your users won’t mind running a “text window” (Terminal.app) instead of a full native UI application when the need arises, this can make things easy and secure for all parties. Of course, because it opens up screen sharing ports for all local users, make sure the user passwords are strong. If you know the POSIX user names on all machines, you can restrict this further; run /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart with no arguments for a list of all available options. Passwords are usually the biggest concern since users are all too often cavalier about security. I’ve actually had customers with passwords like “whatever”, “1234” and yes: “password”.
To raise security further in one go, nothing beats a properly configured VPN that tunnels all connections, including DNS queries, through itself.