Remote access to Managed Mac
How to Configure Remote Access for Managed Macs
These instructions are for connecting a remote Mac to a managed Mac on campus.
Apple provides a fairly simple tool for remote control, comparable to Microsoft's "Remote Desktop" for Windows. It is not as feature-rich or mature as Microsoft Remote Desktop, but it gets the job done.
Important note: Macs can use simple VNC, but we will never use this. We will allow the Screen Sharing service. When we do, we should take extra measures to tunnel through SSH to ensure it is encrypted.
One thing to look out for: The majority (over 85%) of managed Macs at the University are already configured for Remote Management. Both services cannot be configured simultaneously, so the route you take will depend on how your Mac is currently configured.
With Apple Screen Sharing, the user ID and password are sent encrypted, as are keystrokes and mouse movements.
Scenario 1: No Screen Sharing or Remote Management configured
- Open System Preferences: Sharing
- Click on Screen Sharing
- Be sure to only allow access for your main user
- Stop here.
- Do not ever enable VNC
We are NOT configuring VNC access at SFU, and doing so reduces the security of our systems. Never, ever promote this practice.
Scenario 2: SFU managed Mac that has Remote Management configured.
It is still possible for an administrator to grant your Mac's main user access, but the process is a little different.
Only one service can be configured, so you must add your user in the "Remote Management" dialog.
- Open System Preferences: Sharing
- Don't touch the Screen Sharing option.
- As an administrator, highlight the "Remote Management" section.
- On the right-hand dialog, only the first two options are necessary (observe and control)
- Enabling the remaining options will allow features only possible via Apple Remote Desktop. This is not necessary.
If you are not the administrator of your Mac, please contact your local IT support personnel to make these changes for you.
Connect to your Mac using the built-in Screen Sharing application.
You can find this app in: /System/Library/CoreServices/Applications/Screen Sharing.app
Remote wake services designed for Windows PCs are not reliable on routed networks for Macs. As such, if you need reliable remote access to your Mac, please consider temporarily disabling system sleep.
The service connects on TCP port 5900 (just like VNC). The user ID and password are sent encrypted, as are keystrokes/mouse moves.
The managed Mac firewall is set to tolerate up to 6 failed connections per 30 seconds. Brute-force attempts beyond this rate will be blocked.
Tunneling through SSH:
Another secure approach is to use an SSH tunnel for screen sharing. Doable, but a bit of setup work.
Using SSH port forwarding and VNC you can connect to your remote desktop using the Screen Sharing application.
- First connect to your machine over SSH and port forward 5900.
- $ ssh email@example.com -L 5900:localhost:5900
- Now open "Screen Sharing.app" and connect specifically to "localhost" (you have already made an SSH connection to your Mac in the previous step).
- This way all portions of your connection are encrypted.
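The two tunneling steps above as one script, added here as an example and not part of the original instructions. It binds the local end of the tunnel to 127.0.0.1 and uses local port 5901 so it does not clash with a Screen Sharing service already listening on the local Mac's port 5900; user@host, port 5901 and the control-socket path are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page.
# Assumptions: user@host is your own account on the managed Mac; local port
# 5901 and the control-socket path below are arbitrary choices.

REMOTE_PORT=5900   # Screen Sharing port named on this page

# Print the -L argument for ssh. Binding to 127.0.0.1 keeps the local end of
# the tunnel unreachable from other machines on your network.
forward_spec() {
    lport=$1
    case $lport in
        ''|*[!0-9]*|??????*) echo "port must be 1-5 digits" >&2; return 2 ;;
    esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "use an unprivileged port (1024-65535)" >&2; return 2
    fi
    printf '127.0.0.1:%s:localhost:%s\n' "$lport" "$REMOTE_PORT"
}

# Refuse a destination that is empty, contains a space, or that ssh would
# parse as an option because it starts with "-".
valid_remote() {
    case $1 in
        ''|-*|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

connect() {
    remote=$1; lport=${2:-5901}
    valid_remote "$remote" || { echo "bad destination" >&2; return 2; }
    spec=$(forward_spec "$lport") || return 2
    sock="$HOME/.ssh/screenshare-$lport.sock"
    # -f -N: authenticate, then stay in the background with no remote shell.
    # ExitOnForwardFailure: fail instead of leaving a session with no tunnel.
    # -M -S: control socket, so the tunnel can be closed cleanly afterwards.
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
        -L "$spec" "$remote" || return 1
    open "vnc://localhost:$lport"   # launches Screen Sharing.app on macOS
    echo "Close the tunnel with: ssh -S $sock -O exit $remote"
}

# Runs only when called with arguments: ./screenshare-tunnel.sh user@host [port]
if [ "$#" -ge 1 ]; then connect "$@"; fi
```

Close the tunnel when the session ends; while it is open, anything on the local Mac that can reach 127.0.0.1:5901 can reach the remote Screen Sharing login prompt.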