Remote access to Managed Mac

How to Configure Remote Access for Managed Macs

These instructions are for connecting a remote Mac to a managed Mac on campus.

Apple provides a fairly simple built-in tool for remote control, comparable to Microsoft's "Remote Desktop" on Windows. It is not as feature-rich or mature as Microsoft Remote Desktop, but it gets the job done.

Important note: Macs can use simple VNC, but we will never use this. We will allow the Screen Sharing service. When we do, we should take extra measures to tunnel through SSH to ensure it is encrypted.

One thing to look out for: The majority (over 85%) of managed Macs at the University are already configured for Remote Management. Both services cannot be configured simultaneously, so the route you take will depend on how your Mac is currently configured.

With Apple Screen Sharing, the user ID and password are sent encrypted, as are keystrokes and mouse movements.

Scenario 1: No Screen Sharing or Remote Management configured

  1. Open System Preferences: Sharing
  2. Click on Screen Sharing
  3. Be sure to only allow access for your main user
  4. Stop here.
  5. Do not ever enable VNC

We are NOT configuring VNC access at SFU, and doing so reduces security of our systems. Never, ever promote this practice.

Scenario 2: SFU managed Mac that has Remote Management configured.

It is still possible for an administrator to give your Mac's main user access, but the process is a little different.

Only one service can be configured, so you must add your user in the "Remote Management" dialog.

  1. Open System Preferences: Sharing
  2. Don't touch the Screen Sharing option.
  3. As an administrator, highlight the "Remote Management" section.
  4. On the right-hand dialog, only the first two options are necessary (observe and control)
  5. Enabling the remaining options will allow features only possible via Apple Remote Desktop. This is not necessary.

If you are not the administrator of your Mac, please contact your local IT support personnel to make these changes for you. Connect to your Mac using the built-in Screen Sharing application.

You can find this app in: /System/Library/CoreServices/Applications/Screen

Power considerations:

Remote wake services designed for Windows PCs are not reliable on routed networks for Macs. As such, if you need reliable remote access to your Mac, please consider temporarily disabling system sleep.

Firewall considerations:

The service connects on TCP port 5900 (just like VNC). The user ID and password are sent encrypted, as are keystrokes/mouse moves.

The managed Mac firewall is set to tolerate connection failures at a rate of up to 6 per 30 seconds. Brute-force attempts past this rate will be blocked.

Tunneling through SSH:

Another secure approach is to use an SSH tunnel for screen sharing. It is doable, but takes a bit of setup work.

Using SSH port forwarding and VNC you can connect to your remote desktop using the Screen Sharing application.

  • First connect to your machine over SSH and forward port 5900 (replace the placeholder username and hostname with your own).
  • $ ssh -L 5900:localhost:5900 <username>@<your-mac-hostname>
  • Now open "Screen Sharing" and connect to "localhost" specifically (you already made an SSH connection to your Mac in the previous step).
    • This way all portions of your connection are encrypted.
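
The tunnel step above as an added shell example (not part of the original instructions). It builds the forwarding command with the listener bound to loopback only, then checks `netstat -an` output for a forwarded port that is reachable from other hosts. The function names, the optional local-port argument, the `alice`/`mac.example.edu` values and the sample netstat lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. User and host values are placeholders.

# Print the ssh command for a loopback-only tunnel to Screen Sharing (TCP 5900).
# Usage: tunnel_cmd USER HOST [LOCAL_PORT]
tunnel_cmd() {
    user=$1 host=$2 lport=${3:-5900}
    # Reject empty values and anything ssh could parse as an option.
    for v in "$user" "$host"; do
        case $v in ""|-*|*[!A-Za-z0-9._-]*) echo "invalid user or host" >&2; return 2 ;; esac
    done
    # Local port must be 1-5 digits and unprivileged.
    case $lport in ""|*[!0-9]*|??????*) echo "invalid port" >&2; return 2 ;; esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "invalid port" >&2; return 2
    fi
    # -N: forward only, no remote shell. ExitOnForwardFailure: exit instead of
    # continuing without the forward if the local port cannot be bound.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:5900 %s@%s\n' \
        "$lport" "$user" "$host"
}

# Read `netstat -an` output on stdin and print LISTEN sockets on PORT that are
# bound to anything other than loopback. No output means the tunnel is local-only.
nonloopback_listeners() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            addr = $4                          # local address column
            n = match(addr, /[.:][0-9]+$/)     # macOS: addr.port, Linux: addr:port
            if (!n || substr(addr, n + 1) != port) next
            ip = substr(addr, 1, n - 1)
            if (ip != "127.0.0.1" && ip != "::1") print addr
        }'
}

# Constructed sample in macOS `netstat -an` format: a correct loopback tunnel on
# 5901 and a forward on 5902 that was bound to all interfaces by mistake.
sample_netstat() {
    cat <<'EOF'
tcp4       0      0  127.0.0.1.5901         *.*                    LISTEN
tcp4       0      0  *.5902                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
EOF
}

tunnel_cmd alice mac.example.edu 5901      # prints the command to run
sample_netstat | nonloopback_listeners 5902  # prints the exposed listener
```

On a real client, pipe live output into the check with `netstat -an | nonloopback_listeners 5901` while the tunnel is up, then point Screen Sharing at `localhost:5901`.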