Secure macOS Remote Screen Sharing for Admins with Road Warriors
You may come across the situation where you have to service a couple of MacBooks for remote workers or frequent travellers. There are commercial offers for remote screen sharing available but I wanted to achieve a good result with freely available tools.
Requirements
- A Unix-based server connected to the internet running OpenSSH
- A static IP address or dynamic DNS setup
Setup Server
useradd sshtunnel -m -d /home/sshtunnel -s /bin/true
mkdir /home/sshtunnel/.ssh
# /etc/ssh/sshd_config
Match User sshtunnel
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
ForceCommand /bin/true
# /home/sshtunnel/.ssh/authorized_keys
ssh-ed25519 AAAA...
chmod 500 /home/sshtunnel/
chmod 500 /home/sshtunnel/.ssh
chmod 400 /home/sshtunnel/.ssh/authorized_keys
service sshd restart
Setup Clients
Create a script named RemoteAccess.command:
#!/bin/bash
SERVER="server.example.com"
PORT="60000"
echo "==================================="
echo "=== START remote access mode... ==="
echo "==================================="
echo "Set up ARD permissions and start up..."
sudo bash -c "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all -allowAccessFor -allUsers | tee -a /var/log/sshtunnel.log"
echo "Create SSH tunnel to server... Ctrl-C closes the connection."
ssh -nNT -p 22 -C sshtunnel@$SERVER -R $PORT:localhost:5900
echo "Connection closed."
sleep 2
echo "Stop ARD and clean up permissions..."
sudo bash -c "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -access -off | tee -a /var/log/sshtunnel.log"
echo "Everything's shut down again."
sleep 5
chmod 500 RemoteAccess.command
For additional clients just add more SSH keys and increment the port number by one.
Using
Double-click RemoteAccess.command on the client machine and wait for it to
connect properly.
On your administration machine, use software like SSH Tunnel Manager or manually create a SSH tunnel to the server:
ssh -nNT -p 22 -C sshtunnel@server.example.com -L 60000:localhost:60000
On your administration machine, open Screen Sharing.
open /System/Library/CoreServices/Applications/"Screen Sharing.app"
In Finder, connect to server vnc://localhost:60000.
Shutting Down
Ctrl-C on the client machine as well as the administration machine and let the terminal window of the client close by itself.
Conclusion
If your users won’t mind running a “text window” (Terminal.app) instead of a
full native UI application when the need arises, this can make things easy and
secure for all parties. Of course, because it opens up screen sharing ports for
all local users, make sure the user passwords are strong. If you know the POSIX
user names of all machines, you can restrict this further. Run
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
for all options available. Passwords are usually the biggest concern since
users are all too often cavalier about security. I’ve actually had customers
with passwords like “whatever”, “1234” and yes: “password”.
To upgrade security even more in one go, nothing beats a properly configured VPN which tunnels all connections including DNS queries through itself.