macOS Remote Desktop

OVERVIEW

SFU faculty and staff are able to remotely connect to on-campus managed Mac computers by using SFU's Virtual Private Network and Apple's built-in Screen Sharing app.

This is a convenient way to:

  • Remotely log in to on-campus managed Mac computers from a remote Mac.
  • Access software and files from office workstations.
  • Connect with other on-campus resources (such as shared-drives and printers).

Note: We recommend that undergraduate and graduate students see Remote Lab Access for a more friendly experience.

How to Connect (Mac to Mac Only)

SFU managed Macs are pre-configured with Apple's built-in remote management settings to help administrators troubleshoot issues. For you to use remote management, your user profile will need to be added as an allowed account for your on-campus Mac.

Step 1: Ask your departmental IT staff to configure your on-campus Mac

Only IT administrators can complete the following steps.

  1. Open "System Preferences"
  2. Select "Sharing"
  3. Select "Remote Management"
  4. Under "Allow access for" select the + icon.
  5. Select the user account to add. 

* Also consider disabling sleep mode for a reliable connection.

Step 2: Set up MFA and SFU VPN

You won't be able to use remote desktop without MFA or SFU VPN. Already have MFA and SFU VPN? Skip and proceed to Step 3.

Setup instructions:

Step 3: Sign in to SFU VPN

Sign in to the SFU VPN app with your SFU computing ID and MFA code.

Step 4: Connect to your on-campus Mac

While signed in to SFU VPN, open Apple's built-in Screen Sharing app and enter the hostname of your on-campus Mac. See "How to Configure Remote Access for Managed Macs" for detailed instructions.

How to Configure Remote Access for Managed Macs

These instructions are for connecting a remote Mac to a managed Mac on campus.

Apple provides a fairly simple remote control facility, much as Microsoft does with Windows "Remote Desktop". It is not as feature-rich or mature as Microsoft Remote Desktop, but it gets the job done.

Note: Macs can use simple VNC, but we will never use this. We will allow the Screen Sharing service. When we do, we should take extra measures to tunnel through SSH to ensure it is encrypted.

One thing to look out for: The majority (over 85%) of managed Macs at the University are already configured for Remote Management. Both services cannot be configured simultaneously, so the route you take will depend on how your Mac is currently configured.

With Apple screen sharing the user ID and password are sent encrypted, as are keystrokes and mouse movements.

Scenario 1: No Screen Sharing or Remote Management configured

  1. Open System Preferences > Sharing
  2. Click on Screen Sharing
  3. Be sure to only allow access for your main user
  4. Stop here.
  5. Do not ever enable VNC

Note: We are NOT configuring VNC access at SFU, and doing so reduces security of our systems. Never, ever promote this practice.

Scenario 2: SFU managed Mac that has Remote Management configured

An administrator can still grant your Mac's main user access, but the process is a little different.

Only one service can be configured, so you must add your user in the "Remote Management" dialog.

  1. Open System Preferences > Sharing
  2. Don't touch the Screen Sharing option.
  3. As an administrator, highlight the "Remote Management" section.
  4. On the right-hand dialog, only the first two options are necessary (observe and control)
  5. Enabling the remaining options will allow features only possible via Apple Remote Desktop. This is not necessary.

If you are not the administrator of your Mac, please contact your local IT support personnel to make these changes for you.

Connect to your Mac using the built-in Screen Sharing application.

You can find this app in: /System/Library/CoreServices/Applications/Screen Sharing.app

Power considerations:

Remote wake services designed for Windows PCs are not reliable on routed networks for Macs. As such, if you need reliable remote access to your Mac, please consider temporarily disabling system sleep.

Firewall considerations:

The service connects on TCP port 5900 (just like VNC). The user ID and password are sent encrypted, as are keystrokes/mouse moves.

The managed Mac firewall tolerates up to 6 failed connection attempts per 30 seconds. Brute-force attempts beyond this rate are blocked.

Tunneling through SSH:

Another secure approach is to use an SSH tunnel for screen sharing. It is doable, but requires a bit of setup to work.

Using SSH port forwarding and VNC you can connect to your remote desktop using the Screen Sharing application.

  • First, connect to your machine over SSH and forward port 5900:

      $ ssh sfuid@mac.its.sfu.ca -L 5900:localhost:5900

  • Now open "Screen Sharing.app" and connect to "localhost" specifically (you already made an SSH connection to your Mac in the previous step).
    • This way all portions of your connection are encrypted.
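
The tunnel steps above as a reusable script, added here as an example and not SFU's own tooling: it pins the forward to loopback, refuses to run without the forward, and checks with lsof that the local port is not exposed before opening Screen Sharing. The function names and the optional local port argument are assumptions; sfuid@mac.its.sfu.ca is the placeholder from the command above.

```shell
#!/bin/sh
# Added example, not SFU's own script. Function names and the optional
# LOCAL_PORT argument are assumptions made for this illustration.

# A local forward port must be numeric and unprivileged.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the -L argument. The explicit 127.0.0.1 bind keeps the forwarded port
# off the network even if GatewayPorts is enabled in the ssh client config.
forward_spec() {
  valid_port "$1" || return 1
  printf '127.0.0.1:%s:localhost:5900\n' "$1"
}

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print every listener
# on PORT that is not bound to loopback. No output means nothing is exposed.
exposed_listeners() {
  awk -v port="$1" '
    $NF == "(LISTEN)" {
      addr = $(NF - 1)
      n = split(addr, part, ":")
      if (part[n] != port) next
      host = substr(addr, 1, length(addr) - length(part[n]) - 1)
      if (host != "127.0.0.1" && host != "[::1]") print $1, $2, addr
    }'
}

# Start the tunnel in the background, verify it, then open Screen Sharing.
open_tunnel() {  # usage: open_tunnel USER@HOST [LOCAL_PORT]
  port=${2:-5900}
  spec=$(forward_spec "$port") || { echo "invalid local port" >&2; return 2; }
  # -N: no remote shell; -f: background once authenticated;
  # ExitOnForwardFailure: exit rather than run without the forward.
  ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" -- "$1" || return 1
  if lsof -nP -iTCP -sTCP:LISTEN | exposed_listeners "$port" | grep -q .; then
    echo "local port $port also has a non-loopback listener" >&2
    return 3
  fi
  open "vnc://localhost:$port"  # macOS hands vnc:// URLs to Screen Sharing
}

# Example: ./tunnel.sh sfuid@mac.its.sfu.ca 5901
if [ "$#" -ge 1 ]; then open_tunnel "$@"; fi
```

The backgrounded ssh process keeps the forward open until it is killed, so end it once the Screen Sharing session is finished.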

For additional information, see Mac screen sharing by Apple.

Frequently Asked Questions about Mac Remote Desktop

My on-campus Mac isn't responding. What should I do? 
If inactive, on-campus devices will enter a sleep mode to conserve energy. For a reliable connection to your on-campus Mac, you will need to ensure that sleep mode is disabled. To help with energy conservation, SFU recommends that you only do this as a temporary measure.

SFU doesn't centrally manage my on-campus Mac. Will I still need to use SFU VPN to connect?
Yes. Remote connection protocols (VNC, RDP and ARD) are all blocked while off campus to protect the SFU community from common threats. SFU VPN provides an encrypted and secure connection to the SFU campus network and is required for remote connections to on-campus devices.