Enabling least-privilege screensharing using Apple’s Remote Desktop Client and Screen Sharing.app

In a number of Mac-using environments, there is often a need for IT staff to remotely connect to a Mac’s screen using Apple’s Remote Desktop application and work with the person on the other end to resolve a problem. However, there can be several technical and human-centric issues with enabling remote assistance:

  1. Authentication – To enable access using a username and password, that user account must first be granted Remote Management rights, either through membership in a group that has them or by explicitly granting rights to a local account.
  2. Password rotation – If you’re enabling screensharing via granting access to a local account, the security requirements in most environments mandate that those passwords be changed on a regular basis. However, securely changing the account password on multiple remote Macs can be a management challenge on its own.
  3. Access privileges – A lot of folks don’t like the idea that someone they don’t know can take over access to their keyboards and screens without the remote customer saying it’s OK for them to do so. Frankly, I’ve been on both sides of this fence and I don’t like it either.

However, there is a way to enable screen sharing using Apple’s Remote Desktop Client and Apple’s Screen Sharing.app which does the following:

  • Removes the need for any account to be enabled for screen sharing access
  • Mandates that all screen sharing access be approved by the logged-in user
  • Does not allow screen sharing access if no user is logged in.

For more details, see below the jump.

To configure Apple’s Remote Desktop Client to allow only explicitly-permitted screen sharing access, use the following procedure:

1. Log into the Mac in question
2. Open System Preferences
3. Select the Sharing preferences

4. Check the Remote Management box to turn on the Remote Desktop Client

5. In the Allow access for: section, select the Only these users: option, but do not select any users.

6. Click the Computer Settings… button.

7. Select the Anyone may request permission to control screen option, then click the OK button.

8. Close System Preferences

You may also configure the Remote Desktop Client using Apple’s kickstart utility. To set the above configuration using the kickstart utility, run the command shown below with root privileges:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes

Once the Remote Desktop Client is configured this way, the Remote Desktop Client should not allow any remote user to authenticate successfully, but will allow the logged-in user to permit screen sharing requests from remote users.
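As an added example that is not part of the original post, the script below applies the same kickstart configuration from a management tool and then audits that no local account still holds Remote Desktop privileges and that the request-permission option is on. It assumes macOS with the stock ARDAgent path and root privileges; the naprivs value -2147483648 meaning "no privileges" and the ScreenSharingReqPermEnabled plist key are assumptions from common ARD audit practice, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: apply the request-only Remote
# Desktop Client configuration from a management script, then audit that no
# local account still holds ARD privileges. Assumptions: macOS with the stock
# ARDAgent path, run as root; the naprivs value -2147483648 meaning "no
# privileges" and the ScreenSharingReqPermEnabled plist key are assumed from
# common ARD audit practice, not taken from the post.

KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Apply the same configuration the post sets through System Preferences (macOS only).
apply_request_only_config() {
    "$KICKSTART" -activate -configure -allowAccessFor -specifiedUsers \
        -clientopts -setreqperm -reqperm yes
}

# Report whether "Anyone may request permission to control screen" is on (macOS only).
reqperm_enabled() {
    [ "$(defaults read /Library/Preferences/com.apple.RemoteManagement \
        ScreenSharingReqPermEnabled 2>/dev/null)" = "1" ]
}

# Emit one "user naprivs" line per local account with UID >= 500; accounts
# that carry no naprivs attribute are reported as "none" (macOS only).
collect_naprivs() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r u; do
        privs=$(dscl . -read "/Users/$u" naprivs 2>/dev/null | awk '/^naprivs:/ { print $2 }')
        printf '%s %s\n' "$u" "${privs:-none}"
    done
}

# Pure check over "user naprivs" lines on stdin: print every account that still
# holds ARD privileges and return 0 only when there are none.
audit_no_ard_privs() {
    awk '$2 != "none" && $2 != "-2147483648" { print $1; bad = 1 }
         END { if (bad) exit 1; exit 0 }'
}

# On a Mac running as root, apply and verify; elsewhere only the functions are defined.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
    apply_request_only_config
    reqperm_enabled || echo "WARNING: request-permission option is not enabled"
    collect_naprivs | audit_no_ard_privs || echo "WARNING: accounts listed above still hold ARD privileges"
fi
```

The audit step is what keeps the "Only these users: with nobody selected" state honest over time: any account later granted rights through the GUI or another kickstart run will show up in the output.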

To screen share with a remote Mac configured this way, use the following procedures:

Sending a screen sharing request

1. Open the Screen Sharing application
2. Under the Connection menu, select New…

3. In the Connect To: field, enter the DNS name or IP address of the remote Mac, then click the Connect button.

4. When prompted to log in, select By requesting permission.

5. Once By requesting permission is selected, click the Connect button.

6. Wait for the response.

Accepting a screen sharing request

1. On the remote Mac’s screen, a Share Screen Request prompt will appear to the logged-in user.

2. If all appears OK, click the Share Screen button.

Once the request has been accepted, the remote Mac’s screen should appear in the Screen Sharing application.

With this Remote Desktop Client configuration, there must be a logged-in user in order for a screen sharing connection to take place. If no user is logged in, then the By requesting permission option will not appear in the login prompt.

This method only enables the following functions: 

  1. Screen sharing
  2. The ability to copy files from the remote Mac, by dragging and dropping the file from its location on the remote Mac to a location outside of the Screen Sharing window.

None of the Remote Desktop Client’s other features will be enabled, including the ability to copy files to the remote Mac, pull reports from the remote Mac, or the ability to run commands on the remote Mac. 

  1. August 9, 2017 at 10:07 pm

    Thank you so much for sharing this.

    It looks like the -clientopts flag is required in the kickstart command in order for it to work:

    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes

    • August 14, 2017 at 2:11 pm

      Confirming that -clientopts was needed in my implementation as indicated by Lucas.

      • August 14, 2017 at 2:42 pm

        Thanks, I’m updating the `kickstart` command to include the `-clientopts` flag.

  2. Gilbert Palau
    April 25, 2019 at 7:33 pm

    Does anyone know how to change the name in the pop up: “A guest user connecting from IP address is requesting permission to share your screen” so that it doesn’t read as guest and instead reads as the user trying to remotely access the Mac?

    • May 30, 2019 at 2:45 pm

      Gilbert, did you find anything about that? I would imagine you’d have to hack into the ARDAgent to change that, but it would be a good thing.

      • December 19, 2019 at 9:15 pm

        You are correct. I discussed this with Frogor in macadmins.slack and there is no way around it because of how the client works. The only way this would work is by hacking Screen Sharing.app and modifying it.
