If you have any Mac that you would like to manage remotely, then you can enable Screen Sharing or Remote Management in the Sharing system preferences. However, if these become disabled or if you keep them disabled by default, then you will not be able to access your system. Nevertheless, if you have Remote Login enabled and can establish an SSH connection, then you can take a few steps to re-enable Screen Sharing.
At the very least, you will need the IP address and credentials for a local administrative account on the system you are trying to administer, and then you can follow these steps to enable Screen Sharing:
- Open the OS X Terminal
- Start a remote login session by entering the following command, replacing <IP Address> and <Admin Username> with your Mac’s IP address and administrative username. When it runs, you will be prompted for your password, which will not be displayed as you type:
ssh <Admin Username>@<IP Address>
- When successfully logged in, run the following command to re-enable Remote Management on the computer, followed by closing the Terminal to log out:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
The above command uses the “-activate” flag to just enable the Remote Management service, which will load its default configuration as set in the Sharing system preferences. Normally this is all that is needed, and you can then connect to your Mac with Screen Sharing, Remote Desktop, or a VNC client of your choice. However, if you are receiving errors then you can re-run the command using the following flags in place of “activate”:
...kickstart -configure -access -on -privs -all -users <username>
These flags will instruct the Remote Desktop agent to configure the service to give full access to the designated users, so be sure to only use this for designated administrative accounts.
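A scripted form of the steps above, as an added example that is not from the original article: it grants Remote Management to one named account instead of all users, and builds the matching command to switch the service off afterwards. The function names and the DRY_RUN variable are assumptions; `-allowAccessFor`, `-restart -agent` and `-deactivate` are kickstart options the article does not show.

```shell
#!/bin/sh
# Added example (not from the article). Function names and DRY_RUN are
# hypothetical; the kickstart path and flags are Apple's.
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Accept only plain usernames/hosts so nothing else reaches the remote shell.
valid_user() {
    case "$1" in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}
valid_host() {
    case "$1" in ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;; esac
}

# Remote command: activate the service, grant full privileges to ONE account,
# then restrict access to specified users instead of all users.
enable_cmd() {
    valid_user "$1" || { echo "bad username: $1" >&2; return 1; }
    printf 'sudo %s -activate -configure -access -on -privs -all -users %s -restart -agent' \
        "$KICKSTART" "$1"
    printf ' && sudo %s -configure -allowAccessFor -specifiedUsers\n' "$KICKSTART"
}

# Remote command: switch Remote Management back off when the work is done.
disable_cmd() {
    printf 'sudo %s -deactivate -configure -access -off\n' "$KICKSTART"
}

# run_remote <admin> <host> <command>
# With DRY_RUN=1 the ssh invocation is printed instead of executed.
# -t allocates a terminal so sudo can prompt for the password.
run_remote() {
    { valid_user "$1" && valid_host "$2"; } || { echo "bad target" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ssh -t %s@%s %s\n' "$1" "$2" "$3"
    else
        ssh -t "$1@$2" "$3"
    fi
}

# Usage (192.0.2.10 is a documentation address, "admin" a constructed name):
#   run_remote admin 192.0.2.10 "$(enable_cmd admin)"
#   ... screen sharing session ...
#   run_remote admin 192.0.2.10 "$(disable_cmd)"
```

On macOS 10.14 and later, Apple limits what kickstart can turn on from the command line (screen sharing enabled this way is observe-only), so confirm the resulting state in the Sharing preferences.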
The fly in this ointment is the IP address necessary for a remote connection. Most people have a random IP address assigned by their ISP. You need a fixed IP address to tunnel into your computer. You can get a fixed IP from your service provider, but it will cost extra. If you often work remotely, as many road warriors do, it may be worth the trouble and expense to acquire a fixed address. Otherwise, not so much.
Of course there is Back-to-My-Mac, which can use your Apple ID and iCloud account to connect your two computers. But it may not provide the granular control that Topher describes here, to turn on the services you need, like screen sharing. In any case, any remote connection will require that the target computer be turned on and that Wake for network access be turned on in the Energy Saver preferences so that the computer will wake up when tickled by a remote access request.
That said, I’m no expert on remote access issues so hopefully Topher will correct me if I have any of this wrong. My point is that the predicate to Topher’s procedure here is not a simple matter.
The real fly in the ointment is that SSH and Remote Login are disabled by default, and most users should leave it that way. In addition, hopefully users, Mac and PC, are using routers with firewalls that will block this type of command-line access to their computers. If they do have a hardware firewall in place, most Mac users would then have an IP address which isn’t directly accessible from the internet, as the IP address on the “home” side of the network is randomly assigned from a range of addresses which can’t be routed on the internet. Contrary to B. Jefferson Le Blanc’s comments, while your ISP assigns an IP address to your hardware connection, it can change, but may not for many users. Cable users, in particular, will have an IP address (for their cable modem or router connection to the internet) that isn’t likely to change very often, if ever. But even then, B. Jefferson Le Blanc is correct in that you would have to create a tunnel through that modem/router barrier to your computer. It seems too many things have to fall into place for the SSH to work as an adequate backup to turning on remote access or screen sharing.
This is a great tip, thanks.
First, when doing screen sharing I already have network access to the computer. Either because it has a public IP, is on a VPN, or both computers are on the same LAN. So that is not an issue.
However, instead of using the Screen Sharing app I always use Apple Remote Desktop. Because of that, I only need to turn on Remote Management, as with Apple Remote Desktop, Screen Sharing is controlled by Remote Management. Always make sure Remote Login is OFF to reduce any attempts to hack into the computer using SSH, as telnet is a much more accessible client than Apple Remote Desktop.
Frankly, much of this is “don’t try this at home” territory for all but power users. Indeed, it’s usually the domain of IT professionals. That said, Topher does offer advice here for “experts” from time to time, stuff that most of us will not or should not use on our own. He respects that we can determine for ourselves which tips are for us, without arbitrarily labeling them. And he gives us room to express our concerns and ask questions, though it’s often up to other users to answer those questions.
As for users blocking SSH, that’s a wise policy in general to stop hackers, but the fact is many legitimate support services, including Apple’s, use SSH to assist users in troubleshooting their computers and in doing maintenance and repairs.
The trick is to never respond to anyone calling you asking for access. That’s a common scam and I’ve known people to fall for it. Someone with an Indian accent rings you up claiming they are calling from Windows, saying there are problems they need to help you resolve. If you allow them in, your computer belongs to them—and all the personal data on it. You’re screwed.
If you contact a service provider, which may also be in India, be sure you know they are legitimate before you let them onto your system. Frankly this is a more common issue for Windows users, whose computers may be hinky right out of the box due to all the crapware resellers dump on them.
I’ve had personal experience with Apple Care warranty support. Tech support, if you contact them by phone, will direct you to a URL from which you can download an app that will allow them to basically run a screen sharing session with you. They don’t actually do anything to your computer, but rather instruct you what to do using a little red pointer. The app expires when you close out the session. It had no trouble, by the way, with my router firewall, which uses moderate security settings. So it’s a smart little critter. Other services may be more intrusive. Even Back-to-My-Mac is more powerful, or can be. But it uses your iCloud account for access so is, hopefully, more secure than SSH in general.
Of course, if you use a VPN, that too should be password secured.