ARD – Admin, Client, VNC and Security

Introduction


Generally, remote desktop access protocols, such as the Microsoft Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC), can be used after a careful review & analysis of the security risks and after limiting the scope of exposure. Specific Virtual Network Computing (VNC) options on Mac systems, like legacy VNC, allow non-Mac VNC viewers access, but at increased security risk and exposure.

Enabling firewalls, reviewing null session settings, and assessing LAN authentication mechanisms will strengthen network security. A null session occurs when you log in to a system with no username or password. For example, firewalls should restrict remote access services (VNC, RDP, etc.) to only authorized organization networks to limit overexposure to risks. Use firewall rules that block Internet traffic to ports 5800 and 5900 except for authorized IP or MAC addresses.

This post outlines Apple Remote Desktop, both client & administrative software, Virtual Network Computing (VNC) usage with Mac to Mac, and additional risks with Non-Mac to Mac usage.

Why Apple Remote Desktop?

When managing a fleet of Mac systems, Apple Remote Desktop is still a very useful tool for all the small and/or quick ad-hoc tasks that you don’t need to spend the extra time & effort implementing with your organization-wide client management solutions like Jamf Pro, etc.

For many MacAdmins, Apple Remote Desktop is a love & hate relationship, but it is a useful tool to have in your tool-belt when everything isn’t a nail, or you don’t want or need to limit yourself to only a hammer.

Details


Virtual Network Computing (VNC)

Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to control another computer remotely. It transmits the keyboard and mouse input from one computer to another, relaying the graphical-screen updates, over a network. This simple protocol allows interaction with remote computers in a familiar graphical interface. It is suitable for all windowing systems and applications since it operates at the frame buffer level, including Microsoft Windows, macOS, and the X Window System.

VNC is platform-independent; there are clients and servers for many GUI-based operating systems and for Java. Multiple clients may connect to a VNC server at the same time. Popular uses for this technology include remote technical support and accessing files on one’s work computer from one’s home computer or vice versa.

Default Port

VNC by default uses TCP port 5900+N, where N is the display number (usually :0 for a physical display). Some variations of VNC will also start a basic HTTP server just to provide a VNC viewer as a Java applet, which can facilitate access via any Java-enabled web browser.

Security

By default, RFB is not a secure protocol. While passwords are not sent in plain text (as in telnet), cracking could prove successful if both the encryption key and encoded password were sniffed from a network. For this reason, it is recommended that a password of at least 8 characters be used. On the other hand, there is also an 8-character limit on some versions of VNC; if a password is sent exceeding 8 characters, the excess characters are removed and the truncated string is compared to the password.

An additional security concern for the use of VNC is to check whether the version used requires authorization from the remote computer user before someone takes control of their device. This will avoid the situation where the user of the computer realizes there is someone in control of their system without previous notice.

VNC implementations were found to contain a total of 37 vulnerabilities, some of which had gone unnoticed since 1999. VNC applications consist of two parts: a “server” installed on the computer to which your user connects remotely, and a “client” running on the device from which it connects.

Vulnerabilities are far less common on the server side, which is usually somewhat simpler and has fewer bugs. Many of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome. In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.

Apple Remote Desktop

Apple Remote Desktop (ARD) is a macOS administrative application produced by Apple Inc. that replaced a similar old product called Apple Network Assistant. It is aimed at administrators responsible for large numbers of Macs who need to assist individuals or perform group or individual demonstrations, tasks, installations, configuration modifications, etc. Apple Remote Desktop allows users to control or monitor other computers over a network remotely. Mac Pro (2019), Mac mini (M1, 2020), and Mac Studio with 10 Gbps Ethernet have Lights Out Management functions and can be powered on by Apple Remote Desktop.

With VNC, the two parts consist of a “server” (a Mac with Remote Management enabled) set up on the computer to which the MacAdmin or user connects remotely, and a “client” (a Mac with the Apple Remote Desktop administrative software) running on the computer/device from which they connect.

Apple Remote Desktop – VNC Usage

Apple Remote Desktop uses VNC for:

  • Control and Observe – Port: 5900 & Protocol: TCP

  • Send Screen, Share Screen – Port: 5900 & Protocol: UDP

Port    Protocol    Function
5900    TCP         Control and observe
5900    UDP         Send screen, share screen
3283    TCP         Reporting
3283    UDP         Additional data
22      TCP         Encrypted file transfer, observation, and control (using SSH tunnel)

 

Apple Documentation – TCP and UDP port reference in Apple Remote Desktop

Here is Apple documentation covering TCP & UDP ports used with Apple Remote Desktop:

Apple Remote Desktop (Admin) – Encryption Options

You can control the level of security when using Apple Remote Desktop on Mac computers. Depending on the version of macOS running Apple Remote Desktop and the versions of macOS on the client computers, the type of encryption varies, and when it is or isn’t used can be managed & controlled.

When using Copy Items or Install Packages, encryption isn’t enabled by default. You need to enable it for each Copy task, or globally in Apple Remote Desktop preferences.

Encryption – Global Preference

Encryption – Each Copy of the Task

Notable Property List Keys

The following Apple Remote Desktop administrator application keys are notable for improving security by enabling encryption of network data.

Preference and configuration files in macOS use property lists (.plists) to specify the attributes, or properties, of an application or process. One option is to use the “defaults” command to view the property list key settings for the Apple Remote Desktop administrative application.

Apple Remote Desktop Admin Property List Path
The Apple Remote Desktop administrative application property list file is located here:

~/Library/Containers/com.apple.RemoteDesktop/Data/Library/Preferences/com.apple.RemoteDesktop.plist

Property List Primary Items
With property lists, an individual preference or configuration consists of three primary items.

(1) Name – The property key, which uniquely identifies the setting.

<key>[PROPERTY KEY NAME]</key>

(2) Value – The content of the named property key.

<type>[VALUE]</type>

(3) Type – The type of the value, which defines how it is interpreted.

Array = <array>
Boolean = <true/> or <false/>
Data = <data>
Date = <date>
Dictionary = <dict>
Integer Number = <integer>
Real Number = <real>
String = <string>

This post will primarily focus on the “boolean” key type and value, which can be defined as “true” or “false”, and “1” or “0”.

Note, “0”  is interpreted as “false” and “1” or any other number is interpreted as “true”.

Encrypt network data when using Copy Items
Apple Remote Desktop Admin – Encrypt Network Data when Using Copy Items – defaults command
So, in the below example, the “Encrypt Network Data when Using Copy Items” option in Apple Remote Desktop is “1” or “true” or enabled.

defaults read com.apple.RemoteDesktop encryptCopy
1

Another option to view settings from property list files is JavaScript for Automation (JXA).

It was introduced in Mac OS X Yosemite and is a JavaScript interface for the automation architecture on which AppleScript is also built. It makes almost all functionality that is accessible through AppleScript also available to JavaScript. If you already know how to write JavaScript, or AppleScript’s unusual syntax scares you off, JavaScript for Automation (JXA) might be an option for you.

An additional benefit of using “JavaScript for Automation (JXA)” vs “defaults” is that it will properly show you the managed setting applied when using configuration profiles on managed systems, whereas “defaults” will “lie” and only show you the setting stored in the property list file and not the applied managed setting.

With many MacAdmins using and implementing shell/bash scripts, you can include JavaScript for Automation (JXA) using the “osascript” command to allow you to execute AppleScript and other OSA language scripts.

For example…

Apple Remote Desktop Admin – Encrypt Network Data when Using Copy Items – JavaScript for Automation (JXA)

#!/bin/bash

/usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.RemoteDesktop')
   .objectForKey('encryptCopy').js
EOS

exit $?

 

And running this script on a Mac system with the “Encrypt Network Data when Using Copy Items” option enabled will output “true”.

/path/to/check_ard_encryptcopy_enabled.sh
true

Using a script like this to verify the state of your managed settings is beneficial for providing metrics across your fleet of Macs. Using Jamf Pro, you have multiple methods to implement this type of script or monitoring, like Extension Attributes, Dashboards, etc., or it could be integrated with a higher-end analysis tool like Splunk, Elastic Stack (ELK), etc.


Encrypt network data when using Install Packages
Apple Remote Desktop Admin – Encrypt Network Data when Using Install Packages – defaults command

In the below example, the “Encrypt Network Data when Using Install Packages” option in Apple Remote Desktop is “1” or “true” or enabled.

defaults read com.apple.RemoteDesktop encryptInstall
1


Apple Remote Desktop Admin – Encrypt Network Data when Using Install Packages – JXA Script

Or, similar to the previous example, use a JavaScript for Automation (JXA) script to output the “Encrypt Network Data when Using Install Packages” option preference.

#!/bin/bash

/usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.RemoteDesktop')
   .objectForKey('encryptInstall').js
EOS

exit $?

 

Encrypt all network data (more secure)


In the below example, the “Encrypt Network Data” option in Apple Remote Desktop is “1” or “true” or enabled.

defaults read com.apple.RemoteDesktop useEncryptedTunnel
1


Apple Remote Desktop Admin – Encrypt Network Data – JXA Script

Or, similar to the previous examples, use a JavaScript for Automation (JXA) script to output the “Encrypt Network Data” option preference.

#!/bin/bash

/usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.RemoteDesktop')
   .objectForKey('useEncryptedTunnel').js
EOS

exit $?

 

Notable Property List Keys

The following Apple Remote Desktop administrator application key is notable: disabling the “Allow communication with older computers (less secure)” option improves security, but if you are supporting old macOS operating systems, this might prevent access and break Apple Remote Desktop features.

It appears that enabling this option allows weaker and less secure Diffie-Hellman connections. It doesn’t modify the default Apple Remote Desktop administrative property list; instead, it modifies the client Remote Management property list, which is located here:

Apple Remote Desktop Client (aka Remote Management) Property List Path
/Library/Preferences/com.apple.RemoteManagement.plist

Enabling the option sets the key “allowInsecureDH” to the value “true”, for example:

Apple Remote Desktop Client (aka Remote Management) Property List Example with Allow Connections to Older Computers Enabled
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowInsecureDH</key>
    <true/>
</dict>
</plist>

Note – if your organization requires this option to be disabled, it will most likely break access to macOS clients bound to LDAP or running version 10.11 or earlier.

Apple Remote Desktop Client (aka Remote Management) Property List Example with Allow Connections to Older Computers Disabled

For example, disabling this option sets the key “allowInsecureDH” to the value “false”:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowInsecureDH</key>
    <false/>
</dict>
</plist>

 

Encrypt Network Data in Remote Desktop

Apple documents the encryption of network data with Apple Remote Desktop and macOS dependencies.

See Apple’s “Encrypt network data in Remote Desktop” article for details.

Configuration Profile

Configuration profiles provide and manage pre-defined settings for users and computers on macOS. Overall, applications need to support the standard macOS preferences model, rather than doing their own individual configuration, for configuration profiles to be effective. Not all OS-level configuration a MacAdmin might want to manage is available through profiles, but you can use a configuration profile to manage these Apple Remote Desktop administrator or client settings across your fleet of Mac systems with a Mobile Device Management (MDM) solution like Jamf Pro.

Apple Remote Desktop Admin Encryption Options Enabled – Property List Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>encryptCopy</key>
    <true/>
    <key>encryptInstall</key>
    <true/>
    <key>useEncryptedTunnel</key>
    <true/>
</dict>
</plist>

Note – these settings use the preference domain, “com.apple.RemoteDesktop”.

 

Apple Remote Desktop Admin Encryption Options Enabled – Configuration Profile Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
  <dict>
    <key>PayloadUUID</key>
    <string>85E2BCA3-5BD7-4D3E-A893-C09109CE6910</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>University of Utah, Marriott Library ITS</string>
    <key>PayloadIdentifier</key>
    <string>85E2BCA3-5BD7-4D3E-A893-C09109CE6910</string>
    <key>PayloadDisplayName</key>
    <string>Apple Remote Desktop Administrator - Require Encryption</string>
    <key>PayloadDescription</key>
    <string>This configuration profile enables encryption options in "Apple Remote Desktop" administrative software. This includes options, Encrypt network data when using Copy Items (encryptCopy), Encrypt network data when using Install Packages (encryptInstall) and Encrypt all network data (useEncryptedTunnel).</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadDisplayName</key>
        <string>Custom Settings</string>
        <key>PayloadIdentifier</key>
        <string>BE1DED2A-7FEE-49F9-981C-120FE8237B72</string>
        <key>PayloadOrganization</key>
        <string>JAMF Software</string>
        <key>PayloadType</key>
        <string>com.apple.ManagedClient.preferences</string>
        <key>PayloadUUID</key>
        <string>BE1DED2A-7FEE-49F9-981C-120FE8237B72</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadContent</key>
        <dict>
          <key>com.apple.RemoteDesktop</key>
          <dict>
            <key>Forced</key>
            <array>
              <dict>
                <key>mcx_preference_settings</key>
                <dict>
                  <key>encryptCopy</key>
                  <true/>
                  <key>encryptInstall</key>
                  <true/>
                  <key>useEncryptedTunnel</key>
                  <true/>
                </dict>
              </dict>
            </array>
          </dict>
        </dict>
      </dict>
    </array>
  </dict>
</plist>

 

Legacy VNC Security

Allowing a non-Apple VNC viewer access to a Remote Desktop client is less secure than using Apple Remote Desktop to control the client. Third-party VNC viewers might not encrypt keystrokes sent over the network, so sensitive information may be intercepted. Granting VNC access to control a screen provides nearly unrestricted access.

If you use Remote Desktop to control a computer running non-Apple VNC software, nothing is encrypted.

In some other environments, MacAdmins might use a non-Mac VNC viewer or want a simple (and insecure) password that is easy to type and/or remember.

But these choices will put your environment in a less secure situation and are strongly NOT recommended.

Manual Verification & Disable
Disable Access for 3rd Party VNC Software

For security, verify that this option is NOT enabled; disabling it is recommended to maximize security.

macOS 12.x or earlier…

You can manually disable the ability for 3rd party VNC viewers to control Mac screens with a password.

  1. Apple menu > System Preferences, then click Sharing. If prompted, enter the administrative username and password.
  2. Select Remote Management in the list at the left, then click Computer Settings.
  3. Select “VNC viewers may control screen with password,” enter a VNC password, then click OK.

macOS 13.x or later…

You can manually disable the ability for 3rd party VNC viewers to control Mac screens with a password.

  1. Apple menu > System Settings, then click General, then click “Sharing”. If prompted, enter the administrative username and password.
  2. Select Remote Management in the list at the left, then click Computer Settings.
  3. Select “VNC viewers may control screen with password,” enter a VNC password, then click OK.

Verify – VNC Legacy Connections Setting

You can use the following shell script with JXA code to verify whether the “VNC Legacy Connections” setting is enabled for the Apple Remote Desktop client (Remote Management):

#!/bin/bash

/usr/bin/osascript -l JavaScript << EOS
    $.NSUserDefaults.alloc.initWithSuiteName('com.apple.RemoteManagement')
    .objectForKey('VNCLegacyConnectionsEnabled').js
EOS

exit $?

 

The macOS Security Compliance Project

This script and other macOS security compliance information came from the macOS Security Compliance Project, an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).

The specific JXA code was inside a YAML file, here.

For example, the “check:” section is where the “JavaScript for Automation” script is available. Note that the extra backslash to escape the line break is not necessary; it is added for the readability of the PDF & HTML documents the project creates, and is not needed when you add the code inside a shell script.

The “mobileconfig_info:” section has the preference domain (com.apple.RemoteManagement), key (VNCLegacyConnectionsEnabled) and value (false).

id: system_settings_vnc_legacy_connection_disable
title: "Disable Legacy VNC Connection"
discussion: |
  If Remote Management with screen sharing is used it _MUST_ be configured to disable legacy VNC connections.
check: |
  /usr/bin/osascript -l JavaScript << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.RemoteManagement')\
  .objectForKey('VNCLegacyConnectionsEnabled').js
  EOS
result:
  string: "false"
fix: |
  This is implemented by a Configuration Profile.
references:
  cce:
    - N/A
  cci:
    - N/A
  800-171r2:
    - 3.5.1
    - 3.5.2
  800-53r5:
    - AC-2(9)
    - AC-2
  srg:
    - N/A
  disa_stig:
    - N/A
  cis:
    benchmark:
      - N/A
    controls v8:
      - N/A
  hipaa:
    - 164.312(a)(1)
    - 164.312(a)(2)(i)     
macOS:
  - "13.0"
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-171
  - cnssi-1253
  - hipaa
mobileconfig: true
mobileconfig_info:
  com.apple.RemoteManagement:
    VNCLegacyConnectionsEnabled: false


Enabling VNC Legacy Connections & Password

FYI, if you wanted to go down an insecure path and enable VNC Legacy Connections, a hash file of the password is created here on the macOS client:

/Library/Preferences/com.apple.VNCSettings.txt

The GUI appears to limit the password to 6 characters, but you could write a script to increase the number of characters to provide more security to an insecure implementation.

Also, as noted previously another issue with VNC is if a password is sent exceeding 8 characters, the excess characters are removed and the truncated string is compared to the password.

Or using the “kickstart” command & following arguments:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "insecure"

 

VNC Password Security?
If you set a VNC password on your Mac clients, the “com.apple.VNCSettings.txt” file that stores the hash can be decrypted using the following command:

cat /Library/Preferences/com.apple.VNCSettings.txt | perl -wne 'BEGIN { @k = unpack "C*", pack "H*", "1734516E8BA8C5E2FF1C39567390ADCA"}; chomp; @p = unpack "C*", pack "H*", $_; foreach (@k) { printf "%c", $_ ^ (shift @p || 0) }; print "\n"'
urpwned

This is especially a concern in environments where end-users are given administrative permissions or if you have a script or process that sets the permissions incorrectly:

ls -al /Library/Preferences/com.apple.VNCSettings.txt
-r--------  1 root  wheel  32 Dec 20 16:20 /Library/Preferences/com.apple.VNCSettings.txt

Note, you can manage this setting, preventing it from accidentally or purposefully being enabled on your Mac systems by using a configuration profile and distributing it using an MDM solution like Jamf Pro, etc.

Remote Management – Disable VNC Legacy Connections – Property List Example

Create a property list that matches the format of the original application property list, with only the keys/values you want to manage:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>VNCLegacyConnectionsEnabled</key>
    <false/>
</dict>
</plist>

Note – it uses the preference domain, “com.apple.RemoteManagement”.

Remote Management – Disable VNC Legacy Connections – Configuration Profile Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
  <dict>
    <key>PayloadUUID</key>
    <string>0A21F757-7E8E-425C-A9D3-5D5FD88CB87D</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>University of Utah, Marriott Library ITS</string>
    <key>PayloadIdentifier</key>
    <string>0A21F757-7E8E-425C-A9D3-5D5FD88CB87D</string>
    <key>PayloadDisplayName</key>
    <string>Remote Management - Disable VNC Legacy Connections</string>
    <key>PayloadDescription</key>
    <string>This configuration profile sets the Remote Management key "VNCLegacyConnectionsEnabled" to disabled or false. Enabling this option is a security risk.</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadDisplayName</key>
        <string>Custom Settings</string>
        <key>PayloadIdentifier</key>
        <string>6FAED567-493A-415F-B555-933C8C9F7B14</string>
        <key>PayloadOrganization</key>
        <string>JAMF Software</string>
        <key>PayloadType</key>
        <string>com.apple.ManagedClient.preferences</string>
        <key>PayloadUUID</key>
        <string>6FAED567-493A-415F-B555-933C8C9F7B14</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadContent</key>
        <dict>
          <key>com.apple.RemoteManagement</key>
          <dict>
            <key>Forced</key>
            <array>
              <dict>
                <key>mcx_preference_settings</key>
                <dict>
                  <key>VNCLegacyConnectionsEnabled</key>
                  <false/>
                </dict>
              </dict>
            </array>
          </dict>
        </dict>
      </dict>
    </array>
  </dict>
</plist>

After the configuration profile is distributed to your Mac systems, users will not be able to modify the “VNC Legacy Connections Enabled” option in the “Remote Management” settings.

Note, the UI seems to allow the user to enable the “VNC Legacy Connections Enabled” option in the “Remote Management” settings, but if you quit & reload “System Preferences” or “System Settings”, the “effective” or “authoritative” setting is enforced and the UI shows it is disabled.
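
The checks from this post combined into one audit script, as an added example that is not code from the original post or from the macOS Security Compliance Project. The function names, the policy table, the constructed sample values used when osascript is unavailable, and the choice to treat an unset key as a finding are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original post): audit the keys discussed above.
# Policy rows are domain|key|expected, using the values shown in the page's plists.
ARD_POLICY='com.apple.RemoteDesktop|encryptCopy|true
com.apple.RemoteDesktop|encryptInstall|true
com.apple.RemoteDesktop|useEncryptedTunnel|true
com.apple.RemoteManagement|allowInsecureDH|false
com.apple.RemoteManagement|VNCLegacyConnectionsEnabled|false'

# Read the effective (profile-aware) value with JXA, the same call the page uses.
ard_read_pref() {   # $1=domain  $2=key
    /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
    $.NSUserDefaults.alloc.initWithSuiteName('$1').objectForKey('$2').js
EOS
}

# Normalise a raw value: 0 is false, 1 or any other number is true, empty is unset.
ard_normalize() {
    case "$1" in
        true|YES)     echo true ;;
        false|NO|0)   echo false ;;
        ''|*[!0-9]*)  echo unset ;;
        *)            echo true ;;
    esac
}

# Assumption: an unset key is a finding, because nothing enforces the setting.
ard_evaluate() {   # $1=expected  $2=raw observed value
    actual=$(ard_normalize "$2")
    if [ "$actual" = "$1" ]; then echo PASS; else echo "FAIL($actual)"; fi
}

# Classify the legacy VNC password file as absent, restricted or exposed.
vnc_pwfile_status() {   # $1=path  $2=expected owner uid (default 0, root)
    [ -e "$1" ] || { echo absent; return 0; }
    listing=$(ls -ldn "$1")
    mode=$(echo "$listing" | cut -c1-10)
    owner=$(echo "$listing" | awk '{print $3}')
    case "$mode" in
        -[-r][-w][-x]------)
            if [ "$owner" = "${2:-0}" ]; then echo restricted; return 0; fi ;;
    esac
    echo exposed
}

# Print one line per check and a final findings count.
ard_audit() {   # $1=reader function  $2=password file path  $3=owner uid
    findings=0
    while IFS='|' read -r domain key expected; do
        verdict=$(ard_evaluate "$expected" "$("$1" "$domain" "$key")")
        [ "$verdict" = PASS ] || findings=$((findings + 1))
        echo "$domain $key expected=$expected $verdict"
    done << EOF
$ARD_POLICY
EOF
    pwfile=$(vnc_pwfile_status "$2" "${3:-0}")
    [ "$pwfile" != exposed ] || findings=$((findings + 1))
    echo "vnc_password_file $pwfile"
    echo "findings=$findings"
}

# Constructed sample values for hosts without osascript (not taken from a real Mac).
sample_reader() {   # $1=domain  $2=key
    case "$2" in
        encryptCopy)                 echo 1 ;;
        encryptInstall)              echo true ;;
        useEncryptedTunnel)          ;;
        allowInsecureDH)             echo false ;;
        VNCLegacyConnectionsEnabled) echo true ;;
    esac
}

if command -v osascript >/dev/null 2>&1; then
    ard_audit ard_read_pref /Library/Preferences/com.apple.VNCSettings.txt
else
    ard_audit sample_reader /nonexistent/com.apple.VNCSettings.txt
fi
```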

Apple Documentation – Virtual Network Computing access and control with Remote Desktop

Here is Apple documentation covering security & 3rd party Virtual Network Computing (VNC) software:

 

Screen Sharing

It appears that the Apple Remote Desktop administrator & client and Screen Sharing depend on the “screensharingd” binary for remote support, so the client security tips outlined here could help with securing macOS Screen Sharing, but this was NOT thoroughly investigated or researched for this post.

Summary


In summary, Apple Remote Desktop is a useful & beneficial tool for a MacAdmin to have in their tool-belt for ad-hoc or quick installations, configuration changes, or support. Enable firewalls to restrict remote access services (VNC, RDP, etc.) to only authorized organization networks to limit overexposure to risks from outside networks. To limit unnecessary security risks, disable legacy VNC usage and prefer Mac-to-Mac solutions like the Apple Remote Desktop administrator and client over non-Mac VNC viewer solutions. And depending on the required level of security compliance of your organization, implementing encryption for network data and disabling Diffie-Hellman connections should be considered, but could impact performance and support for older macOS versions.
