Remote Management vs. Screensharing vs. VNC on OS X
September 17, 2008 6:53 AM Subscribe
In OS X Leopard, what is the difference between enabling the Screen Sharing and Remote Management options in Sharing Preferences? Assuming I can figure out firewall/port issues, will enabling Remote Management on my work Mac enable me to establish a VNC connection using a generic VNC client like Chicken of the VNC or do I have to use Remote Desktop? What authorization is required? Can I set it up so it requires my usual Mac username and password rather than some other password? Do I have other options if I want people using Linux and Windows to remotely manage their Macs at work when they are not logged in at the terminal?
>do I have to use Remote Desktop?
I dont have a mac near me today, but I'm pretty sure the remote desktop client for OS X is for connecting to windows terminal services not to VNC servers.
posted by damn dirty ape at 7:15 AM on September 17, 2008
I dont have a mac near me today, but I'm pretty sure the remote desktop client for OS X is for connecting to windows terminal services not to VNC servers.
posted by damn dirty ape at 7:15 AM on September 17, 2008
I've used Vine VNC server for Mac and it worked beautifully... probably the best VNC server I've used. You DO have to use a VNC password but you could always make it the same as the account pass. VNC works well for my computer company. I use it to connnect to my Linux, Vista, and Mac desktops. I like RDP/TS better but you can't beat (ostensibly) universal access for that price!
As for the difference between the two, I assume Screen Sharing is just being able to watch a person at their computer, while Remote Management is actually being able to take over the computer like Terminal Services/VNC.
posted by dozo at 7:16 AM on September 17, 2008
As for the difference between the two, I assume Screen Sharing is just being able to watch a person at their computer, while Remote Management is actually being able to take over the computer like Terminal Services/VNC.
posted by dozo at 7:16 AM on September 17, 2008
Response by poster: damn dirty ape: where is the VNC implementation on OS X? Is that the Remote Management thing I mention? What VNC server should I use then, if not the default? (Remote Desktop Client is apparently geared toward connecting to Macs, by the way.)
posted by caek at 7:25 AM on September 17, 2008
posted by caek at 7:25 AM on September 17, 2008
Response by poster: dozo: interesting. So once you've offered the VNC password are you presented with the normal OS X login screen or are you dropped straight into OS X for some default user?
posted by caek at 7:27 AM on September 17, 2008
posted by caek at 7:27 AM on September 17, 2008
Its called screen sharing is OS X Leopard. See here.
posted by damn dirty ape at 7:27 AM on September 17, 2008
posted by damn dirty ape at 7:27 AM on September 17, 2008
Once the VNC session is started you will just get whatever is on the screen at the time. So if youre logged in you'll get your desktop if not you'll get your login screen.
posted by damn dirty ape at 7:28 AM on September 17, 2008
posted by damn dirty ape at 7:28 AM on September 17, 2008
ARD is a more advanced (and not free) tool mainly used in corporate environments. You don't need to bother with it as a home user.
If you're on the same subnet, really the best tool is to click on the computer in the Finder and then click the "Share Screen" button. Super easy.
posted by mkultra at 7:29 AM on September 17, 2008
If you're on the same subnet, really the best tool is to click on the computer in the Finder and then click the "Share Screen" button. Super easy.
posted by mkultra at 7:29 AM on September 17, 2008
Response by poster: mkultra: I'm not on the same subnet. This is for a corporate environment. I want to provide my users with a way to log into their Macs when not at work.
posted by caek at 7:31 AM on September 17, 2008
posted by caek at 7:31 AM on September 17, 2008
Good luck with that. VNC is such bandwidth hog and such an old protocol I can barely get it to work over the internet at anything over 256 colors. Youre not using Photoshop or Illustrator like that. You'll be lucky to use Entourage. Its also not secure in the least. Everything is unencrypted and the 8 character password hash at login has supposedly been cracked several times over.
If you decide to test this out then you'll really need to go through an ssh tunnel or via a VPN client.
posted by damn dirty ape at 7:40 AM on September 17, 2008
If you decide to test this out then you'll really need to go through an ssh tunnel or via a VPN client.
posted by damn dirty ape at 7:40 AM on September 17, 2008
In Mac OS X Leopard, "Screen Sharing" is plain ole VNC. Enabling "Remote Management" means you're allowing a network admin to control your computer with Apple Remote Desktop. ARD includes VNC/screen sharing functionality, but also a whole hell of a lot more. Like allowing remote execution of UNIX commands on your computer, or remote push of Installer packages and... the list goes on.
If you're into Venn diagrams, ARD/Remote Management is the bigger circle, while VNC/screen sharing is a smaller circle inside it.
The thing I can't explain is wtf Apple named that line in the Sharing pref pane "Remote Management" instead of "Apple Remote Desktop". Sheesh.
posted by browse at 7:42 AM on September 17, 2008
If you're into Venn diagrams, ARD/Remote Management is the bigger circle, while VNC/screen sharing is a smaller circle inside it.
The thing I can't explain is wtf Apple named that line in the Sharing pref pane "Remote Management" instead of "Apple Remote Desktop". Sheesh.
posted by browse at 7:42 AM on September 17, 2008
Response by poster: Yes, I know about the speed and security issues, which is why I asked if there were alternatives and whether vanilla VNC was indeed all these two System Preferences are doing.
But if it comes to VNC, our users don't use graphics-intensive applications, are away from work at other academic institutions with very fast networks, and are sophisticated enough to set up the necessary SSH tunnel. I'm not interested in the VNC password, which is clearly worse than useless. That's why I asked if it's possible to set it up using the OS's own credentials.
posted by caek at 7:48 AM on September 17, 2008
But if it comes to VNC, our users don't use graphics-intensive applications, are away from work at other academic institutions with very fast networks, and are sophisticated enough to set up the necessary SSH tunnel. I'm not interested in the VNC password, which is clearly worse than useless. That's why I asked if it's possible to set it up using the OS's own credentials.
posted by caek at 7:48 AM on September 17, 2008
Response by poster: Previous post to DDA, by the way.
Thanks, browse: So ARD is the pay-for client? Does the client need to be on the same subnet? Is it suitable at all for end-users who just want access to their machines while they're away from the office?
posted by caek at 7:50 AM on September 17, 2008
Thanks, browse: So ARD is the pay-for client? Does the client need to be on the same subnet? Is it suitable at all for end-users who just want access to their machines while they're away from the office?
posted by caek at 7:50 AM on September 17, 2008
mkultra: I'm not on the same subnet. This is for a corporate environment. I want to provide my users with a way to log into their Macs when not at work.
You want to do this for a bunch of users? VPN.
VNC is not secure the way Apple provides it. I'm not even sure I'd consider any VNC implementation that's open to the internet secure. If what your users need access to internally is nothing more than files, email, and intranet, a VPN will give you what you need on its own, but it's an excellent layer to put above (under?) VNC.
posted by mkultra at 7:53 AM on September 17, 2008
You want to do this for a bunch of users? VPN.
VNC is not secure the way Apple provides it. I'm not even sure I'd consider any VNC implementation that's open to the internet secure. If what your users need access to internally is nothing more than files, email, and intranet, a VPN will give you what you need on its own, but it's an excellent layer to put above (under?) VNC.
posted by mkultra at 7:53 AM on September 17, 2008
caek asked "ARD is the pay-for client?"
In the US, Apple has two price points: $299 gives you a license for controlling ten computers, $499 allows you to administer unlimited computers.
"Does the client need to be on the same subnet?"
No, the clients don't all have to be on the same subnet, but ARD doesn't have any magical ability to deal with firewalls, changing IP addy due to DHCP or NATs.
"Is it suitable at all for end-users who just want access to their machines while they're away from the office?"
ARD can be used for that, but it's a pricey solution and see the above comments about NAT/DHCP. I'd use Leopard's Screen Sharing, either in iChat or the stand alone app. The Back to my Mac feature attempts to solve NAT/DHCP issues, though it is often unsuccessful.
posted by browse at 8:08 AM on September 17, 2008
In the US, Apple has two price points: $299 gives you a license for controlling ten computers, $499 allows you to administer unlimited computers.
"Does the client need to be on the same subnet?"
No, the clients don't all have to be on the same subnet, but ARD doesn't have any magical ability to deal with firewalls, changing IP addy due to DHCP or NATs.
"Is it suitable at all for end-users who just want access to their machines while they're away from the office?"
ARD can be used for that, but it's a pricey solution and see the above comments about NAT/DHCP. I'd use Leopard's Screen Sharing, either in iChat or the stand alone app. The Back to my Mac feature attempts to solve NAT/DHCP issues, though it is often unsuccessful.
posted by browse at 8:08 AM on September 17, 2008
Oh yeah, here's a link to Apple's page about ARD: linky
posted by browse at 8:12 AM on September 17, 2008
posted by browse at 8:12 AM on September 17, 2008
Response by poster: Thanks browse, that's really useful. This is an academic/Unixy environment, so I'm fine with asking users to set up SSH tunnels and then use their screen sharing client (whatever that may be) to connect to some port > 1024 on localhost and I'm not at all concerned about NAT/DHCP/firewall issues. In fact that's the way I'd prefer to do it!
My ideal scenario is:
1. user establishes SSH connection to our gateway SSH server which sets up a tunnel to the machine on their desk;
2. user connects to localhost on some port using screen sharing software, which is forwarded to the Mac on their desk by the gateway;
3. user is presented with the same OS X login screen that they see when they sit at their desk on a Monday morning.
Ideally, I need a way of doing this from Windows and Linux too! Am I asking the impossible?
posted by caek at 8:18 AM on September 17, 2008
My ideal scenario is:
1. user establishes SSH connection to our gateway SSH server which sets up a tunnel to the machine on their desk;
2. user connects to localhost on some port using screen sharing software, which is forwarded to the Mac on their desk by the gateway;
3. user is presented with the same OS X login screen that they see when they sit at their desk on a Monday morning.
Ideally, I need a way of doing this from Windows and Linux too! Am I asking the impossible?
posted by caek at 8:18 AM on September 17, 2008
As far as #3 goes, you're requiring a password to wake from sleep, right? Right?
So, if your guys tunnel in and then use ScreenSharing (or a straight up VNC client, as long as they know their IP address), the first thing they'll see is a password prompt.
posted by mkultra at 8:27 AM on September 17, 2008
So, if your guys tunnel in and then use ScreenSharing (or a straight up VNC client, as long as they know their IP address), the first thing they'll see is a password prompt.
posted by mkultra at 8:27 AM on September 17, 2008
Apple wants to charge you for remote desktop. Boo!
LogMeIn offers FREE remote desktop for Mac & Windows. You don't have to deal with port forwarding, changing IP addresses, etc. and your PC is accessed through a website.
When you create an account and log in, just "Add computer" when you're on the Mac and it will tie the computer to your account with a name of your choosing. It will also allow you to set a password to access the machine if there is not an existing account password.
More details
posted by ijoyner at 9:47 AM on September 17, 2008
LogMeIn offers FREE remote desktop for Mac & Windows. You don't have to deal with port forwarding, changing IP addresses, etc. and your PC is accessed through a website.
When you create an account and log in, just "Add computer" when you're on the Mac and it will tie the computer to your account with a name of your choosing. It will also allow you to set a password to access the machine if there is not an existing account password.
More details
posted by ijoyner at 9:47 AM on September 17, 2008
If you want to give people access to their machines from home, I highly recommend using Vine Server rather than the built-in screen sharing. Vine Server supports JPEG compression and if you crank the image quality down, it is reasonably usable over a DSL or cable connection. Still sluggish and awkward, but usable.
posted by kindall at 10:10 AM on September 17, 2008
posted by kindall at 10:10 AM on September 17, 2008
Do not use the VNC protocol without tunnelling it over something secure! I suggest tunneling over SSH.
I have a Mac desktop that I access through VNC. Here's how I do it:
I run Vine Server on my desktop. I have it set to "Only allow local connections (require SSH)", and I have it run as a System Server so that it runs on boot.
In System Preferences in Sharing, turn on "Remote Login", which is SSH. If you're behind a NAT router, you may have to set the router to forward Port 22 to the computer you're trying to access.
Additionally, if you have a dynamic IP, you may want to use a service like DynDNS, which'll give you some domain name (let's call mine asymptote.dyndns.org for the purposes of illustration) and a client to install on your computer so that your computer tells the service when your IP address changes.
On my laptop, I issue the following command in Terminal:
When prompted for my password, I use the password associated with the "myusername" account on my desktop. (And no, there's no way I can ever remember that command, I have a text file that I copy-paste it from).
Then, on my laptop, I use Chicken of the VNC to connect to
If you want, you can set a password in Vine Server that you have to type into Chicken of the VNC, but this is completely different than your account password.
I actually get quite good performance (it's not quite as good as sitting at the desktop, but it's not horrible like everyone else has been complaining about). This is with both the desktop and laptop connected to the internet through consumer cable service (and not actually the same ISP, either).
In case you're wondering what's going on with that SSH command, what it's doing is making everything sent to my laptop's port 5959 go to my desktop's port 5900. The tunnel connecting the two is encrypted, and also has compression applied.
If you're a visual person, you might find Mark Pilgrim's HOWTO Use Your Mac From Anywhere helpful. It accomplishes basically the same thing in a slightly different way, but everything's illustrated with video.
Enjoy!
posted by Asymptote at 10:01 PM on September 17, 2008
I have a Mac desktop that I access through VNC. Here's how I do it:
I run Vine Server on my desktop. I have it set to "Only allow local connections (require SSH)", and I have it run as a System Server so that it runs on boot.
In System Preferences in Sharing, turn on "Remote Login", which is SSH. If you're behind a NAT router, you may have to set the router to forward Port 22 to the computer you're trying to access.
Additionally, if you have a dynamic IP, you may want to use a service like DynDNS, which'll give you some domain name (let's call mine asymptote.dyndns.org for the purposes of illustration) and a client to install on your computer so that your computer tells the service when your IP address changes.
On my laptop, I issue the following command in Terminal:
ssh -C -L5959:localhost:5900 myusername@asymptote.dyndns.orgWhen prompted for my password, I use the password associated with the "myusername" account on my desktop. (And no, there's no way I can ever remember that command, I have a text file that I copy-paste it from).
Then, on my laptop, I use Chicken of the VNC to connect to
localhost:5959If you want, you can set a password in Vine Server that you have to type into Chicken of the VNC, but this is completely different than your account password.
I actually get quite good performance (it's not quite as good as sitting at the desktop, but it's not horrible like everyone else has been complaining about). This is with both the desktop and laptop connected to the internet through consumer cable service (and not actually the same ISP, either).
In case you're wondering what's going on with that SSH command, what it's doing is making everything sent to my laptop's port 5959 go to my desktop's port 5900. The tunnel connecting the two is encrypted, and also has compression applied.
If you're a visual person, you might find Mark Pilgrim's HOWTO Use Your Mac From Anywhere helpful. It accomplishes basically the same thing in a slightly different way, but everything's illustrated with video.
Enjoy!
posted by Asymptote at 10:01 PM on September 17, 2008
Oh, and Mark Pilgrim's HOWTO explains how you would go about connecting if the remote machine is running Windows.
posted by Asymptote at 10:05 PM on September 17, 2008
posted by Asymptote at 10:05 PM on September 17, 2008
Oh, and the Linux instructions for the remote machine would be basically identical to the ones I gave above, except replace Chicken of the VNC with your preferred Linux VNC client. SSH and VNC are platform-independent.
posted by Asymptote at 10:07 PM on September 17, 2008
posted by Asymptote at 10:07 PM on September 17, 2008
The only Mac VNC client worth using is Jolly's. I find Chicken of the VNC can lag user action by several minutes and disrecommend it.
posted by kindall at 1:56 PM on September 18, 2008
posted by kindall at 1:56 PM on September 18, 2008
This thread is closed to new comments.
I would install chicken of the vnc on there and not use the default vnc server.
posted by damn dirty ape at 7:07 AM on September 17, 2008