{"id":77318,"date":"2026-07-03T05:35:33","date_gmt":"2026-07-03T05:35:33","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=77318"},"modified":"2026-07-03T05:44:21","modified_gmt":"2026-07-03T05:44:21","slug":"macos-screen-sharing-remote-management-troubleshooting-guide","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/macos-screen-sharing-remote-management-troubleshooting-guide\/","title":{"rendered":"macOS Screen Sharing \/ Remote Management Troubleshooting Guide"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Purpose<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This guide explains how to troubleshoot macOS Screen Sharing or Remote Management connection issues when connecting from one Mac to another using:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">vnc:\/\/<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Typical symptoms include:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Connection failed\nConnection refused\nUsername\/password popup appears but login fails\nScreen Sharing opens but disconnects\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">1. Identify target details<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Replace these placeholders with your own values:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\"><span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>        = IP address of the remote Mac\n<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_USER<\/span>&gt;<\/span>      = username on the remote Mac\n<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_HOSTNAME<\/span>&gt;<\/span>  = hostname of the remote Mac\n<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">CLIENT_IP<\/span>&gt;<\/span>        = IP address of your local Mac\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example format:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">Remote Mac IP: <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>\nRemote user: <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_USER<\/span>&gt;<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">2. Check network reachability<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">From the client Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">ping -c 4 <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Expected result:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\">0<span class=\"hljs-selector-class\">.0<\/span>% <span class=\"hljs-selector-tag\">packet<\/span> <span class=\"hljs-selector-tag\">loss<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If ping fails, check:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Remote Mac is powered on\nRemote Mac is not sleeping\nBoth Macs are on reachable networks\nVPN\/routing is correct\nIP address has not changed\nFirewall is not blocking ICMP\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">3. Check Screen Sharing port<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">macOS Screen Sharing \/ VNC uses TCP port <code>5900<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From the client Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">nc -vz <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span> 5900\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Result interpretation<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Result<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td><code>succeeded<\/code><\/td><td>Screen Sharing \/ Remote Management is listening<\/td><\/tr><tr><td><code>Connection refused<\/code><\/td><td>Remote Mac is reachable, but Screen Sharing is not enabled\/listening<\/td><\/tr><tr><td><code>timed out<\/code><\/td><td>Firewall, routing, VPN, or network ACL may be blocking traffic<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If port <code>5900<\/code> is refused, continue with the next steps.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">4. Check SSH access<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">If SSH is enabled:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">ssh <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_USER<\/span>&gt;<\/span>@<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If SSH works, you can troubleshoot the remote Mac without physical access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If SSH does not work, enable <strong>Remote Login<\/strong> locally on the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">System Settings \u2192 General \u2192 Sharing \u2192 Remote Login\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">5. Enable Remote Management from terminal<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac over SSH:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-8\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">REMOTE_USER=<span class=\"hljs-string\">\"&lt;REMOTE_USER&gt;\"<\/span>\n\nsudo \/System\/Library\/CoreServices\/RemoteManagement\/ARDAgent.app\/Contents\/Resources\/kickstart \\\n-activate \\\n-configure \\\n-access -on \\\n-users <span class=\"hljs-string\">\"$REMOTE_USER\"<\/span> \\\n-privs -all \\\n-restart -agent \\\n-menu\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-8\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Expected output may include:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Activated Remote Management.\nSet user remote control privileges.\nSet user remote access.\nDone.\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">6. Confirm port 5900 is listening<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-9\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">sudo<\/span> <span class=\"hljs-selector-tag\">lsof<\/span> <span class=\"hljs-selector-tag\">-nP<\/span> <span class=\"hljs-selector-tag\">-iTCP<\/span><span class=\"hljs-selector-pseudo\">:5900<\/span> <span class=\"hljs-selector-tag\">-sTCP<\/span><span class=\"hljs-selector-pseudo\">:LISTEN<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-9\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Expected output may show <code>launchd<\/code>, <code>screensharingd<\/code>, or <code>ARDAgent<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-10\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">COMMAND<\/span>   <span class=\"hljs-selector-tag\">PID<\/span>   <span class=\"hljs-selector-tag\">USER<\/span>   <span class=\"hljs-selector-tag\">NAME<\/span>\n<span class=\"hljs-selector-tag\">launchd<\/span>   1     <span class=\"hljs-selector-tag\">root<\/span>   <span class=\"hljs-selector-tag\">TCP<\/span> *<span class=\"hljs-selector-pseudo\">:5900<\/span> (<span class=\"hljs-selector-tag\">LISTEN<\/span>)\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-10\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">This is normal on macOS because <code>launchd<\/code> can listen first and start the actual service when a connection arrives.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">7. Connect from client Mac<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">From the client Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-11\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">open \"vnc:\/\/<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>\"\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-11\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Or force the username:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-12\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">open \"vnc:\/\/<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_USER<\/span>&gt;<\/span>@<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>\"\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-12\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">When prompted, use:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-13\" data-shcb-language-name=\"HTTP\" data-shcb-language-slug=\"http\"><span><code class=\"hljs language-http\"><span class=\"hljs-attribute\">Username<\/span>: &lt;REMOTE_USER&gt;\n<span class=\"hljs-attribute\">Password<\/span>: remote Mac user password\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-13\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTTP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">http<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Important: this is the password for the <strong>remote Mac user<\/strong>, not the local Mac user.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">8. Verify user permissions<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">whoami\ngroups\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Check whether the user is an admin:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-14\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">groups <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_USER<\/span>&gt;<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-14\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">The user should ideally be in:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-15\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">admin<\/span>\n<span class=\"hljs-selector-tag\">com<\/span><span class=\"hljs-selector-class\">.apple<\/span><span class=\"hljs-selector-class\">.access_screensharing<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-15\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Check Screen Sharing group membership:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">sudo dscl . -read \/Groups\/com.apple.access_screensharing GroupMembership\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Add the user if needed:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-16\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">sudo<\/span> <span class=\"hljs-selector-tag\">dseditgroup<\/span> <span class=\"hljs-selector-tag\">-o<\/span> <span class=\"hljs-selector-tag\">edit<\/span> <span class=\"hljs-selector-tag\">-a<\/span> &lt;<span class=\"hljs-selector-tag\">REMOTE_USER<\/span>&gt; <span class=\"hljs-selector-tag\">-t<\/span> <span class=\"hljs-selector-tag\">user<\/span> <span class=\"hljs-selector-tag\">com<\/span><span class=\"hljs-selector-class\">.apple<\/span><span class=\"hljs-selector-class\">.access_screensharing<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-16\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Restart the agent:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">sudo \/System\/Library\/CoreServices\/RemoteManagement\/ARDAgent.app\/Contents\/Resources\/kickstart -restart -agent\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">9. Check if the user account is valid for GUI access<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-17\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">dscl . -read \/Users\/<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_USER<\/span>&gt;<\/span> UserShell NFSHomeDirectory IsHidden AuthenticationAuthority\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-17\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Healthy examples:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-18\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">UserShell: <span class=\"hljs-regexp\">\/bin\/<\/span>zsh\n<span class=\"hljs-attr\">NFSHomeDirectory<\/span>: <span class=\"hljs-regexp\">\/Users\/<\/span><span class=\"xml\"><span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">REMOTE_USER<\/span>&gt;<\/span>\n<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-18\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If <code>IsHidden<\/code> returns:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">No such key: IsHidden\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">That is usually fine. It means the account is not explicitly hidden.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">10. Watch Screen Sharing logs<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac, run:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-19\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">sudo log stream --style compact --info --predicate <span class=\"hljs-string\">'process CONTAINS&#91;c] \"screensharing\" OR process CONTAINS&#91;c] \"ARDAgent\" OR process == \"loginwindow\" OR eventMessage CONTAINS&#91;c] \"VNC\" OR eventMessage CONTAINS&#91;c] \"authenticate\"'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-19\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Then try connecting again from the client Mac.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Look for messages like:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Authentication: FAILED\nbad authentication occurred\nvalid admin\nscreenCaptureFlag 0\nkTCCServiceScreenCapture\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">These help identify whether the issue is:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">wrong credentials\nmissing user permission\nprivacy\/TCC issue\nMDM restriction\nScreenCapture permission issue\nRemote Management policy issue\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">11. Test legacy VNC password<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">This is useful only as a temporary diagnostic test.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">sudo \/System\/Library\/CoreServices\/RemoteManagement\/ARDAgent.app\/Contents\/Resources\/kickstart \\\n-configure \\\n-clientopts \\\n-setvnclegacy -vnclegacy yes \\\n-setvncpw -vncpw Temp1234\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Then from the client Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-20\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">open \"vnc:\/\/<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">TARGET_IP<\/span>&gt;<\/span>\"\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-20\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Try:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-21\" data-shcb-language-name=\"HTTP\" data-shcb-language-slug=\"http\"><span><code class=\"hljs language-http\"><span class=\"hljs-attribute\">Username<\/span>: leave blank if possible\n<span class=\"hljs-attribute\">Password<\/span>: Temp1234\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-21\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTTP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">http<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If username is required:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-22\" data-shcb-language-name=\"HTTP\" data-shcb-language-slug=\"http\"><span><code class=\"hljs language-http\"><span class=\"hljs-attribute\">Username<\/span>: &lt;REMOTE_USER&gt;\n<span class=\"hljs-attribute\">Password<\/span>: Temp1234\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-22\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTTP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">http<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Result interpretation<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Result<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td>Legacy VNC works<\/td><td>Account-based Screen Sharing auth may be broken<\/td><\/tr><tr><td>Legacy VNC also fails<\/td><td>Likely MDM\/TCC\/ScreenCapture\/Remote Management policy issue<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Disable legacy VNC after testing:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">sudo \/System\/Library\/CoreServices\/RemoteManagement\/ARDAgent.app\/Contents\/Resources\/kickstart \\\n-configure \\\n-clientopts \\\n-setvnclegacy -vnclegacy no\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Do not leave legacy VNC enabled.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">12. Check MDM enrollment<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">sudo profiles status -type enrollment\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Possible output:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Enrolled via DEP: Yes\nMDM enrollment: Yes\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If the Mac is MDM-managed, local <code>kickstart<\/code> commands may not be enough. MDM profiles can control Screen Sharing, Remote Management, privacy permissions, firewall, login window behavior, and PPPC\/TCC permissions.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">13. List installed configuration profiles<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-23\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">sudo profiles <span class=\"hljs-keyword\">list<\/span> -type configuration\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-23\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Look for profiles related to:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">PPPC\nPrivacy\nRestrictions\nLogin Window\nFirewall\nRemote Management\nSecurity\nMDM\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">14. Inspect privacy \/ PPPC \/ TCC profiles<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Dump profile details:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-24\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">sudo system_profiler SPConfigurationProfileDataType &gt; <span class=\"hljs-regexp\">\/tmp\/<\/span>profile-details.txt\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-24\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Search for remote access and screen permissions:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-25\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">grep -iE <span class=\"hljs-string\">\"Remote Desktop|RemoteManagement|Remote Management|ARD|ARDAgent|ScreenCapture|Screen Capture|Screen Recording|screensharing|ScreensharingAgent|AppleVNC|ListenEvent|PostEvent|Accessibility|Deny|Allow|Authorization\"<\/span> \/tmp\/profile-details.txt -C <span class=\"hljs-number\">12<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-25\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">You want to know whether the MDM profile allows or denies:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">ScreenCapture\nListenEvent\nPostEvent\nAccessibility\nARDAgent\nScreensharingAgent\nAppleVNCServer\nRemote Management\nApple Remote Desktop\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">15. Check local TCC database<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-26\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">sudo sqlite3 <span class=\"hljs-string\">\"\/Library\/Application Support\/com.apple.TCC\/TCC.db\"<\/span> \\\n<span class=\"hljs-string\">'.headers on'<\/span> \\\n<span class=\"hljs-string\">'.mode column'<\/span> \\\n<span class=\"hljs-string\">'select service, client, client_type, auth_value, auth_reason, flags, datetime(last_modified,\"unixepoch\",\"localtime\") as modified\n from access\n where service like \"%Screen%\"\n    or service like \"%Listen%\"\n    or service like \"%Post%\"\n    or service like \"%Accessibility%\"\n order by service, client;'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-26\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Important services:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Service<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td><code>kTCCServiceScreenCapture<\/code><\/td><td>Screen capture \/ screen recording<\/td><\/tr><tr><td><code>kTCCServiceListenEvent<\/code><\/td><td>Observe input events<\/td><\/tr><tr><td><code>kTCCServicePostEvent<\/code><\/td><td>Control keyboard\/mouse<\/td><\/tr><tr><td><code>kTCCServiceAccessibility<\/code><\/td><td>Accessibility control<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">16. Check MDM TCC overrides<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-27\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">sudo ls -l <span class=\"hljs-string\">\"\/Library\/Application Support\/com.apple.TCC\/\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-27\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Then:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-28\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">sudo plutil -p <span class=\"hljs-string\">\"\/Library\/Application Support\/com.apple.TCC\/MDMOverrides.plist\"<\/span> <span class=\"hljs-number\">2<\/span>&gt;<span class=\"hljs-regexp\">\/dev\/<\/span><span class=\"hljs-literal\">null<\/span> | \\\ngrep -iE <span class=\"hljs-string\">\"ScreenCapture|Screen|ListenEvent|PostEvent|Accessibility|ARDAgent|screensharing|Remote|AppleVNC|Deny|Allow\"<\/span> -C <span class=\"hljs-number\">8<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-28\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If MDM overrides exist and do not allow Apple Remote Desktop \/ Screen Sharing components, IT may need to update the MDM policy.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">17. Check Login Window profile<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">If a Login Window profile is installed:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-29\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">sudo profiles show -type configuration &gt; <span class=\"hljs-regexp\">\/tmp\/<\/span>all-profiles.txt <span class=\"hljs-number\">2<\/span>&gt;&amp;<span class=\"hljs-number\">1<\/span>\n\ngrep -iE <span class=\"hljs-string\">\"loginwindow|Autologin|allowed|denied|authorized|users|groups|Disable|Deny|Allow\"<\/span> \/tmp\/all-profiles.txt -C <span class=\"hljs-number\">10<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-29\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Login Window profiles may affect:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">autologin\nallowed users\nlogin display behavior\nremote login\/session behavior\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">18. Check firewall profile<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-30\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">sudo profiles show -type configuration &gt; <span class=\"hljs-regexp\">\/tmp\/<\/span>all-profiles.txt <span class=\"hljs-number\">2<\/span>&gt;&amp;<span class=\"hljs-number\">1<\/span>\n\ngrep -iE <span class=\"hljs-string\">\"firewall|stealth|block|allow|screen|remote|5900|sharing|ARD|VNC\"<\/span> \/tmp\/all-profiles.txt -C <span class=\"hljs-number\">10<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-30\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Also check listening port again:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-31\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">sudo<\/span> <span class=\"hljs-selector-tag\">lsof<\/span> <span class=\"hljs-selector-tag\">-nP<\/span> <span class=\"hljs-selector-tag\">-iTCP<\/span><span class=\"hljs-selector-pseudo\">:5900<\/span> <span class=\"hljs-selector-tag\">-sTCP<\/span><span class=\"hljs-selector-pseudo\">:LISTEN<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-31\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If <code>5900<\/code> is listening and the connection reaches the login popup, firewall is less likely to be the main issue.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">19. Common root causes<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Symptom<\/th><th>Likely cause<\/th><\/tr><\/thead><tbody><tr><td>Ping fails<\/td><td>Network, VPN, sleep, wrong IP<\/td><\/tr><tr><td>Ping works, 5900 refused<\/td><td>Screen Sharing\/Remote Management disabled<\/td><\/tr><tr><td>5900 works, login popup appears, password fails<\/td><td>User permission, auth, MDM, or privacy issue<\/td><\/tr><tr><td>User is admin and allowed, but login still fails<\/td><td>MDM\/PPPC\/TCC policy likely<\/td><\/tr><tr><td>Legacy VNC also fails<\/td><td>Strong sign of MDM\/ScreenCapture\/Remote Desktop policy issue<\/td><\/tr><tr><td>Screen connects but black screen<\/td><td>ScreenCapture \/ display \/ headless Mac issue<\/td><\/tr><tr><td>Can view but not control<\/td><td>PostEvent \/ Accessibility \/ Remote Management control permission issue<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">20. Full diagnostic collection script<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Run this on the remote Mac:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-32\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== Host Info ===\"<\/span>\nhostname\nscutil --get ComputerName\nscutil --get LocalHostName\nsw_vers\ndate\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== Listening Ports ===\"<\/span>\nsudo lsof -nP -iTCP:<span class=\"hljs-number\">5900<\/span> -sTCP:LISTEN\nsudo lsof -nP -iTCP:<span class=\"hljs-number\">22<\/span> -sTCP:LISTEN\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== User Info ===\"<\/span>\nwhoami\nid &lt;REMOTE_USER&gt;\ngroups &lt;REMOTE_USER&gt;\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== Screen Sharing Group ===\"<\/span>\nsudo dscl . -read \/Groups\/com.apple.access_screensharing GroupMembership\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== User Record ===\"<\/span>\ndscl . -read \/Users\/&lt;REMOTE_USER&gt; UserShell NFSHomeDirectory IsHidden AuthenticationAuthority <span class=\"hljs-number\">2<\/span>&gt;&amp;<span class=\"hljs-number\">1<\/span>\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== ARD \/ Screen Sharing Processes ===\"<\/span>\nps aux | egrep <span class=\"hljs-string\">\"screensharingd|ARDAgent|ScreensharingAgent\"<\/span> | grep -v grep\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== MDM Enrollment ===\"<\/span>\nsudo profiles status -type enrollment\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== Configuration Profiles ===\"<\/span>\nsudo profiles <span class=\"hljs-keyword\">list<\/span> -type configuration\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== Profile Details Search ===\"<\/span>\nsudo system_profiler SPConfigurationProfileDataType &gt; \/tmp\/profile-details.txt\ngrep -iE <span class=\"hljs-string\">\"Remote Desktop|RemoteManagement|Remote Management|ARD|ARDAgent|ScreenCapture|Screen Capture|Screen Recording|screensharing|ScreensharingAgent|AppleVNC|ListenEvent|PostEvent|Accessibility|Deny|Allow|Authorization\"<\/span> \/tmp\/profile-details.txt -C <span class=\"hljs-number\">12<\/span>\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== TCC Database ===\"<\/span>\nsudo sqlite3 <span class=\"hljs-string\">\"\/Library\/Application Support\/com.apple.TCC\/TCC.db\"<\/span> \\\n<span class=\"hljs-string\">'.headers on'<\/span> \\\n<span class=\"hljs-string\">'.mode column'<\/span> \\\n<span class=\"hljs-string\">'select service, client, client_type, auth_value, auth_reason, flags, datetime(last_modified,\"unixepoch\",\"localtime\") as modified\n from access\n where service like \"%Screen%\"\n    or service like \"%Listen%\"\n    or service like \"%Post%\"\n    or service like \"%Accessibility%\"\n order by service, client;'<\/span>\n\n<span class=\"hljs-keyword\">echo<\/span>\n<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"=== MDM Overrides ===\"<\/span>\nsudo plutil -p <span class=\"hljs-string\">\"\/Library\/Application Support\/com.apple.TCC\/MDMOverrides.plist\"<\/span> <span class=\"hljs-number\">2<\/span>&gt;\/dev\/<span class=\"hljs-keyword\">null<\/span> | \\\ngrep -iE <span class=\"hljs-string\">\"ScreenCapture|Screen|ListenEvent|PostEvent|Accessibility|ARDAgent|screensharing|Remote|AppleVNC|Deny|Allow\"<\/span> -C <span class=\"hljs-number\">8<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-32\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">21. Escalation message for IT<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-33\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Hi IT,\n\nI am trying to connect to a managed Mac using macOS Screen Sharing \/ Remote Management.\n\nI verified the following:\n\nNetwork:\n- ping works\n- SSH works\n- port <span class=\"hljs-number\">5900<\/span> is listening\n- Screen Sharing reaches the remote Mac and shows the login popup\n\nUser\/permission:\n- the remote user is valid\n- the remote user is an admin\n- the remote user is <span class=\"hljs-keyword\">in<\/span> com.apple.access_screensharing\n- Remote Management was enabled using kickstart\n- ARDAgent was restarted\n\n<span class=\"hljs-attr\">Failure<\/span>:\n- Screen Sharing login still fails\n- temporary legacy VNC password auth was also tested and failed\n- logs show Screen Sharing authentication failure\n\n<span class=\"hljs-attr\">MDM<\/span>:\n- the Mac is DEP\/MDM enrolled\n- configuration profiles include PPPC\/privacy, restrictions, login <span class=\"hljs-built_in\">window<\/span>, and firewall policies\n- I <span class=\"hljs-keyword\">do<\/span> not see a clear PPPC\/TCC allow entry <span class=\"hljs-keyword\">for<\/span> Apple Remote Desktop \/ ARDAgent \/ ScreensharingAgent \/ AppleVNCServer\n\nCan you please check MDM policy <span class=\"hljs-keyword\">for<\/span> <span class=\"hljs-keyword\">this<\/span> Mac and confirm:\n\n<span class=\"hljs-number\">1.<\/span> Apple Remote Desktop \/ Remote Management is enabled via MDM, not only local kickstart\n<span class=\"hljs-number\">2.<\/span> Observe + Control permissions are enabled\n<span class=\"hljs-number\">3.<\/span> PPPC\/TCC allows ScreenCapture, ListenEvent, PostEvent, and Accessibility <span class=\"hljs-keyword\">for<\/span> Apple Remote Desktop \/ ARDAgent \/ ScreensharingAgent \/ AppleVNCServer\n<span class=\"hljs-number\">4.<\/span> No restriction, login <span class=\"hljs-built_in\">window<\/span>, or firewall profile is blocking Screen Sharing\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-33\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">22. Final takeaway<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">When macOS Screen Sharing fails, troubleshoot in this order:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Network \u2192 Port 5900 \u2192 SSH \u2192 Remote Management \u2192 User permissions \u2192 Logs \u2192 Legacy VNC test \u2192 MDM\/PPPC\/TCC policy\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If all local checks pass but both normal Screen Sharing and legacy VNC fail, the issue is usually outside the local user account and should be handled by the MDM\/IT team.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Purpose This guide explains how to troubleshoot macOS Screen Sharing or Remote Management connection issues when connecting from one Mac to another using: Typical symptoms include: 1&#8230;. <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-77318","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=77318"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77318\/revisions"}],"predecessor-version":[{"id":77321,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77318\/revisions\/77321"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=77318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=77318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=77318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}