Originally posted by Ted Landau (November 2007)
Updated by MacFixIt Staff (May 2009)
If you are into troubleshooting (and given that you are here at MacFixIt, it's likely that you are), you'll find a wealth of welcome goodies in Mac OS X 10.5 (Leopard). If I were to make a list of Noteworthy New Troubleshooting-Related Features in Leopard, the first item would be the redesigned and pumped-up Sharing System Preferences pane and its related features. And of all the new sharing-related features, the one perched at the absolute pinnacle would be screen sharing.
Regardless of what you may already know about screen sharing in Leopard, I am confident that you will learn something new in this article, as we get down to the nitty-gritty of how screen sharing works, how it sometimes doesn't work, and when it may even pose a significant security risk.
Why is screen sharing at the top of my list? If you've done any remote troubleshooting (especially over a phone), you already know the answer. Not being able to see the other person's screen, not being able to carry out the desired actions yourself, is too often an exercise in frustration, especially when working with a novice user. I have lost count of how many times I have silently cringed at the responses to my requests to "Go to the Desktop" or "Select About This Mac from the Apple menu." Too often, there's an ominous pause followed by "What's the Desktop?" or "Where's the Apple menu?" It's hard to make progress in resolving what's really wrong when you have to start by explaining the concept of the Finder. Every time this happens, it increases my respect for those people who answer the phone for Apple Tech Support; they have more patience than I ever will.
That's why screen-sharing is such a boon. With this feature, you can view and control another user's screen from your Mac: opening applications, deleting files or whatever else you need to do. This can exponentially reduce the time needed to solve a problem.
True, you don't need to upgrade to Leopard to use screen sharing. It has worked reasonably well in Tiger for some time, typically via third-party VNC software such as the popular Chicken of the VNC. With it installed on your Mac and the "Apple Remote Desktop" service set up in Sharing System Preferences of the computer at the other end, you can effectively share a screen.
Recently, some screen sharing online services have started supporting OS X, including the popular CrossLoop client which allows you to find a variety of available tech help personnel with whom you can optionally share your screen and solve problems. While more of these services will find their way to the Mac, in many instances they are not as convenient as using the built-in options that come with OS X.
Apple's screen sharing is based on the "Virtual Network Computing" architecture of screen sharing that was developed for Linux and UNIX machines. This technology uses "remote frame-buffering" (RFB) protocols to send dynamically updating screenshots of the system's desktop to a remote location. Apple's implementation of this technology came in the form of the Apple Remote Desktop workgroup management package that needed to be installed on the various machines that supported it. While Apple Remote Desktop is a fairly robust and feature-rich implementation, besides iChat, the screen sharing options that ship with OS X have been relatively stripped down to allow only screen sharing features.
Unlike previous generations of the operating system, in Leopard, screen sharing is built-in and easier to set up. It works more reliably and includes options not typically available through a standard VNC connection. As is typical of Mac OS X, there is more than one route to sharing a screen in Leopard. Here are your main choices:
Screen Sharing via iChat
iChat may not be the quickest way to make a screen sharing connection, but it's the best. What's especially cool about it is: (a) you don't need to know the person's IP address to make a connection; (b) you can instantly shift back and forth between having your screen or the other person's screen fill up your display; and (c) you can copy files from one computer to the other by dragging and dropping files from one screen to the other (when you do this, the transferred files wind up in Leopard's new Downloads folder).
To use this screen sharing variation, both machines must be running Leopard and have iChat open. Also, make sure Screen Sharing Enabled is checked in iChat's Video menu. Here's what to do next:
- If you and the other person are both on the same local network, find the other person in iChat's Bonjour List.
For a remote connection, you'll both need to be logged into an iChat-compatible account. You should ideally have the other person's name in your Buddy List.
- Select the other person's name from the relevant list.
Either (a) go to the Buddies menu and choose "Ask to Share (person's name)'s Screen..." or (b) select the same command from the pop-up menu accessed from the Screen Sharing icon at the bottom of the List window, as seen in Figure 1.
- A message pops up on the screen of the other computer, asking for the person's permission for you to share their screen. Presumably they are expecting this and will click to Accept.
Figure 1. The command to request to access someone else's screen via iChat (in this case, both connected computers had my name).
Assuming nothing goes wrong, you should see the other person's screen on your Mac in short order. A large text message appears across the screen on the shared computer, notifying the user that the computer is now being shared.
To end a screen sharing session, type Command-Escape from either computer. Or, from the computer that is accessing the shared screen, click the X icon in the upper left of the currently smaller window.
Troubleshooting tip: When attempting to connect via screen sharing in iChat, you may get a "communication error" message. Assuming that all settings are correct and you have a viable Internet connection, restarting one or both Macs should fix the problem. If it doesn't, you may instead use the Finder screen sharing method, especially for a local connection. It can work even when the iChat method does not.
Screen Sharing via the Finder
If you can't or don't want to use iChat for screen sharing, your other option is to access screen sharing from the Finder. Actually, although you initiate screen sharing from the Finder, it is a separate program called Screen Sharing that does the heavy lifting (I'll talk a bit more about this shortly). This Finder method is a bit simpler than the iChat method, as it does not require launching a separate program and logging into an account. You can also use this method, unlike with iChat, to connect to a Mac running Tiger (assuming the Tiger Mac has enabled the Apple Remote Desktop service in Sharing System Preferences).
However, for a remote connection, the Finder method is more difficult to set up (as I will soon explain). Also, you can't swap views of the two screens nor can you drag and drop files from one screen to another, as you can do in iChat. What you can do is transfer the contents of the Clipboard from one machine to the other. To do this, once a connection has been made, go to Screen Sharing's Edit menu and select Get Clipboard or Send Clipboard, as appropriate (or, if Show Toolbar has been enabled in the View menu, perform the same actions via a pair of icons in the toolbar).
Troubleshooting warning: The Screen Sharing program does not use the Command-Q (quit) or Command-W (close) shortcuts. If you enter these commands when Screen Sharing is the active application, they will instead affect the shared machine. That is, the result will be to quit or close whatever application or document is active in the shared window. To instead quit Screen Sharing, either go to its menu and select the Quit Screen Sharing command or click the Close box in the upper left of the shared window.
How you create a screen sharing connection via the Finder depends upon whether you are making a connection on your local network or to a remote computer (via the Internet). In either case (and unlike with iChat), you have to start by setting up Screen Sharing in the Sharing System Preferences pane.
Preliminary setup. Before you attempt a screen sharing connection, the person who will be sharing their screen with you should do the following:
- Open the Sharing System Preferences pane (see Figure 2). At the top of the Services list is Screen Sharing. Select it and turn it On.
- For the moment, where it says "Allow access for:", select "All users." This makes connections easier to accomplish. However, leaving it at this setting is a security risk (as I will explain shortly), so you might want to change this later.
- Click the Computer Settings button.
From the sheet that drops down, enable the "Anyone may request permission to control screen" option. This is not a requirement, but can allow for a successful connection in situations when other options are not working.
Optionally, from the same sheet, enable the "VNC viewers may control screen with password" option and assign a password. This allows computers running VNC software, such as Chicken of the VNC, to connect to the machine. This is not relevant for the setups covered in this article, but may be useful for people who want to connect to a Leopard machine from a machine running Tiger.
Figure 2. The Sharing System Preferences pane with the Computer Settings options for Screen Sharing shown.
This other computer is now ready for you to attempt to connect to it.
Troubleshooting tip: When you select to enable the Screen Sharing service, you may see an error message stating: "Screen Sharing is currently being controlled by the Remote Management service." Don't worry. To fix this, locate the Remote Management item in the Service list and turn it off. Screen Sharing can now be enabled successfully. You can only use one service or the other. You need Remote Management enabled if you are using Apple Remote Desktop software (which I am not covering in this article).
Make a local connection. If the computer to be shared is on your local network:
- On your Mac, open any Finder window and look for the Shared section in the Sidebar. Assuming the computer to which you want to connect is running and awake, with its sharing options enabled as described above, its name should be in the list. Select it.
Troubleshooting tip. If you don't see a Shared section in the Sidebar, try one or more of the following, as needed: (a) Go to the Sidebar section of the Finder's Preferences and enable the relevant choices in the Shared sub-section; (b) Have the other computer turn off all currently enabled sharing services and then turn them back on; (c) restart your computer.
- The Finder window should now show a "Share Screen..." button in the upper right (as seen in Figure 3). Click it.
Figure 3. A Finder window: The Shared section of the Sidebar (on the left) and the Share Screen button (on the right)
- Unless you are using Back to my Mac (as explained below), you should now see a dialog with two options: to connect to the other computer either "As a registered user" or "By asking for permission."
If you select the former, you must enter a name and password for an account that is on the other person's computer. It does not have to be the name and password of the currently logged in account. As you will often not have access to any account on someone else's computer, the permission option is the one you will likely use most often. In this case, similar to what I described for iChat, the recipient sees a message asking them to give permission for you to share their screen. They should do so.
Troubleshooting tip: The permission option is not only more likely to be the appropriate choice, it may sometimes be the only choice that works. In particular, I have been unable to get the password option to work when attempting to connect to a computer running Tiger (with Apple Remote Desktop sharing enabled). Neither an account password nor the VNC password (as entered in the Access Privileges settings for Apple Remote Desktop sharing) permitted a connection. Instead, an "Authentication failed" error pops up. I am not sure why. However, switching to "Asking for permission" was successful. Both the permission and password options were successful when connecting two machines running Leopard.
Make a remote connection. Remote computers are not listed in the Sidebar. Thus, to connect to a remote computer:
- Select "Connect to Server..." from the Finder's Go menu.
- From the window that appears, locate the Server Address text box and enter vnc:// followed by the IP address of the computer to which you want to connect (as given to you by the other person).
- Click the Connect button.
- If successful, you should be presented with the same options to connect either as a registered user or by asking for permission, as described above for a local connection. Choose the desired option.
As an alternative to using Connect to Server, you can instead launch the Screen Sharing program directly. The program is located in /System/Library/CoreServices. If you wish, for easier access, you can make a copy of the program and place it on your Desktop (or wherever else you want); the program should still work. To use it, enter the needed IP address in the Host text box, but without the
Troubleshooting tip: A successful remote connection is far from guaranteed. The first problem will be identifying the correct IP address. If the other person is using a router, such as an AirPort Base Station, the needed IP address is typically not the one listed in the Sharing System Preferences pane. That is the local IP address for the machine. What you need is the public WAN IP address. This is the address listed in the Internet settings of the router itself (as accessed via AirPort Utility for an Airport Base Station).
An additional problem occurs if the other person has more than one computer connected to their router. In this case, even if you use the correct public IP address, the other person's router does not necessarily know which machine to direct your sharing request. The common solution here is for the other user to set up their router using either Port Mapping or DMZ Host. Details on how to do this go beyond the scope of this article.
That's the way it's supposed to work. Personally, even after fiddling with all of the above settings, I have never been able to make a successful remote connection. Suffice it to say that for remote connections, you should probably use iChat instead.
Important security warning: If a user attempts to access screen sharing via the Finder with the password option, no alert appears on the other computer that a connection is being attempted. If the attempt is successful, there is similarly no message that a connection has been made. This means that someone could connect to your computer via screen sharing without your even knowing it.
The implications here are even worse than you may think. For example, I was able to access another computer via screen sharing by using the name and password for a standard account on that computer, even though the currently logged-in account was for a different (admin) user. Once the connection was made, I apparently had almost complete access to the other person's account. For example, I could delete files from their Home directory! Certainly, I had more access than I would have had if I logged into the standard account on the machine itself.
I was given this access without the user's awareness or direct permission, and without my needing to know the user's password. To me, this is a serious security weakness that Apple should close up. In the meantime, assuming you want to have Screen Sharing enabled at all, you can limit the risks by going to the "Allow access for" section of the Screen Sharing preferences and changing "All users" to "Only these users." Then list only those users who you trust to have this access.
NOTE: For more security considerations, see the "Secure It" section at the end of the article.
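A password-based connection shows nothing on screen, but it still appears in the machine's socket table. The following added example (not part of the original article) parses `netstat -an` output in the macOS column layout and reports listeners and inbound sessions on port 5900, the default VNC port named later in this article; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: find Screen Sharing / VNC listeners and live inbound sessions
# in `netstat -an -p tcp` output (macOS/BSD layout, where the port is the
# last dot-separated field of an address, e.g. 192.168.1.10.5900).

VNC_PORT=5900   # default VNC port, as stated in the article

# Constructed sample input; the addresses are made up for illustration.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.5900      192.168.1.23.51844     ESTABLISHED
tcp4       0      0  192.168.1.10.22        192.168.1.23.51790     ESTABLISHED
tcp4       0      0  192.168.1.10.49712     203.0.113.7.5900       ESTABLISHED
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'

# vnc_listeners: read netstat output on stdin, print the local address of
# every LISTEN socket on the VNC port.
vnc_listeners() {
    awk -v port="$VNC_PORT" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")
            if (a[n] == port) print $4
        }'
}

# vnc_sessions: read netstat output on stdin, print the peer address of every
# ESTABLISHED connection whose LOCAL port is the VNC port. Outbound
# connections from this Mac to someone else's port 5900 are ignored.
vnc_sessions() {
    awk -v port="$VNC_PORT" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n = split($4, l, ".")
            if (l[n] != port) next
            m = split($5, r, ".")
            peer = r[1]
            for (i = 2; i < m; i++) peer = peer "." r[i]
            print peer
        }'
}

# vnc_report: one line per finding. A wildcard listener ("*.5900") accepts
# connections on every interface, not just the local network one.
vnc_report() {
    input=$(cat)
    printf '%s\n' "$input" | vnc_listeners | while read -r addr; do
        case "$addr" in
            \*.*)                 echo "LISTEN $addr all-interfaces" ;;
            127.0.0.1.*|::1.*)    echo "LISTEN $addr loopback-only" ;;
            *)                    echo "LISTEN $addr single-address" ;;
        esac
    done
    printf '%s\n' "$input" | vnc_sessions | while read -r peer; do
        echo "SESSION $peer"
    done
}

# Demonstration on the constructed sample. On a real Mac, run instead:
#   netstat -an -p tcp | vnc_report
printf '%s\n' "$SAMPLE_NETSTAT" | vnc_report
```

A SESSION line that appears when nobody has asked to share the screen is the condition the warning above describes.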
Back to My Mac
If you are a MobileMe subscriber, Leopard includes a feature that was introduced back when MobileMe was .Mac (called Back to My Mac) that allows you to instantly connect, via screen sharing, to any other computer that is running Leopard and is logged in to your MobileMe account. You might use this feature, for example, to access your home computer from your laptop while you are on a trip. Back to My Mac is really a special case of the just described method of using the Finder and the Screen Sharing program. To use it:
- On both computers (the one to be shared and the one that will access the shared computer), go to the MobileMe System Preferences pane. From the Account subpane, click Sign In to log in to your account. While still in the MobileMe System Preferences pane, click the Back to My Mac button. From here, click the Start button.
- From the computer to be shared, go to the Sharing System Preferences pane and, if not already done, enable Screen Sharing as described in the relevant previous section of this article.
- From the other computer, open a Finder window. The to-be-shared computer should be listed in the Shared section of the Sidebar. Apple claims this works the same way for local and remote connections. That is, even a remote computer is listed in the Shared section of the Sidebar via Back to My Mac, eliminating the need to finagle with an IP address.
- Select the computer name in the Sidebar and click the "Share Screen..." button that appears.
Assuming all goes well, you should be instantly connected to the other computer. There is no need to request permission or enter a password.
Troubleshooting warning: When I tested this feature, I found two significant problems:
First, Back to My Mac did not work for remote connections. In particular, the remote Mac never even appeared in the Shared section of the Sidebar. Others have reported this as well. One cause may be incompatible router hardware, as described in an Apple Knowledge Base article (with more information in a related Knowledge Base article).
The second problem is almost the opposite of the first one: For local connections, I could not turn Back to My Mac off. That is, with both computers connected to my AirPort Extreme Base Station, I successfully used Screen Sharing and Back to My Mac to access my MacBook Pro from my desktop Mac G5 (and vice versa). I next went to the MobileMe System Preferences pane and clicked the Stop button for Back to My Mac. It had no effect. You may think this is due to Back to My Mac still being active, but for local connections Apple uses Bonjour networking to establish connections, so even though Back to My Mac is off you will still see local computers present a "Share Screen" option.
Further Customization
Even though the built-in screen sharing client is stripped down, a few of the features from the advanced Apple Remote Desktop software are available. The following are ways to enable some of these features:
- Show "Bonjour Browser"
Entering the following command into the "Terminal" will enable the Bonjour browser in the screen sharing client. This will show a small window that will automatically detect computers on the local network that have screen sharing enabled, and will display their names. This can be handy when working with multiple computers.
defaults write com.apple.ScreenSharing ShowBonjourBrowser_Debug 1
- Turn on advanced options:
In Apple's Remote Desktop package, you have the option to customize your viewer window. These options are available in the Screen Sharing application if you enable them by entering the following command in the Terminal (copy and paste the entire command).
defaults write com.apple.ScreenSharing 'NSToolbar Configuration ControlToolbar' -dict-add 'TB Item Identifiers' '(Scale,Control,Share,Curtain,Capture,FullScreen,GetClipboard,SendClipboard,Quality)'
This will add options to limit the image quality with a slider, which can be beneficial for some network situations. It also allows for observing as well as controlling other computers, enabling or disabling the remote computer's keyboard, taking snapshots of the remote screen, swapping clipboard contents, and displaying the remote computer at full screen on the local computer.
Since this technology sends images of the screen over the network or internet, there will be some performance degradation if the connection is slow, regardless of the means of connection (i.e., iChat vs. Back to My Mac). The main factor in speed for any connection is basically how much information is being changed on the screen at any one time. Therefore, one way to reduce network load is to make windows smaller when moving them around. This can be impractical in some situations, but can be useful when, for instance, you are copying many files around.
The "Screen Sharing" client that comes with OS X does have a few additional options that you can take advantage of for either increasing quality or network speed. By default, the screen is set to be adaptive to network conditions: it updates only enough to show what's going on, then updates more when network resources are available to do so. This can be set to run at full quality (for people on high-speed local networks) by starting a sharing session and, from the "Screen Sharing" preferences, choosing the option to "Show the screen at full quality". Optionally, you can enable an image quality slider (see the "Further Customization" section). For the most part, broadband internet connections should keep the adaptive quality settings and expect up to a half-second lag in the response time.
Firewall and Router Settings
As with any other network service, Screen Sharing uses a set of virtual "ports" that separate its traffic from web traffic and other network services, since they all share the same IP address and connections. These ports must be opened in all network devices for all computers involved in the screen sharing sessions. This means that firewalls on the local computer, as well as any routers or hardware firewalls, must be set up to pass traffic on the following ports:
Depending on the network devices used, these ports can either be opened completely, or forwarded to the local IP address for the desired computer, but you will have to consult the documentation for your router to see how to change these ports. Additionally, if your router supports "UPNP" (Universal Plug & Play) or "NAT-PMP" (NAT Port Mapping Protocol), then it should work for Back to My Mac. The routers listed in this Apple Knowledge Base article are some that support Back to My Mac and other screen sharing.
Beyond the Mac
Remote Desktop can be exceptionally useful for connecting to other platforms besides OS X. On Intel Macs, Apple claims that access to PC programs can be done via Boot Camp or virtualization solutions such as Parallels or VMware; however, a simpler solution is available if you have a Windows PC that is already set up with the software you need. Microsoft has implemented its own version of Remote Desktop in Windows XP and later versions of the Windows operating system. By enabling screen sharing on those systems, you can connect to them using Microsoft's "Remote Desktop Connection" software package. This is available at the following website, and can be installed and run on practically any OS X machine (PowerPC or Intel). All you will need to know is the IP address, DNS name, or local name of the computer to which you are trying to connect.
Secure It
By default, VNC is not encrypted, and therefore is not as secure as some people may want. A common workaround for this is to have SSH establish a secure tunnel either directly to the computer you want to control, or to a computer on a "trusted" network. This will be done by using the "ssh" command in the terminal to create a secure port-forwarding session with a remote computer, and then connecting to the forwarded port using "Screen Sharing". Keep in mind that the following is a bit complicated to understand, but overall is a fairly simple process; however, if you are not prepared for setting this up then you can skip this section and continue exploring screen sharing without the added security.
The first thing you will need is to ensure the SSH server is running on the computer to which you are creating the "tunnel". To do this, if the computer is a Mac go to the "Sharing" system preferences and check the "Remote Login" option. Then launch the Terminal on your current Mac to enter commands for creating the secure tunnel to the ssh server.
The following Terminal command is an example of a secured port forwarding session for VNC:
Overall, this command establishes an SSH session with the "hostname" computer (the one on which you enabled "Remote Login") and uses it to tunnel port 1212 (though this can be any unused port number) on the local machine (the one in front of you) to port 5900 (the default VNC port) on the remote computer designated by the "vnc_computer_ip" address. This remote computer can be the same one as "hostname" if you are trying to screen share with "hostname" (by using either its IP/URL or "localhost" as the address), or it can be another computer in instances where the "hostname" computer is just there to connect you to a trusted network (as might be the case when connecting to Windows computers that might not have an SSH server installed; see below). With the SSH connection established, the VNC session connects to local port "1212", and SSH manages the actual connectivity instead of the screen sharing program managing the connection (in a less secure way).
Another way to look at this is the command takes the remote computer and port (vnc_computer_ip/5900), and presents it via an encrypted connection to a local port. Therefore you're using the VNC program to connect to "yourself", but From this point, in order to connect to this port you will need to reference it on the local machine (the one in front of you; not the SSH computer) by entering the URL as follows either in Safari or in the Finder's "Connect to Server..." option (in the "Go" menu):
This will have the built-in "Screen Sharing" VNC program use the local computer's established SSH connection, which will then securely transfer data for the VNC session as opposed to using a direct and unsecured connection using the "Screen Sharing" program itself. Now you can create a shortcut or bookmark to the "vnc://localhost:1212" URL so whenever you set up the tunnel you can easily open this link to start the secure VNC session.
The specifics of the Terminal command break down as follows:
"-N" tells ssh not to execute any remote commands, reserving this ssh session just for the tunnel.
"user@hostname" is the account name and computer URL or IP to which we will be making the secure ssh connection "tunnel". This can be any computer that is running the "sshd" daemon ("Remote Login") to which you want to create the "tunnel", and it need not be the same computer to which you will be running VNC, though for maximum security it's preferable that they are the same computer.
"-L 1212/vnc_computer_ip/5900" is the port forwarding definition, where 1212 is the local port reference (can be any unused port number between 1 and 65535) that will be converted to port 5900 on the remote computer ("vnc_computer_ip") via the secure SSH connection (the one to "hostname"). The "vnc_computer_ip" part is the URL or IP address for the computer of which you are trying to see the screen (not necessarily the same as the SSH computer). If this is not the same one you are logging into with SSH (the tunnel), the SSH computer will be making an unsecured connection from this point to the VNC computer, which may be fine in some cases, especially if the SSH computer is on a trusted network.
The key here is to understand there are two connections. The first is the secure SSH connection (user@hostname) to the server that's hosting the SSH daemon. The second is the port forwarding connection (1212/vnc_computer_ip/5900) that will link one local port to VNC server's IP/port combination. The secure tunnel ends at the computer hosting the SSH daemon, so if you are looking for complete security, ensure the daemon computer is the same one you're trying to see the screen of. This concept may be more clear if you look at one way you would secure a remote desktop connection to a Windows machine.
To do this on a Windows machine, you would set things up in a similar way as mentioned above. If your Windows computer has an SSH server running, you can connect directly to it; however, if not (which is most likely the case) then you will have to connect to another computer (preferably one on a trusted network) that will then make a port-forwarding connection to the Windows machine. As an example of this, consider the following setup:
There is one Mac running SSH, and one Windows machine with "Remote Desktop" turned on. To connect to the Mac securely from a remote location and have it port-forward to the Windows machine, the following would have to be done on your computer.
- Enter this Terminal command (using proper IP addresses or URLs):
ssh -N user@MacIP -L 1212/WinIP/3389
- Then open Microsoft's Remote Desktop Connection and enter the following URL:
Provided there are no errors, Remote Desktop Connection will work and the connection will be secure.
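The two tunnels described in this section (VNC on port 5900, Remote Desktop on port 3389) can be built and checked with one small helper. This is an added example, not part of the original article: it uses the colon form of ssh's -L option rather than the slash form shown above, binds the forwarded port to 127.0.0.1, and reports whether the last hop falls outside the SSH tunnel. The names user, hostname, MacIP and WinIP are the article's placeholders.

```shell
#!/bin/sh
# Added example: build the ssh port-forward command line and classify where
# the encrypted part of the path ends. Function names are hypothetical.

# forward_spec LOCAL_PORT TARGET_HOST TARGET_PORT
# Prints the argument for -L. Binding to 127.0.0.1 keeps the forwarded port
# reachable only from this machine, not from other hosts on the same network.
forward_spec() {
    lport=$1 target=$2 tport=$3
    for p in "$lport" "$tport"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "bad port: $p" >&2; return 1
        }
    done
    case "$target" in
        *:*) target="[$target]" ;;   # IPv6 literals must be bracketed
    esac
    printf '127.0.0.1:%s:%s:%s\n' "$lport" "$target" "$tport"
}

# tunnel_cmd USER SSH_HOST LOCAL_PORT TARGET_HOST TARGET_PORT
# Prints the full command. ExitOnForwardFailure makes ssh exit instead of
# staying connected when the local port cannot be bound, so a viewer is never
# pointed at a port that is not actually tunnelled.
tunnel_cmd() {
    spec=$(forward_spec "$3" "$4" "$5") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s %s@%s\n' "$spec" "$1" "$2"
}

# last_hop SSH_HOST TARGET_HOST
# The tunnel ends at SSH_HOST. If the target is that same machine, the whole
# path is inside SSH; otherwise the final hop is made outside the tunnel.
last_hop() {
    case "$2" in
        localhost|127.0.0.1|::1|"$1") echo "encrypted-end-to-end" ;;
        *) echo "outside-tunnel:$1->$2" ;;
    esac
}

# The article's two setups: screen sharing with the SSH host itself, and a
# Mac relaying to a Windows machine's Remote Desktop port.
tunnel_cmd user hostname 1212 localhost 5900
last_hop hostname localhost
tunnel_cmd user MacIP 1212 WinIP 3389
last_hop MacIP WinIP
```

Run the printed command in Terminal, then point the viewer at localhost port 1212 as described above.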