Screen sharing security?

Similar Messages

• IChat screen sharing security/encryption

  I'm going to be using iChat for the first time and want to use the screen sharing feature between two computers running 10.6. iChat's documentation says:
  "While every screen sharing connection uses encryption, the highest level of security requires both participants to have MobileMe subscriptions with encryption enabled. If this is the case, you will see a lock icon in the screen sharing window."
  Neither I nor the person I'm going to do screen sharing with has a MobileMe account. I'm wondering:
  1. What is the difference between the encryption that "every screen sharing connection uses" and the enhanced security allowed with MobileMe accounts? How does this compare with, say, doing VNC over an SSH connection? Is it adequate for the usual "family help desk" tasks, which may involve typing passwords?
  2. I understand that one can get a free MobileMe account which only has iChat capabilities. Does this free MobileMe account enable iChat encryption, or do I have to pay to get that?
  Thanks!

  re 1)
  I am not aware that Screen Sharing is claiming to be Encrypted in each and every connection.
  As far as I am aware it uses a modified Apple Remote Desktop engine and is a VNC connection tied together with a Audio Chat (two separate Ports/Data streams in tandem) and that a problem connecting either part will result in failure of the whole connection.
  It is claiming to be encrypted in each and every connection -- as I quoted in the original post, "While every screen sharing connection uses encryption..." This is from http://docs.info.apple.com/article.html?path=iChat/5.0/en/17157.html

• Screen sharing security question

  I recently set up my imac to allow screen sharing from my MBP. On my iMac I randomly see the screen sharing icon appear in the menu bar despite not being connected. Is this normal?
  Also i setup security so that it should only be me that is able to connect via password to my iMac, yet there is aslo an option to connect as a guest which connects & shows the imac screen & allows me to do things.
  I thought the whole point of setting access only to me was that no-one else ( eg guest) could connect.
  i am a bit baffled here, can anyone help me out?
  TIA,
  john

  I would not consider the presence of the screen sharing icon normal. I encourage you to open terminal and run the command
  netstat | grep vnc
  the next time you see it. This will return either nothing (bringing you back to the prompt ending in $, or return a line such as this:
  tcp4 0 39 10.0.42.116.vnc-server 10.0.42.243.54233 ESTABLISHED
  In this case, my Macintosh is 10.0.42.116, and the computer connected to it is 10.0.42.243.
  By this method you can determine if there is a glitch causing the icon to appear or if there is actually a connection being made to your Macintosh.
  What you are probably experiencing with the guest account is a bit of confusion related to how Finder thinks of computers.
  The Guest/User Account is not for Screen Sharing, but for File Sharing.
  When you clicked "Share Screen..." the first time, regardless of if you connected to file sharing as Guest or Registered User, you got a box requesting "the username and password to share the screen of (computer name)." There, you probably selected remember password in keychain, and that is why you are not being prompted again, and why you are connecting to screen sharing as a guest. (You're actually connecting to screen sharing as your registered user, but you are connected to file sharing as a guest).
  To change this behavior, (on the client Mac) navigate to Applications, Utilities, Keychain Access. There, you will find an entry with a blue @ sign as an icon, and your destination PC's name. The Kind will be Network Address and when you select the line the "Where" in the info viewer panel will begin with vnc://. When you find this line, press the delete key to remove the saved password, and don't tick the "remember" checkbox again.

• Screen Sharing Security Hole!!

  At my school we use remote desktop and also the computers have screen sharing on. today i learned that if you type in a persons username without their password it will first say username or password is invalid then if you do it agien without changing any thing it will grant you access. ***

  Don't know much about screensharing but did a search and found this article.
  It may have some more information for you, sorry I can't be of more help.
  http://www.peachpit.com/guides/content.aspx?g=mac&seqNum=232

• Having security issue with SL Screen Sharing

  Hello,
  Maybe I am missing some new setting in Snow Leopard that increases screen sharing security, but as it is, screen sharing is now insecure on my network.
  Prior to Snow Leopard I would log into my Mac from another without selecting the "remember this password in my keychain"... after finishing the session, I would again be asked for my password before ropening a new screen sharing session. All machines on the network were Leopard.
  Now, with all macs on the network Snow leopard, on one of the machines I can log on in the morning, work for a while, quit screen sharing, and go back in an hour and start sharing that mac's screen with no password required. Anoyone else can can do this also! I have checked the keychain on the Mac I am viewing from and there does not seem to be an entry there for screen sharing.
  On another of the Snow machines it always asks for the password, but on 2 of them, once I have started viewing another Mac's screen a password is no longer required regardless of the fact that I haven't checked that "remember password" .
  This means that after I leave a Mac from screen sharing it, someone else has full access to that machine just by clicking on the Share Screen button... unless I can close the hole somehow.
  Any ideas or a way to fix this would be appreciated.
  Thanks
  Jamy

  Hi all,
  I just upgraded to Snow 10.6.2 so through 2 separate updates, this security hole on all 3 Macs on my network exists.
  To test it I went to an office and opened a screen on another (Snow Leopard) Mac that was set up to allow users only to connect. I then quit Screen sharing, and returned 3 hours later, only to be able to open the Hard Disk window and return to that Mac's screen without any passwords required. I was very careful not to allow the Keychain to remember me.
  Since I originally posted I see another thread has begun up expressing essentially the same issue.
  I would strongly advise anyone who uses Snow Leopard in a secure environment , at least through 10.6.2, to disable screen sharing or risk unauthorized access, or monitoring, of their Macs from within their networks. Screen Sharing's security settings (if they work at all) do not work on Snow Leopard the same as they worked on Leopard.
  I have not found a fix for this in the 3 weeks since I first noticed it other than to disable it, or restart the Mac I started the session from, then it will ask for a password, but that is hardly an acceptable fix in some secure or corporate environments (akin to having to restart in order to empty the browser cache when accessing webMail lol)
  Regards,
  Jamy

• How secure is screen sharing?

  Hi: I have set up my MacPro 2008 to accept screen sharing for one user (me) and I access it from my MacBook Pro via airport/AP extreme (protected by WPA2 Personal) and built-in VNC. Everything works perfectly fine and just as smooth as can be expected from a Mac. My only concern is, whether the connection is safe enough such that my passwords cannot easily be intercepted, or if I need to set up an SSH connection. Any suggestions?
  Thanks.

  WPA2 offers its own encryption, so it's basically secure against anyone not on your LAN so long as they don't have (or break) you WPA2 encryption key.
  That said, you might presume that someone has breached the WPA2 encryption or otherwise gained access to your LAN, in which case the VNC login (and frame buffer data) isn't secure. In that case, what you want is to setup SSH and use the Mac firewall tools to block access to VNC from any host other than localhost.

• Screen Sharing problem - is it a security problem?

  OK, so I'm having the same screen sharing bug with remote machines.... except when I have my VPN active. Then the remote machines work exactly as normal. With the VPN off, I get the Screen Sharing only error. Anyone who is more familiar with VPNs know what is up?
  Thanks!
  -c

  You may be interested in this helppage<br>
  http://support.mozilla.com/en-US/kb/Is%20my%20Firefox%20problem%20a%20result%20of%20malware<br>
  If you recently had a crash and have sent the crashreport to Mozilla, then you can post a crashreport ID on the forum. Sometimes we can see signs of a virus in the crashreport.

• Is it possible for multiple users to use a "generic" account simultaneously without screen sharing?

  Hey and thanks for checking out the thread.
  I am wondering if it is possible to have users use a generic account at the same time without any sort of screen sharing.
  I have set up a generic user account (for example useraccount, password 1234) for users to use in the time before I can set up a custom user name for them. However, I have run into some issues with this.
  When multiple users log on using this generic account, their applications seem to be shared on each screen. In the room with multiple Mac workstations, if someone starts working on Photoshop, Photoshop will open on every one elses screen who is logged on under that generic account.
  Is it possible for users to log on using a generic network account and have their own isolated work environment or is this sort of sharing a feature? I am new to Mac servers and am not sure.
  Thanks for reading the thread.

  That shared-account approach seems impractical for the various reasons you've identified, as well as the inevitable issue of cleaning up the detritus that'll inevitably build up in a shared account, and for the lack of accountability for activities occuring under the shared account for both auditing and security, and sharing directories would tend to introduce obscure conflicts around which-file-version-wins file updates when the same file is used in several places, and would probably be contrary to any per-user application software licensing agreements that might be involved.
  Put another way, get unique accounts created for folks, and work toward the ability to create accounts for arriving folks, and — if it's applicable here — talk to management about getting any per-user software licensing issues sorted out, whether that's having spare copies purchased and ahead or some advanced notice on accounts, or establishing group software licensing where that's available.
  AFAIK, there are tools around which can automate account creation, too.  Either generic, a tool such as Passenger, or it's certainly feasible to script the account creation sequence.
  Trying this shared-access generic-account approach just looks like it can create more work and more hassles and more effort to me...

• Screen Sharing and Virtual Desktop

  Is there a way to force a new remote screen sharing connect to a "Virtual Desktop"?
  In my experience, if another user is logged into the computer the new remote screen connection will be forced or given the option to connect to a virtual desktop. This will allow the new connection to run in the "background" without the first connection being influenced.
  The issue is when a new remote connection is initiatied and no other connections are active the new connection will be shown on the computer's hardware monitor. i.e. No option is given to connect via a virtual desktop.
  This is a security issue because a user can connect remotely and if he is the only connection on the computer he will have all his work shown on the hardware display.
  I am hoping to find a way to force all remote connections to be on virtual desktops.

  I guess its worth mentioning that although you can indeed screen share from Leopard to Tiger, it only works when you are on the same network. But Remote Desktop works across the internet...
  Of course the trick to using Remote Desktop from a truly "remote" location elsewhere on the internet is that you have to be able to reach the IP of the computer you want to control, which can be tricky if its behind a NAT and the person your trying to reach is my Mom who has no idea how to configure her NAT, or firewall, or even find her IP address without my help.
  Screen sharing Leopard to Leopard via iChat should be much more straight forward... translation: this will make my life much easier the next time my mom needs help.

• Screen sharing and the existing plug-in

  I'm thinking about building a nice e-learning solution but
  screen sharing is essential. Can someone explain to me why it's
  technically impossible to use the screen sharing api like it is
  being used by ConnectNow? I don't mind that my users will have to
  download the plug-in just like the ConnectNow users have to do.
  Given the fact that CoCoMo is a hosted service it should be good
  for the Adobe business and the technology is already
  there...

  Nothing (or almost nothing) is technically impossible :)
  The problem here is the addin has access to the client system
  resources (screen and keyboard) and so for security reason it only
  runs signed applications (and the only application we sign today is
  ConnectNow).
  In order to enable SDK applications to run in the addin we
  should either forego the signing (not an option :) or we get into
  the business of validating and signing developer applications, with
  policies possibly even stricter than Apple AppStore :)
  We have some other ideas on how to offer this functionality
  but right now are just ideas, but we understand that this is a
  feature very appealing to many of you and and it's high in our list
  of most requested features.

• Screen sharing doesn't work in Yosemite

  Screen sharing gives this message on my iMac :
  Process:          
  Screen Sharing [46463]
  Path:             
  /Volumes/*/Screen Sharing.app/Contents/MacOS/Screen Sharing
  Identifier:       
  com.apple.ScreenSharing
  Version:          
  Build Info:       
  RemoteDesktop-3009915~3
  Code Type:        
  X86 (Native)
  Parent Process:   
  ??? [1]
  Responsible:      
  Screen Sharing [46463]
  User ID:          
  502
  Date/Time:        
  2015-01-27 13:31:28.148 +0100
  OS Version:       
  Mac OS X 10.10.1 (14B25)
  Report Version:   
  11
  Anonymous UUID:   
  7E87A766-A68F-42AB-5776-3EC4CEE0DBC9
  Sleep/Wake UUID:  
  E9049456-0F35-432F-A16C-0C7313FDA6B0
  Time Awake Since Boot: 1300000 seconds
  Time Since Wake:  
  3100 seconds
  Crashed Thread:   
  0
  Exception Type:   
  EXC_BREAKPOINT (SIGTRAP)
  Exception Codes:  
  0x0000000000000002, 0x0000000000000000
  Application Specific Information:
  dyld: launch, loading dependent libraries
  Dyld Error Message:
    Library not loaded: /System/Library/PrivateFrameworks/ScreenSharing.framework/Versions/A/ScreenShar ing
    Referenced from: /Volumes/*/Screen Sharing.app/Contents/MacOS/Screen Sharing
    Reason: no suitable image found.  Did find:
      /System/Library/PrivateFrameworks/ScreenSharing.framework/Versions/A/ScreenShar ing: mach-o, but wrong architecture
  Binary Images:
  0x8fe0c000 - 0x8fe3fe03  dyld (353.2.1) <EBFF7998-58E8-32F5-BF0D-9690278EC792> /usr/lib/dyld
  0x92b00000 - 0x92b00fff  com.apple.Carbon (154 - 157) <5A078967-8437-3721-A6B1-70CC00461D7B> /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
  0x9323b000 - 0x933ffff3  com.apple.QuartzCore (1.10 - 361.11) <9CED60CF-9B7F-3288-A7E9-3AE087F9E076> /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
  0x9376c000 - 0x939e8ff3  com.apple.security (7.0 - 57031.1.35) <4721C22E-D6C2-3202-B80D-5E67169466D2> /System/Library/Frameworks/Security.framework/Versions/A/Security
  And a similar message on my MacBook Pro

  same here on a 2010 macbook pro. i routinely use screen sharing to access that MBP from a 2010 mac pro. but ever since installing lion on the MBP (now 10.7.1), i'm asked for my "Kerberos password" -- and i've never even heard of such a thing.
  so far, googling this has not led to anything helpful.
  i love my macs, but stuff like this that impedes our productivity is a monumental drag (to say the least).

• IChat screen sharing and video not working on MacBook but works on Mac pro

  I have a MacBook and MacBook pro. Both have the lion os 10.7.2. I can use iChat on the MacBook pro for screen sharing, video chat, and text chatting, with others remote to me. However, I can only do texting with the MacBook.  I can do screen sharing via Finder between my MacBook and MacBook pro. I can do FaceTime between both systems. I can also do FaceTime between the MacBook and anyone remotely.
  I also tried installing teamviewer on the MacBook, and on a remote MacBook..... And I get the same results where I cannot share the screen, from the one that has not been working.
  I have checked the settings under system preference and made sure screen sharing was enabled. I have checked under iChat under video to make sure screen sharing was checked.
  The macbook that is having this problem is configured for AIM for iChat
  I have run out of ideas. Any suggestions on what I might try?
  Thanks

  Ok,
  I will list the ports in greater detail and point out when iChat uses them.
  AIM Login and 1-1 Text Chatting
  iChat version 1  through 5 will Log in to the AIM server on port 5190 (TCP Protocol) by default.
  Since iChat 2 we have been posting here that the AIM servers allow a Login on almost any port and have been suggesting port 443.
  This is used by both Web Browsers for secure Login to some sites and by the Mail app with some mail servers.
  It is also below port 1024  (most domestic routers have the ports above this figure closed)  In some campus situations using port 443 will normally allow at least Login and Text chatting.
  iChat 6 uses port 443 by default.
  File Transfers (AIM)
  When doing File Transfers with AIM Buddies iChat will move to using Port 5190 on the UDP Protocol.
  This cannot be changed.  (This invokes the little Message about Starting Direct IM in an open Chat)
  It also uses this port for Pics-in-chats, dropping Files on a Buddy's name with out a Chat or sending other files that are not pics.
  In the case of Port Forwarding some devices don't like port 5190 being forwarded "twice" which is another reason for moving the login and Text chat port.
  Jabber Logins
  No matter what Jabber server you use ichat will use one of two ports (5222 and 5223)
  Which one it uses is dependent on whether it needs and is using an SSL Login or not.
  SSL Logins use port 5223 and NON SSL one use 5222 (ticking or Unticking the SSL box on a Jabber account will automatically change the port).
  Google Talk is the exception in that it allow a Login on port 443 as well.
  The First Apple Doc I linked you to says iChat uses port 5220 in Jabber.
  I run Little Snitch and have never seen any version of iChat use this port at any time.
  Bonjour
  Any Mac to Mac Connection or Mac to any Bonjour able peripheral will be on port 5353.
  This is normally opened (Preset) in the Mac Firewall for the Finder/System side of Sharing.
  iChat needs and uses two other ports  (5297 UDP and 5298 on both TCP and UDP)
  As they an LAN Side connections the router would normally pass them.
  At iChat 3 there were issues with the Mac Firewall (it included UDP set up and the preset in the firewall only listed them and TCP so we had people add all the iChat ports  (you had to manually enter them in Tiger)
  A/V Chats
  No matter which Buddy List you start from iChat will do A/V chats the same way.
  The Visible Invite you or your Buddy sends is on port 5678 (UDP)
  In iChat 3 and earlier iChat then moves to port 5060 to send the SIP Connection Process invite behind the scenes  (SIP = Session Initiation Protocol)
  Port 5060 is one of 4 ports internationally agreed for SIP (How VoIP phones connect) (5060-5063).
  Although ISPs were not supposed to block Through traffic many started blocking End users  and then Charging them to open these ports (Many ISP were telecom companies that were losing long distant Telephone calls monies).
  The SIP process then in iChat 3 contacts a server run by Apple for this purpose (Snatmap.mac.com to give it it's full name).
  This acts like a old fashioned telephone operator connecting the call.
  SIP is a text based process.
  Your end "Calls" the operator.
  The Operator "Calls" Buddy.
  Buddy Accepts
  iChat then negotiates the ports to be used.
  In iChat 2 and 3 it uses 4 ports (vid in Vid out, Audio In and Audio Out) from "the group of 20" starting at the bottom (16384 to 16387 normally)
  Three and 4 way chats uses more ports (which is why 20 are set aside)
  In iChat 4 Apple realised the issue with the 5060 port and changed the way iChat worked
  Since then it has Sent the invite on Port 5678 but then moved to port 16402 (it starts at the top of a smaller group of 20)
  All Video and Audio traffic is also now on one port  (so no need for 20 ports and iChat now lists 10).
  NOTES so Far.
  File Sharing during a Chat converts the Chat to Direct IM for AIM Logins
  This is Peer-to-Peer in AIM
  A/V Chats are Peer-To-Peer and you can actually log out of the Buddy list and continue the chat. (The exception is using iChat 6's  AIM Video relay option)
  Screen Sharing
  Screen Sharing is an Audio Chat with a VNC connection along side.
  Both bits have to wok to avoid the Pop-up to send to Apple and the Log that contains.
  The Audio part is on port 16402 and the VNC part is random. (So random it is different every time you do it)
  The reason it is classed as an Audio Chat+ is so the AppleScript for Auto Accept can  filter out Screen Sharing connection and Not Auto Accept them.
  This does have a knock on effect as far as your Router is concerned as already mentioned earlier.
  You cannot Forward or Trigger the random Port so you have to use UPnP in your router to open the ports.
  NOTES
  Jabber File sharing may possibly be on port 1080 as listed in the Server Article I linked you to (I have also seen it written about in other stuff I have come across)
  However Little Snitch does not seem to confirm this either.
  Most time it will be peer-to-peer like the AIM connections for this.
  However some Jabber servers do not seem to allow this and have this Jabber65 Proxy set up which passes things Server to Server in between it leaving your end and arriving at a Buddy.
  This on  Port 7777 but you do not need to open this port (unless you are running a Jabber server)
  I have yet to test File Transfers using a Yahoo Buddy List in iChat 6.
  AppleCare and Geniuses.
  Previously I have been contacted by Geniuses in Stores asking to test customer's iChat.
  They and the Applecare people have details about Apple wants an designed the App to work.
  What they don't have is the knowledge about what it takes to set it up in the "real world".
  There are literally thousands of Makes and Models of routers.
  Some like the Thomson-Alcatel brand state they are SIP/VoIP ready but this means the router strips out all SIP Data trying to send it to a Phone.
  Early models of Alcatels can get around this with a tweak. Later models can't.
  Motorola devices tend not to have UPnP.
  Apple Base Stations have Port Mapping Protocol instead of UPnP and this needs setting up.
  The Zyxel range definitely does not like the dual use of port 5190 and does much better using UPnP (You almost certainly have to do your AIM login on port 443 with these).
  1. I have two computers (MacPro and MacBook Pro) that are both running Lion 10.7.2 and both running iChat 6.0.1.  <<-- Fine
  2. The Netgear router model is: WNDR3700.    <<<<---  With any Brand there are exceptions and I do wonder about this one
  3. The firewall for both Macs is turned on and in the advanced area iChat is listed as being "allowed."  <<<<---- Fine
  4. In iChat, under the video options, "Screen Sharing Allowed" is checked.                                        <<<<<---- Fine
  5. In System Preferences, "Screen Sharing" is checked and this is for "All Users" at present.               <<<<<---- Not Required
  6. There are two separate AIM accounts being used for iChat purposes.                                            <<<<<----  OK
  7. In iChat preferences, each AIM account is "Enabled" under "Account Information" and the "Server Settings" show the Server as "api.oscar.aol.com" and the Port is "443" and "Use SSL" is checked.                                <<<<---- As it should be
  From this and the other info in the first port it was only the router set up that seem to throw some light on a possible cause (Port Forwarding and UPnP conflict)
  If just doing Port Forwarding the ports listed would have covered things (Except the Screen Sharing's random port)
  Regarding your latest post.
  I have  table similar to that on my Sagem 2504Fast Modem/router combined device and it too seems to list a different port on the external side on occasions.
  I would try the router with the Disable SIP ALG unticked (so it is not disabled). If the Help info on the right gives any info about what this Netgear version does it would be helpful.
  Some are like the Thomson-Alcatels I was talking about in that it points the SIP data to a specific place (Possibly a Phone socket on the device)
  Others seem to provide an "boost"  to enable SIP to work and don't seem to get in the way of iChat.
  Try adding the Names in Table 1 from this page and see if you can Video to those.
  There are 6 names in total (I am actually only seeing one on Line as I type)
  9:19 PM      Wednesday; January 25, 2012
  Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
    iMac 2.5Ghz 5i 2011 (Lion 10.7.2)
   G4/1GhzDual MDD (Leopard 10.5.8)
   MacBookPro 2Gb (Snow Leopard 10.6.8)
   Mac OS X (10.6.8),
  "Limit the Logs to the Bits above Binary Images."  No, Seriously

• I cant get screen sharing to work on my home network

  I am trying to connect my macbook pro to screen sharing so i can access it at my school computers, which are all iMacs running 10.6.6. When i was at school, and connected to the wireless network at my school i could screen sharing through the finder>go>connect to server. Once screen sharing was enabled i just entered the vnc address and it connected flawlessly. When i got home, and i set my netgear router( wireless-n 150 model: wnr100v2) for port forwarding start port: 5900 end port:5900 server name vnc, and set the ip address to my computer, and when i tried to screen share from another macbook within my network through the finder>go>connect to server, i could not connect. Oddly when i connected my mobile me, i cold screen share over the network. I want to do a WAN screen sharing and i cannot figure out how do do it. I would appreciate any help because it is very important that i enable this feature.

  I'm a little confused by your explanation (it's late), so I am going to say what I think I read:
  You want to set up your home computer so you can access it via screen sharing from school.
  The home computer needs sys prefs sharing screen sharing enabled, and sys prefs security firewall must allow it, too. You port forward port 5900 through your home router to that home computer, which may or may not require that you use a static "192.168.x.x" (or "10.x.x.x" -- whatever the router's LAN subnet is) LAN IP address on that computer -- some routers require that computers acting as servers have static IPAs -- some routers don't.
  You need to find out what is the public (internet-facing) WAN IP address that your ISP has assigned to your router; it is not the 192.168.x.x (or 10.x.x.x) address given to your home computer by your home router. You can find that by going to http://checkip.dyndns.com on your home computer. Unless you pay extra for a static public IP address from your ISP, ISPs may (and do) change it periodically on you without warning. So vnc://123.45.67.89 may work one day but not the next.
  Some routers have a built-in feature to work around this by allowing the router to advise dynamic DNS servers of any changes in the public-facing IP address of the router. Of course, you need to have established an account with a dynamic DNS provider so you have a host name (like lomberg.noip.com or lomberg.dyndns.com). These are generally free accounts unless you want a special name that doesn't have the dynamic DNS provider as part of your host name.
  If your router does not have this capability, these dynamic DNS providers have a piece of software that you will need to install on your home computer (the "VNC server") that reports changes in your public-facing IP address to their DNS servers.
  Once this is done, then from afar, you can ⌘k to vnc://lomberg.dyndns.com (or whatever you set up your host name to be with dyndns or equivalent outfit) and you don't need to worry about what your ISP has done to you with regards to your public-facing WAN IP address du jour.
  Note that with some (most?) routers, when you are on your home network, you will not be able to vnc to the host name or numeric WAN IPA in this manner. I don't know why it doesn't work, it just doesn't. I've had modems both ways -- my current ISP rental modem doesn't while the previous one (which broke so I had to replace it with my current POS modem) did. So in such case, you have to vnc://192.168.x.x of the "vnc server" computer when you are on the same LAN.
  You are aware that on the client (school) machine, screen sharing preferences can be set to encrypt all data on the connection, not just the username/password negotiation piece, right? I don't know whether that setting persists across sessions or only persists for the duration of the current session. I wouldn't want my client mouse/keyboard and "server" screen video to be transmitted in the clear; that's why I bring this up.
  Does that answer your question? Or did I totally misunderstand what you were asking?

• Screen Sharing / vnc with OS X 10.5.6 fails

  I can not get the Screen Sharing that comes with OS X 10.5.6 to work with any vnc client. The server is my laptop, an MBP 2.4 GHz Intel running OS X 10.5.6.
  *I enable Screen Sharing by doing the following:*
  1) +System Preferences > Sharing > Screen Sharing+ is checked
  2) +System Preferences > Sharing > Screen Sharing > Computer Settings > Anyone may request permission to control screen+ is checked
  3) +System Preferences > Sharing > Screen Sharing > Computer Settings > VNC viewers may control screen with password+ is checked and I've entered a password
  4) I also have Remote Login enabled for SSH access, but no other services are enabled.
  *I see two different behaviors depending on one of two clients that I try using:*
  1) +Chicken of the VNC v2.0b4+ running on same machine- Always says "Connection Terminated / Authentication Failed" without ever asking for a password. Logs the following in system.log (dates, hostnames and pids removed):
  Chicken of the VNC: Server reports Version RFB 003.889
  Chicken of the VNC: Bogus RFB Protocol Version Number from AppleRemoteDesktop, switching to protocol 003.007
  I believe that the information in system.log is OK, and is just warning me that Chicken of the VNC is working around Apple's strange protocol version.
  2) +TightVNC 1.3.9 on Windows XP sp2+- Says "Security type requested", then asks for a password. I enter it, click OK and tightvnc simply waits endlessly.
  *Other Notes:*
  1) I have tried configuring and starting the server using kickstart from the command line as suggested at http://support.apple.com/kb/HT2370 (+sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/k ickstart -activate -configure -access -on -restart -agent -privs -all+)
  2) I have tried unchecking +VNC viewers may control screen with password+, but in this case Chicken of the VNC says "Please configure Apple Remote Desktop to allow VNC Viewers to control the screen. Unknown authType 30,31,32" and TightVNC says "Server did not offer supported security type!"
  3) If I disable the Screen Sharing feature that comes out of the box with OS X, I CAN install and successfully run the OSXVnc server available at http://sourceforge.net/projects/osxvnc/. In this case, both Chicken of the VNC and TightVNC are able to connect.
  *So Apple's Screen Sharing does not work. Does anyone know what the problem is? Are there any log files I can look at, or is there another way I can debug this? I'm not impressed. :)*

  Thanks for the suggestion. It was possible that one of these files had become corrupted, so I tried moving each of these files to another directory but unfortunately I'm still seeing the same behavior.
  Here's what happens with each of these files individually after they're moved:
  1) When I set the VNC password in the system prefs, com.apple.VNCSettings.txt gets re-created (with the same contents as the original unless I change the password, so that just looks like a hash of the password).
  2) com.apple.RemoteManagement.plist also gets recreated when I change the system prefs. If I use "sudo plutil -convert xml1 com.apple.RemoteManagement.plist" I get the following:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>ARD_AllLocalUsers</key>
  <true/>
  <key>ARD_AllLocalUsersPrivs</key>
  <integer>2</integer>
  <key>ScreenSharingReqPermEnabled</key>
  <true/>
  <key>VNCLegacyConnectionsEnabled</key>
  <true/>
  </dict>
  </plist>
  3) For me, com.apple.RemoteDesktop.plist does not exist.
  4) Interestingly, com.apple.ARDAgent.plist does not get created until I run "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/k ickstart -activate -configure -access -on -restart -agent -privs -all". Its XML contents are as follows:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>AdminConnectInfoList</key>
  <dict/>
  <key>AgentLogLevel</key>
  <integer>3</integer>
  <key>ServerConnectInfoList</key>
  <dict/>
  <key>Version</key>
  <real>3</real>
  </dict>
  </plist>
  Looking at this, I tried setting ScreenSharingReqPermEnabled to false, but that didn't help. Then I increased AgentLogLevel to 100 and got a lot of output in system.log (12:28:45 is when I restart the server and 12:29:34 is when I try to connect):
  Feb 24 12:28:45 ARDAgent [749]: ******ARDAgent Launched******
  Feb 24 12:28:45 ARDAgent [749]: got a sessionDict, onConsoleRef is 0xa04cd400
  Feb 24 12:28:45 ARDAgent [749]: grUserOnConsole is 1
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 122
  Feb 24 12:28:45 ARDAgent [749]: LoadMenuExtra: Attempting to unload menu extra
  Feb 24 12:28:45 ARDAgent [749]: PostNotificationForced: Going to send notifation value 9
  Feb 24 12:28:45 ARDAgent [749]: UpdatePrefs: versionFlt : 0.000000 kCurrentPrefsVersion : 3.000000
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 44
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 22
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 100
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 94
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 96
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 18
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 106
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 74
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 130
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 60
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 45
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 65
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 66
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 105
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 115
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 38
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 12
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 61
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 20
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 62
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 39
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 30
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 101
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 53
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 103
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 107
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 109
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 135
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 41
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 110
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 111
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 28
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 36
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 48
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 59
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 57
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 116
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 58
  Feb 24 12:28:45 ARDAgent [749]: InitAppUsageHandlers: Called gTrackingDays is set to 0
  Feb 24 12:28:45 ARDAgent [749]: CheckRFBServerPIDFile: return 679
  Feb 24 12:28:45 ARDAgent [749]: RemoteCommandListenerThread init communications
  Feb 24 12:28:45 ARDAgent [749]: RFBServerStart - did not kill 679
  Feb 24 12:28:45 ARDAgent [749]: DOCStartDOC: No serial number. Task Server not started.
  Feb 24 12:28:45 ARDAgent [749]: DT_InitLocalProcessing: Loading existing tasks from disk.
  Feb 24 12:28:45 ARDAgent [749]: DT_InitLocalProcessing: Found 0 tasks
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 158
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 117
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 118
  Feb 24 12:28:45 ARDAgent [749]: AddHandler: Added handler for cmdCode 162
  Feb 24 12:28:45 ARDAgent [749]: ARD Agent: RFB Server exited quickly after starting - probable failure.
  Feb 24 12:28:45 ARDAgent [749]: PostNotificationForced: Going to send notifation value 6
  Feb 24 12:28:45 ARDAgent [749]: PostNotificationForced: Setting lastNotification to value 6
  Feb 24 12:28:45 ARDAgent [749]: ******ARDAgent Ready******
  Feb 24 12:29:34 Chicken of the VNC[693]: Server reports Version RFB 003.889
  Feb 24 12:29:34 Chicken of the VNC[693]: Bogus RFB Protocol Version Number from AppleRemoteDesktop, switching to protocol 003.007
  Feb 24 12:29:36 ARDAgent [749]: PostNotificationForced: Going to send notifation value 1
  Feb 24 12:29:36 ARDAgent [749]: PostNotificationForced: Got request for kCurrentStateNotification. Sending value 6
  Interesting that it says "ARD Agent: RFB Server exited quickly after starting - probable failure." That doesn't sound too good.
  I will try to watch fs_usage more closely to see what else gets modified and accessed, but I'm increasingly suspicious that there's simply a bug which is showing up under whatever specific conditions I have on my machine. Perhaps the included log info will trigger an idea for someone.

• Screen sharing- not showing who is on my mac

  i've got screen sharing setup on all our macs and works great- HOWEVER, on occasion, a number of things can happen:
  1- i am unable to access a computer even though i accessed it earlier; i need to restart the computer and then it works
  2- when i shut down the computer, a message pops up that 2users are accessing the computer though there is only one or even none on the network that can do so and the remote computer icon shows only 1computer address or no icon present (does that mean someone is hacking my computer?)
  3- when i shut down the computer, a message pops up that there is a user and there is no remote computer icon visible (again, is someone hacking my computer?)
  2 and 3 above concern me the most especially since at times i don't see the screen sharing icon, so don't know who's accessing the computer... and no one knows how to access my main computer which is where this problem occurs. 1 happens on the other macs when trying to access the main computer.
  i've got my network running on a timecapsule with WPA2 personal security, password for timecapsule disk, password for computers, screen sharing set to admin only with no other people listed for access so a bit concerned about this would GREATLY appreciate the help/information anyone has!
  thanks
  ps- i also had this problem in snow leopard

  The upgrade just showed up for me when the criteria was met. Try reindexing your Mac.
  Spotlight: How to re-index folders or volumes -
  http://support.apple.com/kb/ht2409