This is a known issue that multiple Apple users have reported over time. Unfortunately, Apple’s support team has not effectively addressed it yet.
I cannot connect to my Mac mini through a remote VNC connection
Requirements
- Be the Owner of the Organization in which the actions will be performed, or an IAM user with the necessary permissions
- A Scaleway account logged into the console
- A Mac mini
VNC (Virtual Network Computing) is a system that lets users remotely access and control another computer’s desktop.
For those using Scaleway’s rented Mac mini, VNC can be activated by turning on either the “Screen Sharing” or “Remote Management” options in the system preferences. Once set up, you can connect to the Mac mini from another device using its IP address or hostname through VNC clients like RealVNC, TightVNC, and others.
However, some users who have updated their macOS have faced issues with this feature, receiving error messages like “Connection failed to <Mac_mini_address>” and “Make sure Screen Sharing or Remote Management is enabled on the remote computer” under the Sharing section of System Preferences.
Upon further analysis, we found a design flaw in macOS, where brute-force attacks performed by malicious actors could result in the service halting. Find out more about this issue on our blog.
As a precaution, every Mac mini comes with a preinstalled fail2ban service (a tool that parses logs, notices authentication failures, and configures the firewall. Refer to our fail2ban tutorial for further information). For added security and to ensure VNC service reliability, you can restrict access to macOS Screen Sharing to certain static IPs. This can be done by tweaking your network settings and using macOS’s built-in firewall, pf (Packet Filter), to manage incoming connections.
Enable and configure pf (Packet Filter)
You have to create a custom rule set for pf to only allow incoming Screen Sharing connections from your static IP.
We strongly advise using SSH for this procedure to prevent any risk of losing connection to your machine in the event of a faulty configuration.
- Run the following command to connect to your Mac mini:
    ssh <your_mac_mini_username>@<your_mac_mini_ip>
- Back up the original pf.conf file by copying it to a different location.
    sudo cp /etc/pf.conf /etc/pf.conf.backup
- Edit the pf.conf file with a command like sudo nano /etc/pf.conf.
- Add the following lines to write rules that block all incoming connections on the Screen Sharing port, except for the desired IP.
    [...]
    ## Add these lines to block connections to port 5900 except from your static IP
    block in on en0 proto tcp from any to any port 5900
    pass in on en0 proto tcp from <static IP> to any port 5900
  In the example above, en0 should be replaced with the network interface you are using (you may discover the name of your network interface using the ifconfig command), and <static IP> should be the static IP address you are allowing. Port 5900 is typically used for VNC/screen sharing services.
- Save and close the file (if you are using nano: type Y to confirm your changes, Enter to save, and Control-X to close).
- Run sudo pfctl -f /etc/pf.conf to load the new pf configuration.
- Initiate a Screen Sharing session from the approved IP address and ensure it connects. Also, test from a different IP address to confirm it does not allow the connection.
- Any changes in your network configuration or the external static IP might require updates to this configuration. Keep this in mind, and adjust as necessary.
- Remember that this setup can cause issues if the static IP changes for some reason. You can access your Mac mini using SSH to update the configuration.
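The procedure above as a script, added here as an example and not part of Scaleway's documentation: it generalizes the rule pair to several allowed IPv4 addresses and has pfctl parse the candidate file before /etc/pf.conf is replaced, so a typo cannot leave a broken ruleset in place. The function names, the en0 interface and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not Scaleway's script. IPv4 only; sample addresses are constructed.
# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print the rules: block inbound TCP 5900 on the interface, then pass each allowed IP.
# pf applies the last matching rule, so the pass lines must come after the block line.
vnc_rules() {
  iface=$1
  case "$iface" in
    ""|*[!a-z0-9]*) echo "bad interface name: $iface" >&2; return 1 ;;
  esac
  shift
  [ "$#" -gt 0 ] || { echo "no allowed IP given" >&2; return 1; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
  done
  echo "block in on $iface proto tcp from any to any port 5900"
  for ip in "$@"; do
    echo "pass in on $iface proto tcp from $ip to any port 5900"
  done
}

# Run as root over SSH. Builds a candidate file, lets pfctl parse it without loading
# (-n), and only then backs up and replaces /etc/pf.conf and loads the rules.
apply_vnc_rules() {
  candidate=$(mktemp /tmp/pf.conf.XXXXXX) || return 1
  if { cat /etc/pf.conf && vnc_rules "$@"; } > "$candidate" &&
     pfctl -n -f "$candidate"; then
    cp /etc/pf.conf /etc/pf.conf.backup && cp "$candidate" /etc/pf.conf &&
      pfctl -f /etc/pf.conf && pfctl -sr   # load, then list the active rules
    status=$?
  else
    echo "rules rejected, /etc/pf.conf left untouched" >&2; status=1
  fi
  rm -f "$candidate"; return "$status"
}
# Usage on the Mac mini: apply_vnc_rules en0 203.0.113.10 198.51.100.7
```

The rules are enforced only while pf is enabled; sudo pfctl -e enables it.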
Restarting screen sharing via SSH
If your Mac’s screen-sharing service stops responding, you can restart it from SSH.
- Run the following command to connect to your Mac mini:
    ssh <your_mac_mini_username>@<your_mac_mini_ip>
- Execute the command below to force termination of the Screen Sharing daemon:
    sudo killall screensharingd
  The screensharingd service will automatically restart upon the next incoming connection.
Troubleshooting connection issues
Verify your latest upgrade has not reset your system preferences
Even though it is uncommon for system preferences to be reset during an upgrade, double-checking is always best practice. Make sure there was no reset due to compatibility issues or significant changes between the old and new versions of the OS.
Verify whether Screen sharing or Remote management is enabled
Make sure that either “Screen sharing” or “Remote management” is enabled on your Mac mini. Go to System Settings > General, then verify that Sharing is ticked.
Verify that incoming VNC connections are not blocked by the firewall
Make sure that your Mac mini firewall allows incoming connections for your VNC client. Go to System Settings and then, depending on the OS version, Firewall will be located in either Network or Security & Privacy.