Disable Screen Sharing

What the Screen Sharing Disabler does

This Automox Worklet™ disables the macOS screen sharing service on your endpoints. The Worklet prevents users and external actors from remotely connecting to the Mac display using the built-in Screen Sharing service (which uses VNC protocol).

The Worklet checks the current state of the screen sharing daemon and, if enabled, unloads the com.apple.screensharing launch daemon. Once disabled, the screen sharing service will not restart unless explicitly re-enabled by an administrator.

Why prevent unauthorized screen access

Screen sharing services give remote users complete visual access to the endpoint desktop. Attackers who compromise network credentials or exploit authentication weaknesses can use screen sharing to observe user activity, capture sensitive data displayed on screen, and interact with applications as if they were sitting at the physical endpoint. Screen sharing exploits have resulted in major data breaches and credential theft incidents.

Organizations that use modern remote access solutions through secure VPN connections do not need macOS built-in screen sharing enabled. Leaving this service active creates an alternative remote access path that may bypass your organization's security controls, logging mechanisms, and authentication requirements. Each additional remote access method increases your attack surface.

How screen sharing disabling works

1. Evaluation phase: The Worklet queries the system launch daemon list using launchctl print-disabled system to check if the com.apple.screensharing service is already disabled. If found, the Worklet reports success and no remediation is needed.

2. Remediation phase: If screen sharing is enabled, the Worklet executes launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist to unload the service and persist the change across system restarts.

Screen sharing disabling requirements

• macOS 10.13 (High Sierra) or later

• Administrator or root privileges to run launchctl commands

• No active screen sharing sessions during remediation

• Supported on both macOS workstations and servers

Expected screen sharing state

After remediation, macOS endpoints no longer accept screen sharing connections. Remote users cannot view or control the endpoint desktop through Apple's built-in screen sharing protocol. Your organization's approved remote access and endpoint management platforms continue functioning normally.com.apple.screensharing daemon will no longer start on boot.

The Worklet verifies screen sharing is disabled through its evaluation check. IT operations teams can confirm the setting by reviewing System Preferences under Sharing or checking Worklet execution results in the Automox console.launchctl print-disabled system | grep com.apple.screensharing. If the output shows => true, screen sharing is disabled as intended.

How to validate disable screen sharing changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable screen sharing.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as exit, else, launchctl, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for disable screen sharing. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as exit, else, launchctl. Use these indicators to verify that endpoint changes match intended policy outcomes.