We have a Mac user that needs remote access to their desktop Mac at the church from their Mac laptop at home. My initial thought was to use a VPN connection to the firewall and vnc://. I am looking for what others are using. My four concerns are security, how to manage if the user leaves employment, cost, and ease of use.
Will they be connecting through a personal Mac? Is the VPN access user-based?
User-based VPN access. It’s a work Mac.
We use user-based OpenVPN on our firewall and allow people to install the VPN client on their personal PCs and Macs. Many on our A/V team use the VPN + vnc:// method to remote from the personal Macs at home to the ProPresenter machines in the sanctuary.
Since everyone’s VPN is user-based, I just disable their client/account when their employment ends.
Internally on-site our users were already using vnc:// to remote desktop to the presentation Macs anyway, so the only additional setup for them was adding the VPN client on their personal/remote Macs and making sure they were connected. Then they remote to the Mac just as usual.
We follow best practices for OpenVPN and I think it is relatively secure. OpenVPN was already built into our firewall and part of our license, so there was no additional cost for us.
I hope that helps!
Are both devices work Macs? If so, you have very little to worry about using your proposed method. If the home device is personal, you may have to worry about retaining org data on a personal device, but that would be all. That’s essentially my workflow for managing desktops from home. I VPN in and connect through a VNC-type service (I use Jamf Remote, but Apple Remote Desktop, Screen Sharing on the network, or VNC will all work as well). It is simple and fast. It doesn’t cost anything additional on top of what we’re already paying, and if I were to leave, I would be turning all equipment back in.
We are using VPN for all our retained staff currently during the UK Covid-19 lockdown. We have a Draytek router that is set up for VPN and each member of staff has their own VPN access channel, so we can turn each individual VPN on or off as required. These staff members are using our own Macs at home, linking to the VPN and our AD domain.
Once connected they can access the on-site servers and work as normal using SMB, AFP or HTTP(S).
One user needs to access an on-site machine, which is a Mac. This is done by enabling Screen Sharing on the target machine (Apple Menu/System Preferences/Sharing). You need to allow access for all users on the target machine or specifically add the user’s login account to the access list. The user then connects their VPN link and in the Finder selects Go/Connect to Server, where they type the command vnc://, which brings up a login window. They type in their normal login credentials and a remote screen window is established to the target machine. They then log in on the target machine as if they were at their office desk.
We are using RealVNC for this using the cloud connect option that allows us to bypass the need for the VPN. Prior to the cloud connect option, we used VPN & RealVNC Direct Connect.
We have lots and lots of churches using ConnectWise Control for this. They even have a free version with up to like 3 device licenses.
I’d highly recommend something like this rather than supporting or allowing VPN from personal devices. Lots of security risk and technical challenge supporting VPN on devices you don’t own and manage.
We use LogMeIn for anyone that has to access an onsite device. It works well for those that do use it but it is around $1000 a year for 25 computers.