How to Check If Someone Is Remotely Accessing Your Mac

Quick answer: To check if someone is remotely accessing your Mac, open System Settings > General > Sharing and confirm Screen Sharing, Remote Management, and Remote Login are all off. Then look for the screen-sharing icon in your menu bar, check active connections with who and lsof -i in Terminal, and review which apps have Screen Recording permission.

Your cursor moved on its own for a second. Or a setting changed overnight that you swear you never touched. The first thought everyone has is the worst one: *is someone else on my Mac right now?*

Most of the time, the answer is no. Cursors drift and macOS updates quietly flip settings. But "probably not" isn't "definitely not," and the good news is that your Mac keeps clear records of who can connect and whether anyone currently is. You don't need special software to read them.

> Prefer not to dig through Terminal? Run a free CoreLock Security Score to see every app with screen, mic, camera, or full-disk access in about 60 seconds.

Here's how I check, in roughly the order I'd do it on a machine I was actually worried about.

Start With the Sharing Settings

This is the single most important screen, because remote access on a Mac is *off by default*. If someone is connecting legitimately (or otherwise), one of these toggles almost always has to be on.

Go to System Settings > General > Sharing. Look at three entries in particular:

• Screen Sharing — lets another Mac view and control your screen.
• Remote Management — the more powerful version, used by Apple Remote Desktop and a lot of IT/MDM tools. It can do everything Screen Sharing does and more.
• Remote Login — enables SSH, which gives command-line access to your Mac.

On a personal Mac that you've never deliberately set up for remote support, all three should be off. If any are on and you didn't turn them on, that's the most concrete sign worth taking seriously.

Click the little (i) info button next to Screen Sharing or Remote Management. It shows *which users* are allowed to connect. If you see an account you don't recognize, or "All users" when you expected a single name, tighten it or turn the whole thing off.

While you're here, also glance at Remote Login. If it's on, it lists the users permitted to SSH in. Turning it off closes that door entirely.

Look for the Live Indicators

macOS is actually pretty loud about active screen sharing — you just have to know what to look for.

When someone is currently viewing or controlling your screen, you'll see a purple/blue screen-sharing icon in the menu bar (two overlapping rectangles). Click it and macOS tells you a session is in progress and lets you disconnect. If that icon isn't there, no one is screen-sharing through the built-in macOS feature right now.

There's also the orange and green camera/mic dots. These don't mean remote access on their own, but they're related and worth understanding:

• A green dot near the menu bar means your camera is active.
• An orange dot means your microphone is in use.

If either lights up when you're not on a call and haven't opened anything that should need them, note which app is responsible. Click the Control Center icon in the menu bar and it'll name the app currently using your camera or mic. (Here's a deeper walkthrough on apps recording you.)

Check Who's Actually Logged In

Settings tell you who *can* connect. Terminal tells you who *is*. Open Terminal (Applications > Utilities > Terminal) and run:

who

This lists every user session currently active on your Mac. You'll usually see your own username next to console — that's you, sitting at the physical keyboard. What you're looking for is a second entry, especially one with an IP address in parentheses, which indicates a remote session.

For a fuller picture, try:

w

It shows logged-in users plus what they're running. Again, on a single-person Mac, you should basically only see yourself.

Look at Live Network Connections

Remote access means an open network connection. You can list them directly:

lsof -i | grep LISTEN

This shows processes *listening* for incoming connections. The ports that matter for remote access:

• 5900 — Screen Sharing / VNC
• 22 — SSH (Remote Login)
• 3283 — Remote Management

If you see something listening on port 5900 or 22 and you've confirmed those features are supposed to be off in Sharing settings, that's a contradiction worth running down.

To see *established* connections that are live right now:

lsof -i | grep ESTABLISHED

Plenty of legitimate apps hold network connections — browsers, Dropbox, Messages, backup tools. So this list will look busy and that's normal. What you're hunting for is an unfamiliar process tied to a remote IP, particularly one matching the ports above. A quick search of any process name usually tells you whether it's a known macOS service or something that shouldn't be there.

Scan the Process List

While you're in Terminal, see everything that's running:

ps aux | grep -v grep | sort

Remote-access tools leave processes behind. Names worth knowing: screensharingd and ARDAgent are Apple's own (they run when Screen Sharing or Remote Management is enabled). Third-party remote tools like TeamViewer, AnyDesk, Chrome Remote Desktop, or RealVNC show up under their own names. If you find one of those and never installed it, that's your lead.

You can do the same thing visually in Activity Monitor (Applications > Utilities). Open it, click the Network tab, and sort by data sent or received. Something quietly streaming your screen will usually move a noticeable amount of data. Double-click any process to see its full path and what it's connected to.

For more on telling normal background activity from the suspicious kind, I wrote a whole guide on hidden processes that pairs well with this one.

Review Screen Recording Permission

Even without "remote access" in the classic sense, an app with Screen Recording permission can capture what's on your display. Go to System Settings > Privacy & Security > Screen & System Audio Recording.

This lists every app allowed to record your screen. Go through it honestly — do you recognize each one, and does it make sense? A video-call or screenshot tool, sure. A random utility you barely remember installing? Toggle it off. Revoking here is instant and safe; if an app genuinely needs the permission later, it'll just ask again.

It's worth checking the neighboring lists too while you're on this screen: Accessibility and Input Monitoring. Both grant a lot of control, and remote-control or monitoring tools often request them. Anything unfamiliar can be switched off.

What These Findings Actually Mean

Here's the honest, non-alarmist read on what you might turn up:

• Everything off, nothing weird in Terminal, no menu-bar icon — you're almost certainly fine. The cursor blip was just a cursor blip.
• A sharing toggle is on that you don't remember enabling — this is the most common "real" finding, and it's usually mundane: an IT department's remote support setup, a tool you installed once for screen sharing, or a setting an installer flipped. Turn it off if you don't need it.
• An unknown remote login in who, or an unfamiliar remote-access app running — this is the one to take seriously and act on.

A changed setting by itself is not proof of a hacker. Software updates, family-sharing setups, and forgotten support tools account for the large majority of scares. Match what you find against what you remember installing before jumping to conclusions.

How to Cut Off Access Right Now

If you've found something you don't want, here's the order I'd shut it down:

1. Turn off the sharing toggles. Back in System Settings > General > Sharing, switch off Screen Sharing, Remote Management, and Remote Login. This severs the built-in pathways immediately.
2. Remove unknown users. If the (i) panel listed an account you don't recognize, remove it from the allowed list, then check System Settings > Users & Groups for any account that shouldn't exist.
3. Quit and uninstall unwanted remote tools. Force-quit the process in Activity Monitor, then delete the app and clear its leftover login items in System Settings > General > Login Items & Extensions.
4. Change your important passwords — from a different, trusted device — starting with your Apple Account and email. If anyone had access, assume they could have seen credentials.
5. Disconnect from the network if you need a moment of certainty. Turning off Wi-Fi instantly ends any active remote session while you sort the rest out.

After that, keep an eye on things for a few days. Watch for the sharing toggles flipping back on by themselves or unfamiliar processes returning — that would suggest something is reinstalling itself, which is when a deeper spyware check is worth running.

The Honest Limitations

Manual checks catch the overwhelming majority of real-world cases, because most remote access on a Mac runs through the standard features and tools above. That said, sophisticated malware can hide processes or disguise itself as a system service, and no single Terminal command guarantees a perfectly clean machine.

If you've gone through everything here and still feel uneasy, the next sensible step is to look at the broader signs of a compromised Mac rather than fixating on remote access alone. And if you'd rather not repeat this checklist by hand every time, a tool that watches permissions and access for you is reasonable peace of mind.

> Want the fast version? A free CoreLock Security Score surfaces every app with screen, mic, camera, or full-disk access in about a minute — a quick way to spot anything that could be watching before you go digging through Terminal.

Most of the time, the cursor really was just twitchy. But now you can prove it, instead of wondering.