Is there any way to change it from the default 5900 to some other port?


You actually can switch the default port for Apple's VNC server on Mac OS 10.7 Lion and 10.8 Mountain Lion. To change the port, you need to edit the server's plist file /System/Library/LaunchDaemons/com.apple.screensharing.plist (this file doesn't exist in systems prior to 10.7 Lion).

Editing the file requires root (sudo) privileges. In the terminal, if you are familiar with vi or vim, you can type:

sudo vim /System/Library/LaunchDaemons/com.apple.screensharing.plist

or if you're not, you'd better use nano:

sudo nano /System/Library/LaunchDaemons/com.apple.screensharing.plist

Now, all you have to do is change line 34 (the one that reads <string>vnc-server</string>) to <string>nnnn</string> where nnnn is the port number you wish to use. I know it seems weird changing a name like "vnc-server" to a number, but that's the way you have to do it. I've included an example below in case anything's not clear.

To change the default port to 54321, you would edit the plist file to look like this:

          <string>54321</string>            <!-- Change this line! -->

After saving the file, to make the change take effect, turn Screen Sharing off and then on again in the Sharing preference pane, or alternatively unload and re-load the service using these commands:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.screensharing.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
  • If you're still around -- once you've done this, is there a comparable way to get the built-in Mac screensharing app to connect to that port, or are you stuck using third-party vnc apps that let you specify the port?
    – Jim Miller
    Commented Sep 19, 2013 at 14:11
  • 2
    Answer to above: In "Connect to server...", specify vnc://yourserver.com:54321 (following the earlier example re port number)
    – Jim Miller
    Commented Sep 19, 2013 at 14:36
  • If this works (I can't check until tonight) you deserve a whole lot more upvotes. Commented Oct 11, 2013 at 10:14
  • 1
    To confirm, yes you would need to do this after each OS update (including incremental updates). Commented Oct 24, 2013 at 6:54
  • 1
    To add one more note to this, the new 'rootless' feature of OS X 10.11 El Capitan means it is no longer possible to save this particular file without disabling the rootless feature, which is not recommended. Anyone know a workaround without disabling rootless? Commented Oct 4, 2015 at 9:31

I can confirm after finding this thread via Google that editing /etc/services for the "rfb" ports will change the included VNC server's listening ports.

I edited the file and rebooted (usually I'd try restarting services or unloading the launchdeamon but I was having some other issues as well and didn't bother). iTeleport on my iPad then failed to connect on 5900 and succeeded on the high unprivileged port I chose.

  • This answer may now be the solution to use with El Capitan 10.11. Commented Oct 6, 2015 at 7:46
  • To confirm, this is now probably the best solution for El Capitan 10.11 without disabling rootless. Commented Oct 7, 2015 at 19:44
  • This worked for File Sharing (smb) as well! I changed the port for "Microsoft-DS" Commented Sep 2, 2017 at 15:24
  • @PaulSkinner Doesn't rootless protect everything in /etc? (I have it disabled so I wouldn't know) Commented Sep 2, 2017 at 15:26
  • @Wowfunhappy amazingly, no. Commented Sep 2, 2017 at 15:27

This has been discussed on various forums at apple.com and on macosxhints.com. The short answer is "you can't change it".

The longer answers suggest ways around it -- three possibilities:

  • Use alternate VNC server software
  • Use an ssh tunnel to redirect traffic from your custom port to 5900
  • Configure port mapping in your router to take incoming traffic on a different port to go to port 5900 on your mac.
  • Just for the sake of completeness: some suggest that changing the ports in /etc/Services might do the trick. I tried that (I even rebooted my Mac after changing it) to no avail. And giving it some more thought, it might even be a bad idea to mess with that file, as other applications might also use it to get the well-known port number if they want to connect to some third-party using a specific protocol. (Like: changing the SSH port in that file might seem to work but is a bad idea.)
    – Arjan
    Commented Dec 1, 2010 at 11:07
  • 1
    Note the answer by Greg Canty -- it can be changed on OS X releases after Snow Leopard. This answer was originally written before OS X Lion was released. Commented Nov 21, 2013 at 18:36

Based on the info provided by Greg in this thread I wrote a bash script that will automate the process of changing your system's VNC listening port. Works well in my tests. Let me know if anyone has any issues with it.


#Created by Will D. on 04/10/2015
#If you find it useful (or have suggestions, feedback, etc.), shoot me an email at [email protected].
#Requires Mac OS 10.7.x or later (tested up to and including 10.10.3)
#02/02/2016 - Updated Script to alert for SIP status

#Setting Static Variables
port=`less $sourcepath$filename | awk 'f{print $1;f=0} /SockServiceName/ {f=1}' | awk -F "<|>" '{print $3}'`
os_version=`sw_vers -productVersion`
os_version_aug=`sw_vers -productVersion | awk -F "." '{print $1$2}'`
sip_status=`csrutil status | awk '{print $5}'`
light_red='\033[1;31m' #Light Red
yellow='\033[1;33m' #Yellow


#Check the script is being run by root
if [ "$EUID" -ne 0 ];then
    printf "${light_red}This Script Must Run As Root${nc}\n"
    exit 0

printf ${yellow};echo "---------------------------------------------------------------"
echo "---                                                         ---"
echo "--- This Script Will Change Your Systems VNC Listening Port ---"
echo "---             Hit Ctrl + c to exit at anytime             ---"
echo "---                                                         ---"
echo "---------------------------------------------------------------";printf "${nc}\n"

#Check System Version
sleep 1
if [ "${os_version_aug}" -lt "107" ]; then
echo ""
echo "System OS Must Be Greater Than 10.7.x.  Aborting Script."
exit 0
echo ""
echo "System OS Version is" $os_version
echo "OS Requirement Met √"
echo "--------"

if [ "${os_version_aug}" == "1011" ]; then
    if [ "${sip_status}" == "enabled." ]; then
        echo ""
        printf "${light_red}••• System Integrity Protection is Enabled •••${nc}\n"
        echo ""
        echo "This script modifies /System/Library/LaunchDaemons/com.apple.screensharing.plist"
        echo "Please Disable System Integrity Protection Before Running"
        echo ""
        exit 0

#Give Feedback on Current Port
sleep 1
if [ "${port}" == "vnc-server" ]; then
echo ""
echo "The System's VNC Port is Currently"
echo "Set to the System Default Port of 5900."
echo "--------"
elif [ "${port}" != "vnc-server" ]; then
echo ""
echo "The System's VNC Port is Currently"
echo "Set to a Non-default Port of" $port"."
echo "--------"

#Updating Port
echo ""
printf "What Port Would You Like VNC to Listen On? "
read newport
echo ""
echo "The Following Action Requires an Admin Password."
echo "Note: Your Password Will Be Visible When You Type It"
echo ""
printf "Admin Password? "
read admin_pass
sleep 1
echo ""
echo "Created" $filename".bak."
sleep 1
echo ""
echo "Updating VNC Port to" $newport"..."
echo $admin_pass | sudo -S sed -i.bak -e "s|$port|$newport|g" $sourcepath$filename
sleep 1
echo "Done"
echo ""
sleep 1

#Restarting screensharing process
echo "Restarting Screen Sharing Service..."
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.screensharing.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist
echo "Done"
sleep 1
echo ""
echo "Your System's VNC Port is Now Set to" $newport"."
echo ""
echo "Update Complete.  All Done."

if [ "${os_version_aug}" == "1011" ]; then
    echo ""
    echo "Since you're running El Capitan"
    echo "be sure to re-enable System Integrity Protection"
    exit 0

exit 0
  • When i tried to access the link - i got the error This server could not prove that it is getsome.homeftp.net; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
    – Prasanna
    Commented Apr 10, 2015 at 8:08
  • Sorry about that Mureinik. Code posted instead of a link.
    – Will
    Commented Apr 10, 2015 at 15:22

To change the default port and/or the binding address without disabling System Integrity Protection, you need to create a new LaunchDaemon in /Library.

Unfortunately the screen sharing agent will not work properly when assigned a different label. That means the daemon has to be "shadowing" the original using the same name. That causes it's own problems because on reboot, the system will load the original in /System and ignore the modified version in /Library.

The solution is to disable the LaunchDaemon and use a "launcher" daemon that will forcibly load the modified LaunchDaemon. However care must be taken to still activate Screen Sharing through the preferences orelse it will endup in observe only mode.

Step by step

  1. Activate Screen Sharing in the System Preferences
  2. Execute

    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
  3. Execute

    sudo cp /System/Library/LaunchDaemons/com.apple.screensharing.plist /Library/LaunchDaemons/com.apple.screensharing.plist
  4. In /Library/LaunchDaemons/com.apple.screensharing.plist, edit the Sockets section to look how you want it to. For example listening on localhost:5901:

  5. Create /Library/LaunchDaemons/com.apple.screensharing.launcher.plist with the following content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
  6. Execute

    sudo launchctl load -w /Library/LaunchDaemons/com.apple.screensharing.launcher.plist

After this, the Screen Sharing rights will be provisioned properly, the default daemon will not load automatically, and our launcher will forcibly start our customized daemon.


Note that the solution proposed by @MichaelM and edited by @shrmn still works under Mac OS Sonoma. The original solution does not due to the 'rootless' feature introduced with El Capitan.

Open a terminal and then execute:

sudo vim /etc/services

or if you are more comfortable with nano:

sudo nano /etc/services

The privileged ports are listed in numerically ascending order. Scroll down to the following entries:

rfb             5900/tcp    vnc-server # VNC Server
rfb             5900/udp    vnc-server # VNC Server

Change the '5900' to your port number of choice. Note that both port numbers must be identical.

Reboot and your new ports should be in effect. Tested with Sonoma 14.4

