New features here: New HearthGate version is live

Control returns to your Mac.

Reach your Mac mini, iMac, and MacBook from the systems your people already use.

WindowsApple devicesAndroidLinuxFreeBSD

Meet HearthGate: the Mac-side server layer for secure VNC over SSH. It can use OpenSSH's hybrid ML-KEM key exchange when supported, enforce VNC lockdown through the firewall, and keep familiar RFB/VNC viewers, including full legacy client support, in your workflow. It's also an SSH server you can enforce, key by key: grant one key full SSH and VNC, lock another to VNC-only, so a leaked key exposes the screen and nothing else.

Full SSH server for macOSPer-key SSH + VNC scopePost-quantum ML-KEM key exchangeExpiring keys & session capsInstant revoke with live session kickBrute-force auto-blockSSH port & hardening from the UIConnection hooksEncrypted policy backupAudit trail exportCross-platform connection kitsFull SSH server for macOSPer-key SSH + VNC scopePost-quantum ML-KEM key exchangeExpiring keys & session capsInstant revoke with live session kickBrute-force auto-blockSSH port & hardening from the UIConnection hooksEncrypted policy backupAudit trail exportCross-platform connection kits

Start your full-featured 30-day trial today.

or download the DMGmacOS 14+ · Intel & Apple silicon
HearthGate main screen showing gateway monitor, connection settings, and security statusSILA Security Integration and Lifecycle Architecture teaserHearthGate Guest Access release teaser
Post-quantum-ready SSHOpenSSH's hybrid ML-KEM key exchange is used automatically when the installed SSH stack supports it.
Firewall VNC lockdownThe screen port can stay reachable only through the SSH-gated localhost path.
RFB/VNC viewer compatibilityKeep using common third-party viewers such as RealVNC, Remmina, TigerVNC, TightVNC, MobaXterm, AVNC, and Screens.
Keys scoped to where they belongCreate keys for LAN-only access, internet-only access, or both, with generated authorized_keys constraints enforcing the boundary.
Scripts on connect and disconnectTrigger your own automation when a tunnel opens or closes, with delayed execution, timeouts, and loop protection built in.
SSH hardening from the UIMove the SSH port, bind IPv4/IPv6, set idle timeouts, disable password/root login, and let heartbeat cleanup handle wake events.

Features

Remote Mac access without surrendering the keys.

Admin-requested controls

HearthGate

System Controls let an authorized remote session inspect Mac services, running processes, and live system logs, then start, stop, restart, enable, or disable services without leaving the secure connection.

Services
Restart controls
System logs
HearthGate System Controls showing services, process controls, and system logs