#10631: docs: add MDM stealth mode workaround guide
Labels: docs, app: macos, stale
Cluster: Security Enhancements and Fixes
## Summary
Adds a guide for remotely accessing MDM-managed Macs that have Stealth Mode enabled (common with JAMF/corporate deployments).
## The Problem
Macs with MDM-enforced Stealth Mode drop all inbound packets silently, breaking:
- SSH
- VNC/Screen Sharing
- Tailscale routing
- Even basic pings
## The Solution
Use [bore](https://github.com/ekzhang/bore) to create reverse tunnels. Since the Mac initiates the outbound connection, the firewall allows traffic to flow back through.
## What's Included
- Explanation of why Stealth Mode breaks remote access
- Step-by-step bore tunnel setup
- LaunchAgent configs for persistence
- Troubleshooting tips
## Testing
Tested on a Mac Mini with JAMF MDM and Stealth Mode enabled. Successfully accessed via SSH and VNC through bore tunnels from a different network.
---
Co-authored-by: Kevin Ward <kevin@telnyx.com>
Co-authored-by: Warden (OpenClaw) 🛡️
## Greptile Overview
### Greptile Summary
- Adds a new Mintlify doc page under `docs/platforms/mac/` describing how to regain SSH/VNC access to MDM-managed Macs with macOS Stealth Mode enabled.
- Recommends using `bore` reverse tunnels (Mac initiates outbound connection to a relay) and includes scripts plus `launchd` LaunchAgents for persistence.
- Provides troubleshooting and alternative options (self-host bore, Cloudflare Tunnel, ngrok) for stable endpoints.
- No code changes; documentation-only update scoped to a single new file.
### Confidence Score: 4/5
- Safe to merge after fixing a small doc correctness issue.
- Documentation-only PR; the main issue found is an inconsistency between where the scripts write logs vs where the LaunchAgents write logs, which makes the port-discovery steps unreliable depending on how the user starts bore.
- docs/platforms/mac/mdm-stealth-mode.md
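For whoever owns the MDM policy, the LaunchAgent persistence described in this PR is also what makes these tunnels easy to inventory. The following is an added example, not code from the PR or the project's docs: it parses LaunchAgent plists and reports any that start `bore local`, with the local port and relay; the plist contents, labels and relay host are constructed placeholders, and a LaunchAgent that calls a wrapper script would need that script inspected as well.

```python
import plistlib
from pathlib import PurePosixPath

# Services the PR says it reaches through the tunnel, keyed by default local port.
SENSITIVE_PORTS = {22: "SSH", 5900: "VNC/Screen Sharing"}

def bore_tunnel(plist_bytes):
    """Return a finding for a LaunchAgent that runs `bore local <port>`, else None."""
    job = plistlib.loads(plist_bytes)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if not args or PurePosixPath(args[0]).name != "bore" or "local" not in args[1:]:
        return None
    rest = args[args.index("local", 1) + 1:]
    # First numeric token that is not the value of a preceding --option.
    port = next((int(a) for prev, a in zip(["local"] + rest, rest)
                 if a.isdigit() and not prev.startswith("--")), None)
    relay = rest[rest.index("--to") + 1] if "--to" in rest[:-1] else None
    return {
        "label": job.get("Label"),
        "port": port,
        "service": SENSITIVE_PORTS.get(port, "other"),
        "relay": relay,
        # RunAtLoad starts the job when it is loaded; KeepAlive restarts it on exit.
        "persistent": bool(job.get("RunAtLoad") or job.get("KeepAlive")),
    }

def audit(plists):
    """Take a mapping of file name -> plist bytes, return the list of findings."""
    out = []
    for name, data in sorted(plists.items()):
        finding = bore_tunnel(data)
        if finding:
            out.append({"file": name, **finding})
    return out

# Constructed samples: labels, binary paths and the relay host are placeholders.
SAMPLES = {
    "com.example.bore-ssh.plist": plistlib.dumps({
        "Label": "com.example.bore-ssh",
        "ProgramArguments": ["/opt/homebrew/bin/bore", "local", "22",
                             "--to", "relay.example.net"],
        "RunAtLoad": True, "KeepAlive": True}),
    "com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users/Shared/", "/Volumes/Backup/"]}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

On a real host the input would be the files under `~/Library/LaunchAgents` and `/Library/LaunchAgents`, read as bytes.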