AWS : Create a macOS Desktop


Ever wanted to play around with a macOS environment but never had the opportunity or the money, and tried to virtualize one without ever getting it to work? The good news is that Amazon has done it for you. But how do you get it working? AWS recently launched macOS AMIs as part of its bare metal offering. A host is leased for a minimum of 24 hours at USD 1.083 per hour, so about USD 26 for the mandatory first day, and then USD 1.083 for each extra hour. For now the machines are Intel Core i7 Mac minis with 32 GB of RAM. Do the math and this is actually very expensive if you plan to use it long term: other websites point out that after about 77 days of rent you have paid the price of a real Mac mini. So use it with caution; for a week or so of quick testing, I think it is valuable.

Let's macOS in the Cloud !

First, of course, you need an AWS account. The free tier is not eligible because you need a Dedicated Host. In an enterprise environment this is easy, because you usually have an "unlimited" subscription and can test any AWS feature for a couple of days and then throw it away.

I struggled a full day to find all the right parameters. With a bit of googling I was able to ssh to the machine; the tricky part was remote access to the graphical desktop. I collected the information from various websites (this one in Japanese was one of the key sources) and I explain all the relevant steps in this blog post.

Go to EC2 and launch a new instance. You can choose between two AMIs, Catalina or Mojave. The biggest difference is which applications you can run: if you still depend on 32-bit apps, choose Mojave, since Catalina only runs 64-bit apps.

Let's go with Catalina in our case. The next step is the instance type, and there is no choice: it will be mac1 / mac1.metal. Amazon indeed bought an impressive quantity of Mac minis (see picture above), and your instance will be a real bare metal Mac mini.

The next screen is important. Choose your network, your subnet and a Dedicated Host. If you do not have one yet, you have to create a new one of the right type (mac1); this is where I spent most of my morning trying to figure out which one was right.

Click Allocate. When the host is allocated, go back to the Instances screen and launch a new instance again, with the Catalina AMI and the mac1.metal instance type. On the Configure Instance Details screen, be sure to select the VPC in which your Dedicated Host was created above; you should then be able to select the Dedicated Host. Pay attention to the Availability Zone: the subnet you pick must be in the same Availability Zone as the Dedicated Host, otherwise the launch is rejected!

The next screen is about storage. I chose 128 GB, encrypted with the default (AWS managed) EBS key. You can add an additional EBS volume if you want, but of course it has an extra cost. For this example I'll stick with a single 128 GB volume.

The next step is adding a tag; it is always easier to give an instance a friendly name.

You can now click Review and Launch, then Launch. You will be prompted to create a key pair or use an existing one to authenticate to your new machine.

Now you can take a break and come back later: provisioning the machine takes time. In this example it took 10 minutes for the machine to be ready.

While waiting, this is the perfect time to fine-tune the security group and open the SSH (tcp/22) and VNC (tcp/5900) ports.

Go to Network & Security / Security Groups and create a new one. Here is mine for your reference:

This is not really secure, since I have opened both ports to anywhere (0.0.0.0/0), but for a short test it is acceptable. A better rule set allows only your own public IP (a /32) on tcp/22 and does not expose tcp/5900 at all: tunnel VNC through the SSH session instead. Now go back to your instance and apply the security group to it.

In the next screen you just need to remove the default security group and add the one we just created. Once completed, you should be able to access your machine with your key (be sure to restrict the permissions of the private key file first, since ssh refuses a world-readable key).

If this is not working, you probably need to wait a little longer for the creation process to complete.
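The whole console procedure above, scripted with the AWS CLI, as an added example (my script, not the author's and not AWS documentation): it reuses or allocates a mac1.metal Dedicated Host in the subnet's Availability Zone, refuses to launch when host and subnet are in different zones, creates a security group that admits only your own public IP, and launches the instance on an encrypted 128 GB root volume with the same Name tag as in the post. The AMI id, subnet id and key-pair name come from environment variables whose names (AMI, SUBNET_ID, KEY_NAME, optional HOST_ID and OPEN_VNC) are my choice, as are the security group name mac1-admin and the use of checkip.amazonaws.com to find your public address. The pure helpers are kept apart from the aws calls so the ingress rules and the zone check can be exercised without an AWS account.

```shell
#!/bin/sh
# mac1-launch.sh: allocate (or reuse) a mac1.metal Dedicated Host, create a
# locked-down security group and launch the macOS AMI on that host.
# Dry by default: set MAC1_APPLY=1 to actually call the AWS API.
set -eu

# --- pure helpers (no AWS calls) --------------------------------------------

# admin_cidr IP -> IP/32. Shape check only (four dotted decimal groups, ASCII):
# a range, a hostname or an empty string is rejected so that a typo cannot
# silently become a 0.0.0.0/0 rule.
admin_cidr() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) echo "admin_cidr: not an IPv4 address: '$1'" >&2; return 1 ;;
    *.*.*.*) printf '%s/32\n' "$1" ;;
    *) echo "admin_cidr: not an IPv4 address: '$1'" >&2; return 1 ;;
  esac
}

# ingress_rules CIDR [vnc] -> IpPermissions JSON for authorize-security-group-ingress.
# tcp/22 is always opened to CIDR; tcp/5900 only when the second argument is
# "vnc", because the ARD legacy VNC password is a weak 8-character secret and
# the safer pattern is to tunnel VNC through the SSH session.
ingress_rules() {
  cidr=$1
  rules="{\"IpProtocol\":\"tcp\",\"FromPort\":22,\"ToPort\":22,\"IpRanges\":[{\"CidrIp\":\"$cidr\",\"Description\":\"ssh admin\"}]}"
  if [ "${2:-}" = "vnc" ]; then
    rules="$rules,{\"IpProtocol\":\"tcp\",\"FromPort\":5900,\"ToPort\":5900,\"IpRanges\":[{\"CidrIp\":\"$cidr\",\"Description\":\"vnc admin\"}]}"
  fi
  printf '[%s]\n' "$rules"
}

# same_az HOST_AZ SUBNET_AZ -> success only when both zones match; a mismatch
# is exactly the launch error the console procedure runs into.
same_az() { [ "$1" = "$2" ]; }

# --- AWS calls ---------------------------------------------------------------

# host_in_az AZ -> id of an available, empty mac1.metal host in AZ, allocating
# one when none exists (a new host is billed for at least 24 hours).
host_in_az() {
  id=$(aws ec2 describe-hosts \
        --filter Name=instance-type,Values=mac1.metal Name=availability-zone,Values="$1" Name=state,Values=available \
        --query 'Hosts[?length(Instances)==`0`].HostId | [0]' --output text)
  if [ -z "$id" ] || [ "$id" = "None" ]; then
    id=$(aws ec2 allocate-hosts --availability-zone "$1" --instance-type mac1.metal \
          --quantity 1 --auto-placement off --query 'HostIds[0]' --output text)
  fi
  echo "$id"
}

main() {
  ami=${AMI:?macOS Catalina AMI id from the EC2 console}
  subnet=${SUBNET_ID:?subnet id}
  key=${KEY_NAME:?EC2 key pair name}
  az=$(aws ec2 describe-subnets --subnet-ids "$subnet" --query 'Subnets[0].AvailabilityZone' --output text)
  vpc=$(aws ec2 describe-subnets --subnet-ids "$subnet" --query 'Subnets[0].VpcId' --output text)
  host=${HOST_ID:-$(host_in_az "$az")}
  host_az=$(aws ec2 describe-hosts --host-ids "$host" --query 'Hosts[0].AvailabilityZone' --output text)
  same_az "$host_az" "$az" || { echo "host $host is in $host_az, subnet $subnet is in $az" >&2; exit 1; }
  cidr=$(admin_cidr "$(curl -fsS https://checkip.amazonaws.com)")
  sg=$(aws ec2 create-security-group --group-name mac1-admin --description 'mac1.metal admin access' \
        --vpc-id "$vpc" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --ip-permissions "$(ingress_rules "$cidr" "${OPEN_VNC:-}")"
  # ask the AMI for its root device name instead of hard-coding one
  root=$(aws ec2 describe-images --image-ids "$ami" --query 'Images[0].RootDeviceName' --output text)
  aws ec2 run-instances --image-id "$ami" --instance-type mac1.metal --count 1 --key-name "$key" \
    --subnet-id "$subnet" --security-group-ids "$sg" --placement "Tenancy=host,HostId=$host" \
    --block-device-mappings "[{\"DeviceName\":\"$root\",\"Ebs\":{\"VolumeSize\":128,\"Encrypted\":true,\"DeleteOnTermination\":true}}]" \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=mac1-catalina}]' \
    --query 'Instances[0].InstanceId' --output text
}

if [ "${MAC1_APPLY:-0}" = "1" ]; then main; fi
```

Run it as `MAC1_APPLY=1 AMI=ami-... SUBNET_ID=subnet-... KEY_NAME=Fred sh mac1-launch.sh`; it prints the new instance id. Leave OPEN_VNC unset unless you really want tcp/5900 reachable from your address.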

 MacBook-Air:~$ chmod 400 Fred.pem
 MacBook-Air:~$ ssh -i "Fred.pem" ec2-user@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:tQit9ZPrQrw7fBfuG8evuYV2rUw8ILNzQ3dnEc5zPWI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.

         __ :'__       __|  __|_  )
      .'`  `-'  ``.    _|  (     /
     :          .-'   ___|\___|___|
     :         :
      :         `-;   Amazon EC2
       `.__.-.__.'    macOS Catalina 10.15.7

ec2-user@Mac-mini ~ %

Graphical Desktop

OK, that was the easy part! Now that you have CLI access to the machine, you can enable the remote desktop. It uses VNC, and there is a VNC client for every common OS, which is handy. I will use my Mac to connect to this Mac mini; you may use the client you like.

The procedure below enables remote access to the macOS desktop (Remote Management / Screen Sharing), which is disabled by default.

Type the following commands to get it working:

ec2-user@Mac-mini ~ % sudo /System/Library/CoreServices/RemoteManagement/ -configure -allowAccessFor -allUsers -privs -all

Setting allow all users to YES.
Setting all users privileges to 1073742079.
ec2-user@Mac-mini ~ % sudo /System/Library/CoreServices/RemoteManagement/ -configure -clientopts -setvnclegacy -vnclegacy yes

Set the client options.
ec2-user@Mac-mini ~ % sudo /System/Library/CoreServices/RemoteManagement/ -configure -clientopts -setvncpw -vncpw XXXXXX

Set the client options.
ec2-user@Mac-mini ~ % sudo /System/Library/CoreServices/RemoteManagement/ -restart -agent -console

Stopped ARD Agent.
ec2-user@Mac-mini ~ % sudo /System/Library/CoreServices/RemoteManagement/ -activate

Warning: macos 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.
Activated Remote Management.

Note: the last command prints a warning (in red in your console). There is a way around this limitation with these two additional commands, which force-enable the Screen Sharing launch daemon:

ec2-user@Mac-mini ~ % sudo defaults write /var/db/launchd.db/ -dict Disabled -bool false

ec2-user@Mac-mini ~ % sudo launchctl load -w /System/Library/LaunchDaemons/

/System/Library/LaunchDaemons/ service already loaded

Now set a login password for ec2-user. This is not the VNC password (that one was set above with -setvncpw, as XXXXXX); it is the account password the macOS login screen will ask for, and ec2-user has none by default because the instance is key-only. Be aware that a password given on the command line ends up in your shell history and, briefly, in the process list:

ec2-user@Mac-mini ~ % sudo /usr/bin/dscl . -passwd /Users/ec2-user PasswOrd!

The passwd command below does the same thing interactively, without leaving the password in the history; one of the two is enough:

ec2-user@Mac-mini ~ % sudo passwd ec2-user
Changing password for ec2-user.
New password:
Retype new password:
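The remote-management steps above collected into one script to run on the instance over ssh, as an added example (mine, not the author's). It assumes the standard Catalina locations: kickstart under ARDAgent.app inside /System/Library/CoreServices/RemoteManagement, the launchd overrides file at /var/db/launchd.db/com.apple.launchd/overrides.plist and the com.apple.screensharing launch daemon. Unlike the one-liners above it never takes a secret on its own command line: the VNC password and the ec2-user login password are read from the terminal, and the VNC password is checked against the 8-byte limit of legacy VNC authentication before it is set. The environment variable ENABLE_VNC_APPLY that guards the main routine is my choice.

```shell
#!/bin/sh
# enable-vnc.sh: run on the mac1.metal instance as root to enable Remote
# Management with legacy VNC authentication and give ec2-user a login password.
# Dry by default: set ENABLE_VNC_APPLY=1 to apply the changes.
set -eu

KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
OVERRIDES=/var/db/launchd.db/com.apple.launchd/overrides.plist   # Catalina location
SCREENSHARING=/System/Library/LaunchDaemons/com.apple.screensharing.plist

# vnc_password_ok PW -> success when PW is usable as a legacy VNC password.
# Legacy VNC authentication (DES challenge/response) only ever uses the first
# 8 bytes of the password, so anything longer is silently truncated. Insist on
# exactly 8 non-blank characters rather than let a 20-character password give
# a false sense of security. ASCII is assumed.
vnc_password_ok() {
  case "$1" in *' '*) return 1 ;; esac
  [ "${#1}" -eq 8 ]
}

# read_secret PROMPT -> prints the value typed at the terminal without echo
read_secret() {
  printf '%s: ' "$1" >&2
  stty -echo
  read -r value || value=
  stty echo
  echo >&2
  printf '%s\n' "$value"
}

# enable_remote_management VNCPW: the five kickstart calls from the post plus
# the launchd override that replaces the System Preferences checkbox
enable_remote_management() {
  # let every local user control the screen with all privileges
  "$KICKSTART" -configure -allowAccessFor -allUsers -privs -all
  # accept plain VNC clients (legacy auth); the password still crosses argv here
  "$KICKSTART" -configure -clientopts -setvnclegacy -vnclegacy yes
  "$KICKSTART" -configure -clientopts -setvncpw -vncpw "$1"
  "$KICKSTART" -restart -agent -console
  # on 10.14+ -activate warns that Screen Sharing must be enabled in System
  # Preferences; on a headless instance, force the launch daemon on instead
  "$KICKSTART" -activate || true
  defaults write "$OVERRIDES" com.apple.screensharing -dict Disabled -bool false
  launchctl load -w "$SCREENSHARING" || true   # "service already loaded" is fine
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run this script with sudo" >&2; exit 1; }
  vncpw=$(read_secret "VNC password (exactly 8 characters)")
  vnc_password_ok "$vncpw" || { echo "VNC password must be exactly 8 non-blank characters" >&2; exit 1; }
  enable_remote_management "$vncpw"
  # ec2-user is key-only by default; the macOS login screen needs a real password
  passwd ec2-user
}

if [ "${ENABLE_VNC_APPLY:-0}" = "1" ]; then main; fi
```

Copy it to the instance and run `sudo env ENABLE_VNC_APPLY=1 sh enable-vnc.sh`. Then, rather than opening tcp/5900 in the security group, start a tunnel from your workstation with `ssh -i Fred.pem -N -L 5901:127.0.0.1:5900 ec2-user@<ip>` and point the VNC client at `vnc://127.0.0.1:5901` (5901 locally so it does not clash with your own Mac's Screen Sharing port); the legacy VNC password then only ever travels inside the SSH session.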

The next and last step is accessing the desktop. Start your VNC client and enter the public IPv4 address of your instance (you can find it in the instance details in the AWS console).

On a Mac, simply go to the Finder, press Cmd+K, and enter the following address in the window that opens: vnc://<ip>

If you have followed all the steps above carefully, you should reach your VNC server and be prompted for the VNC password set above with -setvncpw:

Next, you should see the macOS Catalina logon screen : 

Enter the login password you set above for ec2-user and you should reach the desktop:

Final note: a Dedicated Host is billed for a minimum of 24 hours, and terminating the instance does not release it. You have to release the host yourself from the Dedicated Hosts screen, and AWS only lets you do that once the first 24 hours have elapsed, so do not be surprised to still see it in the list until then.

AWS has announced M1 support for early 2021, and I am very curious to see it in action. As of today (Dec '20), this Mac offering is only available in a few regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Ireland) and Asia Pacific (Singapore), with other regions to follow.

I hope this helps other people; I really struggled to get this working ;-)

(And you know what? You can back up this machine with Rubrik, but that is probably another blog post ;))

That's all folks !


  1. Hello, have you find out how to change the resolution for something bigger? I'm stuck at 1024x768, thank you.

    1. Unfortunately, there currently isn't any way to change the resolution, at least for now.

  2. Hi, Thank you for sharing the article. Really helpful. But I am getting an error as `Invalid endpoint: port not correctly specified`. Do you know how to fix it?

  3. I don't understand why do you want to connect a macOS from another macOS?
    What's the point here?

