Unauthorized Screen Sharing on MacBook Air

My questions...how can I tell if and where to my screen was being shared.

Your screen is being observed. "Where to" is an open question I'll get to presently.

There have been some semi-recent concerns about a person close to me potentially accessing/spying etc. that were never confirmed. The person is on the same home network and would have access to my computer.

This is a major red flag. That Mac has been compromised, that much is certain. What you do about that fact is for you to decide now. Consider the legal implications, which I will not go into here.

Explanation: Given physical, hands-on access to a Mac makes it possible for someone to create an account with Admin privileges that can be difficult to find. Doing that requires zero programming effort and only a few minutes of time. Such an effort cannot even reasonably be described as "hacking".

I will not provide further details but the following salient points are relevant. Such an unauthorized user will not:

• appear at the login screen
• appear in System Settings
• appear in the User dropdown menu in a Mac's menu bar

How would you like to proceed?

Before you answer, consider the fact that you are using a compromised Mac and that whatever you say (do, write, etc) with it can be used by that unauthorized individual or entity for whatever purpose that may entail.

If I were you I'd stop using that Mac, right now. Unplug it, put it away.

The macOS application firewall has nothing to do with it. It and related settings have zero bearing on the situation and cannot possibly help. Before you ask, neither do any non-Apple "anti-virus" or "security" software efforts so don't bother looking for a solution there.

Stop using that Mac.

As much as this is a last option would wiping it clean and starting over fix this?

It will remove all User Accounts and data. You don't need an Apple Store to do that.

You must separately secure your Apple Account information as well as your network.

Erase your Mac and reset it to factory settings - Apple Support

If you think your Apple Account has been compromised - Apple Support

Once you have secured the Mac itself, use a different password than you have been using:

Change the login password on Mac - Apple Support

Change passwords for every other service you may use that require login credentials and similar authorization. I realize it's probably a long list that will be time-consuming to review.

Restricting physical access to devices (Macs, network devices, your iPhone) is also a requirement.

Using a compromised Mac to determine who else has been using it is not practicable nor is it advisable due to the likelihood that you are using the very equipment that itself may be considered evidence in a criminal investigation.

Other than those mundane technical aspects of device security that's all I can recommend on this site.

CanNeverPickANameForThese wrote:

I googled a bit and it says to check the activity monitor app, which I don't seem to have. I thought I did at some point. I checked activity logs a few months ago but I don't remember how I accessed them.

You will find the Activity Monitor application inside of the Utilities folder inside of the Applications folder.

However, it doesn't sound like Activity Monitor is the application that you want. It shows things like CPU usage, memory usage, disk usage, and network usage that can help in figuring out performance problems.

Should there be an administrator set up on a computer that no one else should be accessing? How can I find out who that administrator is?

There should definitely be a local administrator set up for the computer – you. Check System Settings > Users & Groups. As for allowing any sort of sharing (System Settings > General > Sharing), you can carefully review all of the types of sharing you do, or simply turn sharing off.

Make sure that you have your own Apple ID that you are not sharing with anyone else, and that the password is one that nobody else knows. Anyone who knew your Apple ID and Apple ID password would have the ability to log into iCloud and view any data you synchronized to iCloud – no hacking skills required.

If you think your Apple Account has been compromised - Apple Support

All Macs running macOS / Mac OS X should have at least one user with Admin privileges. Normally, when you set up a new Mac, that user would be you. If you added other users, you could decide which should have Admin privileges, and which shouldn't. You really don't want to strip Admin privileges from all users – and hopefully the system would not let you. Then you could be locked out of installing applications and changing certain System Settings.

macOS accounts can have one of four basic privilege levels;

• root. In Unix systems, root is the superuser. It "owns" the entire machine and can do anything with the machine that it likes. By default, macOS disables interactive logins to root, although large parts of macOS run at the root level.
• Admin. An Admin user normally runs as a regular user, without privileges, but can temporarily gain privileges by authenticating themselves. When you install an application, try to change permissions, or try to change certain System Settings, and you get a prompt asking you to authenticate as an Admin user, that's what's going on. An Admin user might also have more privileges to modify certain files than a Regular or Guest user would have, due to the way that file permissions are set.
• Regular. A user with no special privileges, not even the ability to temporarily assume elevated ones.
• Guest. A special kind of user who is more restricted even than a regular user. When a Guest user logs out, the Mac wipes all of the files in their account. (See: Change Guest User settings on Mac - Apple Support)

This is what the setup on my Mac looks like. I did not create the Guest User account. The Mac set up one, but left it disabled.

I believe this would be the default setting for Screen Sharing.

It's turned off, but if it was turned on, the "Only these users" selection would restrict access to Administrators, as opposed to allowing it for "All users".

Interpreting logs can be hard even for software developers. Especially if they are ones who are not familiar with the subsystem(s) in question, and who do not have access to source code.

The idea behind many log messages is to provide some visibility into which code paths are being taken, but the rate at which computers process instructions and can generate log messages is such that it is very easy for the messages to overwhelm the capacity even of the original developer to read them all.

I don't know where to go for a log of screen sharing activity (if such even exists), but poking around random logs will be an exercise in wasting your time, and possibly in getting alarmed for no good reason.