I want to control my Mac Studio from my iPhone: run commands, vibe code, kick off builds, restart services, check logs — without opening my home network to the internet.
This was inspired by OpenClaw-style “agents controlling a machine”, but I’m intentionally not running OpenClaw (or similar agent runners) on my personal Mac because:
- They’re too powerful for my needs (large surface area = more ways to shoot myself).
- The ecosystem is young, changes fast, and “skills/tools” are an easy supply-chain footgun.
- I’d rather start from a small, boring, battle-tested foundation and build only what I need.
One important correction though: “lightweight” doesn’t automatically mean “secure.”
SSH is also “way too much power” if you leave it open. The difference here is control: we keep the surface area small and we lock it down with keys + private networking.
What we set up/built today
A boring but rock-solid foundation:
- Tailscale (tailnet): puts my Mac + iPhone on a private network.
- SSH: secure remote shell into the Mac (key-based).
- tmux: keeps long-running sessions alive when the phone drops the connection.
This isn’t new tech. The difference is how easy Tailscale makes it: no port forwarding, no public exposure.
1) Install Tailnet (Tailscale)
On the Mac Studio:
brew install --cask tailscale-app
open -a Tailscale
Use the Mac app to sign in to your account + grant VPN permissions.
That’s it. Your Mac is now on your tailnet.
2) Install Tailscale on iPhone
Similarly,
- Install Tailscale from the App Store
- Sign in with the same account
- Allow VPN permissions
Once both are online, your iPhone can reach the Mac via its Tailscale IP (usually 100.x.y.z) or MagicDNS name (if enabled).
3) (Optional) Hardening SSH
Optional but highly recommended. You should disable password SSH logins so only your key works:
sudo code /etc/ssh/sshd_config
# Ensure these exist:
PasswordAuthentication no
PubkeyAuthentication yes
# Restart SSH:
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
4) SSH from iPhone using Termius
This is the “control my Mac” part.
On macOS, enable SSH:
- System Settings → General → Sharing → Remote Login → ON
- Allow access for: Only these users (add your user)
On iPhone, generate an SSH key in Termius:
- Create / import an SSH key (ed25519)
- Copy the public key (starts with ssh-ed25519 …)
Back to macOS, add the public key:
code ~/.ssh/authorized_keys
# Paste the public key on its own line, save
chmod 600 ~/.ssh/authorized_keys
Back to iPhone, in Termius, add a host. It can detect the Mac and basically configure it as:
- Host: your Mac’s Tailscale IP (100.x.y.z) or MagicDNS name (ralph.tailfde47b.ts.net)
- Port: 22
Connect. You now have a shell on your Mac Studio from your phone.
5) (Bonus) tmux: keep sessions alive on mobile
Phones disconnect. Apps get backgrounded. Networks switch. SSH drops. tmux solves that.
# on Mac
brew install tmux
# on iPhone SSH, start a named session
tmux new -s phone
# Run whatever you want inside (builds, logs, scripts).
# Detach (leave it running): Press Ctrl-b, then d
# Reconnect later, resume the session
tmux attach -t phone
That’s the whole “secret sauce”: your work keeps running even when your phone doesn’t.
What’s Next?
This setup gives me full control with a small, understandable surface area:
- Private network first (tailnet)
- Key-based SSH (no passwords)
- Persistent sessions (tmux)
With that, I can already run Codex/Claude over SSH on my Mac, running projects on my local environment.
It lays the foundation for more.
Bonus: tmux lets both iPhone & Mac share a terminal session
This is a killer feature of tmux: start work on your Mac in iTerm, then later attach from your iPhone (or another mac) and continue in the exact same shell session (same output, same running jobs, same state).
Your phone is just another viewer/controller.
# Start a named session on your Mac (in iTerm)
tmux new -s work
# Do your stuff inside tmux. When you want to leave it running:
# Detach: Ctrl-b then d
# Attach from your iPhone (over SSH)
# You will have the shared view with mac!
tmux attach -t work
# Or you can also be the single-controller (steal the session):
# This will DETACH the other clients, and you take over:
tmux attach -d -t work
# Kill the session when you’re done
tmux kill-session -t work
# List sessions (to confirm names):
tmux ls