Extended Security by limiting ScreenSharing connections to localhost only - BlueSkyTools/BlueSkyConnect GitHub Wiki

If ScreenSharing is enabled for connecting to clients, it's best practice to enforce a strong password. When it's not possible to enforce a strong password and ScreenSharing is used for support only, one solution is to limit ScreenSharing to localhost only. ScreenSharing connections then have to be tunneled through SSH (this is the default way BlueSkyConnect does it), which reduces the risk on public networks.

To limit ScreenSharing to localhost, use:

sudo defaults write /Library/Preferences/com.apple.RemoteManagement.plist VNCOnlyLocalConnections -bool yes

After that you need to reload the service:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist && sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

More convenience (and additional trust) can be achieved by asking for a connection:

sudo defaults write /Library/Preferences/com.apple.RemoteManagement.plist ScreenSharingReqPermEnabled -bool yes

This can be used if clients are logged into the machine.
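To confirm on a client that the settings above are in place, the following added example (not part of BlueSkyConnect) reads both keys back and fails when the localhost-only restriction is missing. The function names and the `PREF_READER` override are made up for this example, and it assumes `defaults read` prints `1` or `0` for boolean values.

```shell
#!/bin/sh
# Added example: audit the two preference keys set on this page.
PLIST=/Library/Preferences/com.apple.RemoteManagement.plist

# Command used to read a key. Overridable so the logic can be exercised
# with a stub (PREF_READER is a name invented for this example).
PREF_READER=${PREF_READER:-"defaults read"}

# Print "on", "off" or "unset" for one key of the plist.
pref_state() {
    key=$1
    # `defaults read` exits non-zero when the key or the plist is missing.
    if ! val=$($PREF_READER "$PLIST" "$key" 2>/dev/null); then
        echo unset
        return 0
    fi
    case $val in
        1|true|TRUE|yes|YES) echo on ;;
        0|false|FALSE|no|NO) echo off ;;
        *) echo unset ;;
    esac
}

# Report both keys. Succeeds only when ScreenSharing is limited to
# localhost; the permission prompt is reported but treated as optional.
audit_screensharing() {
    local_only=$(pref_state VNCOnlyLocalConnections)
    ask_perm=$(pref_state ScreenSharingReqPermEnabled)
    echo "VNCOnlyLocalConnections: $local_only"
    echo "ScreenSharingReqPermEnabled: $ask_perm (optional)"
    [ "$local_only" = on ]
}
```

Source the file and call `audit_screensharing`; a non-zero exit status means `VNCOnlyLocalConnections` is off or was never written.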

Additional ScreenSharing commands:

Enable Screensharing:

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

Disable Screensharing:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

A reload of the service is needed after every command.