OpenAI’s AI agent coding tool Codex added a “locked-screen remote control” feature to its weekly Thursday updates in May, allowing users to remotely take over and operate computer applications on a Mac while it is in a locked, black-screen state via the ChatGPT iPhone or iPad app. The implementation uses a low-level accessibility plugin authorized by Apple; when an operation request is initiated from the mobile device, it temporarily unlocks the system.
How locked-screen remote control works: confirmed technical architecture
OpenAI has officially confirmed the complete workflow for this feature as follows:
After users enable the “lock computer usage” option in Codex settings, the mobile ChatGPT app can send an operation request to the Mac. The Mac-side Apple-authorized low-level accessibility plugin receives the request in the background, temporarily unlocks the system to run the target application, and simultaneously projects a pure-black overlay layer onto all connected displays (from the physical sensing perspective, the screen remains fully black). During this period, the system completely blocks input response to the local physical keyboard and mouse cursor. Once any local input is detected, it immediately triggers an emergency lock screen and pauses the automatic unlocking until the user is physically present and manually completes the unlock confirmation.
OpenAI confirms that this backend unlock channel opens only during the short control window authenticated securely on the mobile device; other local software or third-party processes cannot invoke the same channel. User data, credentials, permissions, and local settings remain on the Mac itself and are transmitted through a secure relay layer.
Security boundaries: confirmed prohibited actions in Codex lock-screen mode
Terminal: In this mode, it cannot take over the system Terminal application to prevent unrestricted command execution
Sudo/admin authentication: Cannot secretly perform administrator identity verification or approve system privacy/security pop-ups
Self-control: Cannot affect Codex’s own process or configuration
Cross-process invocation: Other local software or third-party processes cannot access the same backend unlock channel
Frequently asked questions
Does the locked-screen remote control mode require the Mac to stay online and awake?
Yes. OpenAI confirmed that users need to enable the “keep Mac awake” option in Codex settings, or use third-party tools such as Amphetamine to prevent the Mac from entering sleep. If the Mac enters sleep during Codex operation, the mobile app will show the desktop as offline, and remote operations will not be able to continue. This is one of the main known usage limitations for now; 9To5Mac reported that some users say the Mac sometimes still goes to sleep even when wake settings are enabled, and OpenAI has not yet released an official fix explanation for the issue.
How does Apple’s authorized low-level accessibility plugin ensure it can’t be maliciously exploited?
OpenAI’s official description confirms that the plugin is authorized through Apple’s macOS accessibility framework and is subject to multiple system-level restrictions: it only opens the backend unlock during the short window of mobile-side secure authentication, and cannot launch itself; it cannot execute Terminal, sudo, or approve system security pop-ups; other local processes cannot call the same channel. Notably, OpenAI recently issued a warning to Mac users about software supply-chain attacks that could sign certificates affecting OpenAI products (including Codex), and asked users to update to the latest version.
What is the fundamental difference between Codex’s locked-screen remote control function and existing remote desktop tools (such as TeamViewer, AnyDesk)?
Traditional remote desktop tools typically transmit the screen image when the user session is activated, and the remote operator and the local user share the same desktop session, with the local screen usually showing the operations in sync. The key design difference in Codex’s locked-screen remote control is that the screen remains fully black and opaque to the physically present person, and the system visually maintains a locked state. The feature is positioned for running backend long tasks for an AI agent, not for human remote control. The security boundaries are stricter as well (no Terminal or sudo); the design premise is to work with an AI agent workflow, not to enable broad system access.
