VShell and HearthGate: An Honest Look at Where an Enterprise SSH Server Ends and a Mac Screen Gateway Begins

It is tempting to line up VShell and HearthGate side by side and score them like two versions of the same thing. That comparison is misleading, because they are not the same kind of product. VShell is a general-purpose secure server: SSH, SFTP, SCP, FTPS, HTTPS, shell access, and port forwarding, with access control lists and event triggers, sold to organizations that need a serious managed file-transfer and SSH service. It runs on Windows, Linux, and macOS, and it has been doing this for more than twenty years.

HearthGate is narrower and deliberately Mac-specific. It does not try to be a file-transfer server. It wraps the native macOS Screen Sharing path in managed SSH, restricted keys, connection packages, firewall-enforced VNC lockdown, live session visibility, and one-click revocation. If you score the two feature for feature as SSH servers, HearthGate loses, because being a general SSH server is not the job it set out to do.

So the honest comparison is not "which one wins." It is "which job do you actually have."

VShell earns real respect, and pretending otherwise would be dishonest. It supports a broad set of protocols in one server, it gives administrators fine-grained access control lists, it can run commands and scripts on server events through its trigger system, and it scales from a small workgroup license to unrestricted enterprise connections. It is the kind of vendor a regulated organization can put through procurement without raising eyebrows, with a track record that reaches back to the early 2000s and a customer base that includes large, security-serious institutions.

If your problem is "serve files securely across a fleet, with audited transfers and managed SSH on many machines," VShell is a legitimate, mature answer. HearthGate is not trying to take that job away from it, and this article is not going to pretend the two are interchangeable.

Apple already ships two useful pieces on every Mac: Screen Sharing and OpenSSH. What Apple does not ship is the operational layer around them. Out of the box, you are the one who decides how the screen service is exposed, which keys may connect, whether VNC is reachable directly or only through a local tunnel, how to hand a working connection to a non-technical colleague, how to see who is connected right now, and how to revoke access the moment someone leaves.

HearthGate is that operational layer, built natively for macOS. It keeps Apple Screen Sharing as the server and adds the parts that turn it into a managed gateway: per-key profiles that can be restricted to VNC-only tunneling; SSH-gated localhost VNC, so the screen port is never directly exposed; connection packages and scripts for Windows, macOS, Linux, FreeBSD, iOS, and Android clients; firewall-enforced VNC lockdown; live session and connection history; one-click disconnect and key revocation; System Controls for services and processes during a support session; and connection hooks for connect and disconnect events.

That is a different shape of problem than secure file transfer across a fleet. It is also the shape that Mac-centric teams actually run into most often.

The numbers are striking, so it is worth stating them plainly rather than hinting at them. VShell server lists at $599 for the Workgroup edition (25 concurrent connections), $999 for the Enterprise edition (unrestricted connections), and $1,499 for the Enterprise edition with HTTPS, each per license with one year of updates.

HearthGate is $39 at launch for Personal Standard on one Mac, including every 1.x update; $149 for Personal Lifetime; and $99 per protected Mac for Commercial Host.

This is not an argument that cheaper is automatically better. It is an argument about fit. VShell is priced for organizations that need a fleet file-transfer server and have a procurement process to match. HearthGate is priced for the studio, the solo operator, the small IT shop, and the homelab, where a four-figure server license per machine makes no sense and was never the point. The right tool is the one priced and shaped for the problem in front of you.

Here is the part most small products skip, so we will say it directly: HearthGate is not SOC 2 certified. The reason is not a secret. HearthGate is built by a solo developer, and SOC 2 is a five-figure, time-consuming external audit that a one-person product has not undertaken. Claiming otherwise would be exactly the kind of dishonesty this site is trying to avoid.

What HearthGate does have is continuous, deliberate alignment work, done as part of normal development rather than as a marketing afterthought. The codebase is reviewed against NIST SP 800-53 control families and against specific weakness classes: CWE-672 for the reuse of revoked or expired credentials; CWE-532 for sensitive information written to logs; CWE-552 for files that should not be externally accessible; CWE-200 for information exposure; and CWE-345 for insufficient verification of authenticity. Access removal follows SOC 2-style patterns, and data handling uses GDPR Article 32-style security-of-processing language.

To be precise about the claim: this is alignment and engineering discipline, not a compliance certificate, and we will not blur that line. In a period where a large number of products are generated quickly and never measured against any security canon, "we align to named standards, and we will tell you exactly which controls and weakness classes we target" is a more honest signal than a badge you cannot independently verify. If you need a certified vendor for a procurement checklist, that is a real requirement, and enterprise vendors with formal certifications exist for exactly that. If you need a Mac screen gateway built by someone who reads the standards while writing the code, that is a different and equally real need.

Abstract positioning is easy to nod along to and hard to act on, so here are four concrete situations. None of them is "deploy a fleet file-transfer server." All of them are ordinary reasons someone reaches for HearthGate.

One: the shared, license-locked Mac. A six-person design or print shop owns a single Mac that runs an expensive node-locked application: a RIP, a CAD seat, or a plugin tied to a dongle. Three people need it at different hours. Today they either fight over who is physically at the desk or leave a consumer remote-desktop tool running all day. With HearthGate, each person gets a scoped, VNC-only key; the owner can see who is connected right now; and when a freelancer finishes a job, one click revokes their access for good.

Two: the overnight render you babysit from the couch. A solo motion designer starts a nine-hour render on a Mac Studio at the office and goes home. At eleven at night, it might have stalled. They do not want VNC port 5900 sitting on the public internet, and they do not want a cloud relay sitting in the middle of client work. HearthGate gives them SSH-gated screen access over their existing route, a connection hook that pings their phone when a session opens, and System Controls to restart a stuck render daemon without driving back to the office.

Three: the MSP with eight client Macs. A freelance IT person looks after Macs for a dental office, a law office, and a couple of startups. They need access that is auditable and revocable per client, they cannot justify a $999 enterprise server on each machine, and they need something they can hand to a client office manager without running a training session. HearthGate Commercial Host, at $99 per Mac, gives them per-key scope, a connection log that can show access happened only during the agreed support window, and immediate revocation when a client relationship ends.

Four: the local-AI Mac as a private inference box. Someone runs local language models, image generation, or a private agent on a Mac Studio specifically so that client data never leaves for a cloud API. On the road, they need to reach it: restart a model server that hung, watch the logs, or kick off a quick job. The entire point is privacy, so a cloud remote-desktop product would undo the reason the box exists in the first place. HearthGate keeps it self-hosted, with no relay and the screen kept behind SSH.

VShell secures SSH and file-transfer services across a fleet, and it is genuinely good at it. HearthGate secures the Mac remote-screen workflow, as well as the SSH access around it, for the people and teams that a $1,499 enterprise server was never priced or shaped to serve.

If you need a managed, certified, multi-protocol file-transfer server, buy VShell; it is the right answer. If your actual problem is "make this Mac screen reachable, scoped, logged, and revocable without a cloud account," that is HearthGate, and it costs less than a single VShell connection tier.