Connection types
shft supports three connection methods between source and destination Macs. All connections are encrypted with TLS using self-signed certificates generated at first launch.
WiFi
Requirements
- Both Macs connected to the same WiFi network (same subnet)
- Bonjour/mDNS traffic allowed (UDP port 5353)
- TCP port 47810 not blocked by firewall
Expected speeds
- WiFi 6 (802.11ax): 200–600 Mbps typical (25–75 MB/s)
- WiFi 5 (802.11ac): 100–400 Mbps typical (12–50 MB/s)
- Actual throughput depends on signal strength, network congestion, and distance from the access point
When to use
WiFi is the most convenient option — no cables needed. Use it for migrations under 50 GB or when physical access to both Macs is limited. For larger migrations, Ethernet or Thunderbolt will save significant time.
Considerations
- WiFi speeds decrease with distance from the access point and with other devices competing for bandwidth
- Enterprise networks with client isolation enabled may block Bonjour — check with your network team
- Both Macs on the same 5 GHz network will get noticeably better throughput than on 2.4 GHz
Ethernet
Requirements
- Both Macs connected via Ethernet to the same switch/subnet, or connected directly with an Ethernet cable (a crossover cable is not required; auto-MDI/X on all modern Macs handles it)
- USB-C to Ethernet adapters work if the Mac doesn't have a built-in Ethernet port
- Bonjour/mDNS traffic allowed on the network segment
Expected speeds
- Gigabit Ethernet: up to 1 Gbps (125 MB/s)
- 10 Gigabit Ethernet: up to 10 Gbps (1.25 GB/s) — requires 10GbE adapters on both Macs
- Direct cable connection achieves full link speed with no switch or network congestion
When to use
Ethernet is the best option when Thunderbolt is not available and the migration is larger than 50 GB. A direct Ethernet cable between two Macs is simple to set up and provides consistent, full-speed transfers.
Switch vs direct connection
| Setup | Pros | Cons |
|---|---|---|
| Through a switch | No special setup; both Macs stay on the network | Speed shared with other traffic; must be on same VLAN |
| Direct cable | Full dedicated bandwidth; no switch needed; works even without network infrastructure | Macs lose their regular network connection unless they have a second network interface |
Thunderbolt
Requirements
- A Thunderbolt 3 or Thunderbolt 4 cable (USB-C to USB-C)
- Both Macs must have Thunderbolt ports
- Thunderbolt Bridge enabled on both Macs (enabled by default)
Cable types
Not all USB-C cables support Thunderbolt. Use a cable that is explicitly rated for Thunderbolt:
| Cable | Works? |
|---|---|
| Apple Thunderbolt 4 Pro Cable | Yes |
| Apple Thunderbolt 3 Cable | Yes |
| Third-party Thunderbolt 3/4 cable (with ⚡ marking) | Yes |
| USB-C charging cable | No — USB-only, no Thunderbolt data |
| USB-C to USB-C data cable (USB 3.x) | No — creates USB networking, not Thunderbolt Bridge |
Thunderbolt Bridge setup
Thunderbolt Bridge is enabled by default on macOS. To verify:
- Connect the Thunderbolt cable between the two Macs
- On either Mac, go to System Settings → Network
- Look for Thunderbolt Bridge — it should show with a self-assigned IP address (169.254.x.x)
- If you don't see it, click + to add the Thunderbolt Bridge service
shft automatically detects Thunderbolt Bridge connections and prioritises them over WiFi and Ethernet.
Expected speeds
- Thunderbolt 3: up to 40 Gbps (5 GB/s theoretical; ~2–3 GB/s real-world for file transfer)
- Thunderbolt 4: up to 40 Gbps (same throughput as Thunderbolt 3)
A 100 GB migration that takes 30 minutes over WiFi takes approximately 1–2 minutes over Thunderbolt.
When to use
Thunderbolt is the recommended method for any migration over 20 GB. It's dramatically faster than network-based transfers and requires no network infrastructure — just a cable.
How devices discover each other
Regardless of connection type, shft uses the same discovery mechanism:
- The source Mac starts advertising a Bonjour service of type `_shft._tcp`
- The destination Mac browses for `_shft._tcp` services on the local network
- Discovered services include the source Mac's hostname, username, and pairing code
- The destination shows a list of discovered source Macs
When a Thunderbolt cable is connected, shft detects the Thunderbolt Bridge interface and promotes the Thunderbolt-discovered peer to the top of the list with a prominent indicator.
If the same Mac is discoverable over both WiFi and Thunderbolt simultaneously, shft deduplicates by hostname and shows only the Thunderbolt entry (since it's faster).
The pairing code flow
The pairing code is the critical trust moment in shft. It ensures the two Macs are connecting to each other intentionally — not to a rogue device on the network.
How it works
- The source Mac generates a cryptographic session key (256-bit) and derives a 6-digit pairing code from it
- The source Mac displays this code and advertises it via Bonjour
- The destination Mac discovers the source, reads the pairing code, and displays it
- Both Macs now show the same 6-digit code — the user visually confirms the codes match
- The user taps "Confirm" on both Macs within 60 seconds
- If both confirm, the session is established and all subsequent communication is encrypted with the session key
- If the countdown expires before both confirm, the session is invalidated and the user must retry
What admins should tell end users
"You'll see a 6-digit code on both Macs. Make sure they match. If they don't match, tap Cancel — it means you're not connecting to the right Mac. If they do match, tap Confirm on both Macs."
Security properties
- The pairing code is derived from the session key, not randomly generated separately — a matching code proves both devices hold the same key
- The session key encrypts all transfer data using AES-256-GCM
- TLS certificates are exchanged during the handshake and pinned for the session — if a different device tries to intercept, the connection fails
- Pinned certificates are discarded after the session ends — no trust persists beyond a single migration
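The pairing flow above and the first security property (code derived from the key, so a matching code means a shared key) can be modelled in a few lines. This is an added example, not shft's own code: the derivation (HMAC-SHA256 over a fixed label, truncated to six digits), the label and the class names are assumptions, since the page does not say how shft derives the code from the key; the 256-bit key size and the 60-second confirmation window come from the page.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CONFIRM_WINDOW_SECONDS = 60  # both Macs must tap Confirm within this window
CONTEXT_LABEL = b"shft-pairing-code"  # assumed label; shft's real derivation is not documented here


def derive_pairing_code(session_key):
    """Derive a 6-digit code from a 256-bit session key.

    Assumed scheme: HMAC-SHA256(key, label), first 4 bytes as an unsigned
    int, reduced mod 10^6 and zero-padded so leading zeros survive.
    """
    if len(session_key) != 32:
        raise ValueError("session key must be 256 bits")
    mac = hmac.new(session_key, CONTEXT_LABEL, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big")
    return f"{value % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def codes_match(source_key, destination_key):
    """Same key gives the same code; a device holding a different key shows a
    different one (barring a one-in-a-million coincidence), so the user taps Cancel."""
    return hmac.compare_digest(derive_pairing_code(source_key),
                               derive_pairing_code(destination_key))


class PairingSession:
    """One pairing attempt: the key, its code and the 60-second deadline."""

    def __init__(self, session_key=None, now=None):
        self.session_key = session_key or secrets.token_bytes(32)  # 256-bit key
        self.code = derive_pairing_code(self.session_key)
        self.started_at = time.monotonic() if now is None else now
        self.confirmed = {"source": False, "destination": False}

    def confirm(self, side, now=None):
        """Record a Confirm tap on one Mac; True once both confirmed in time.
        Past the deadline the attempt is invalidated and the user must retry."""
        now = time.monotonic() if now is None else now
        if now - self.started_at > CONFIRM_WINDOW_SECONDS:
            self.confirmed = {"source": False, "destination": False}
            return False
        self.confirmed[side] = True
        return self.confirmed["source"] and self.confirmed["destination"]
```

The `now` parameter exists only so the deadline logic can be exercised without waiting; in real use both Macs fall back to the monotonic clock.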
Firewall and network segmentation
Same-segment requirement
shft uses Bonjour (mDNS) for device discovery. mDNS uses multicast, which is limited to a single network segment (Layer 2 broadcast domain). This means:
- Both Macs must be on the same VLAN and subnet
- If your network separates staff and guest VLANs, both Macs must be on the same one
- If you use network segmentation for security (e.g., PCI-DSS zones), plan which segment the migration happens on
Workarounds for segmented networks
| Approach | Description |
|---|---|
| Thunderbolt cable | Bypasses the network entirely. No VLAN, firewall, or switch needed. |
| Direct Ethernet cable | Creates a point-to-point link. Self-assigned IP addresses; no DHCP needed. |
| Temporary VLAN assignment | Move both Macs to a migration VLAN with Bonjour and shft traffic allowed. |
| mDNS gateway | Deploy an mDNS gateway/reflector (e.g., Avahi) to relay Bonjour across VLANs. More complex but allows WiFi-based migration across segments. |
Recommended approach for enterprise
Use Thunderbolt. It's the fastest connection type, requires no network infrastructure changes, bypasses all firewall and VLAN considerations, and is the simplest to troubleshoot. Keep a few Thunderbolt cables with your deployment kit.