OpenClaw browser automation on a remote Mac with CDP and Gateway health checks

Running an OpenClaw browser agent on a 24/7 or short-to-mid-term leased bare-metal remote Mac is a common 2026 topology for growth, QA, and RPA teams: your laptop holds orchestration while the Gateway and a managed Chromium profile stay in the data center. The stable line is 2026.5.2 per the docs.openclaw.ai browser documentation. This article covers greenfield deploy, CDP/attachOnly troubleshooting, TCC acceptance, and lease/hardware decisions. It does not cover loopback token wiring (see loopback token cross-checks with doctor and probe) or remote-gateway lease basics (see short-to-mid remote Gateway Mac leasing).

1. Scope: managed profile vs attachOnly vs Remote CDP

| Mode | Who starts the browser | Typical config | Remote Mac fit |
|---|---|---|---|
| Managed openclaw profile | OpenClaw launches isolated Chromium | browser.profiles.openclaw | Default choice: isolated login state |
| attachOnly | You or a third party already started it | attachOnly: true + cdpUrl | Browserless, loopback debug ports |
| Remote CDP | Chromium elsewhere | cdpUrl: wss://... | Node host relay or SSH tunnel |

When not to use attachOnly on day one: since 2026.3.22 the Chrome extension relay is gone; existing-session cannot cross an SSH-only headless session, so use Node host or Remote CDP instead. If you only need isolated automation, do not attach a personal Chrome profile.

2. Greenfield deploy on US East / APAC remote Mac (2026.5.x)

  1. Node 22 or 24 with a single global npm prefix.
  2. Install: curl -fsSL https://openclaw.ai/install.sh | bash or npm i -g openclaw@latest.
  3. openclaw onboard: set browser.enabled; add tools.alsoAllow: ["browser"] for agents that need the tool.
  4. launchd for always-on Gateway (default 18789); browser control service is roughly gateway.port + 2.
  5. openclaw gateway probe for liveness.
  6. openclaw browser --browser-profile openclaw doctor → start → status --json.

After upgrades: openclaw backup create → openclaw doctor --fix → openclaw gateway restart, then re-run browser doctor per profile. See also 2026.5.x upgrade with Gateway probe and doctor.

3. browser.profiles and per-profile CDP port plan

| Profile | cdpPort | Notes |
|---|---|---|
| openclaw | 18800 | Default managed |
| work | 18801 | Optional headless batch lane |
| browserless | - | cdpUrl + attachOnly: true |

Local pools allocate from 18800–18899. Multiple Gateways on one host must stagger ports. For stale cdpUrl after restarts: remove expired WebSocket URLs from config, gateway restart, then browser start. Loopback Browserless on the same host needs attachOnly: true or OpenClaw may treat the port as a managed profile and report ownership conflicts.
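The port rules above can be checked before any Gateway starts. The following is an added example, not code from the article or from OpenClaw: it lints a flat per-host inventory for ports outside the 18800–18899 pool, two profiles sharing a cdpPort, and loopback cdpUrl entries without attachOnly. The inventory format, the gateway names and the sample rows are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not OpenClaw code): lint a per-host CDP port plan.
# Assumed inventory columns:  gateway  profile  cdpPort|-  attachOnly  cdpUrl|-
lint_port_plan() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }                  # skip blank and comment lines
    {
      id = $1 "/" $2; port = $3; attach = $4; url = $5
      if (port != "-") {
        if (port + 0 < 18800 || port + 0 > 18899) {
          print "OUT_OF_POOL " id " " port; bad++
        }
        if (port in owner) {                       # two profiles on one port
          print "DUPLICATE_PORT " port " " owner[port] " " id; bad++
        } else owner[port] = id
      }
      host = url
      sub("^[a-z]+://", "", host)                  # drop scheme
      sub("/.*$", "", host)                        # drop path
      sub(":[0-9]+$", "", host)                    # drop port
      loopback = (host == "127.0.0.1" || host == "localhost" || host == "[::1]")
      if (loopback && attach != "true") {          # would be treated as managed
        print "NEEDS_ATTACHONLY " id " " url; bad++
      }
    }
    END { exit (bad > 0 ? 1 : 0) }
  '
}

# Constructed sample: two Gateways (gw-a, gw-b) on one host.
SAMPLE_PLAN='# gateway profile cdpPort attachOnly cdpUrl
gw-a openclaw    18800 false -
gw-a work        18801 false -
gw-b openclaw    18800 false -
gw-b scratch     19000 false -
gw-a browserless -     false ws://127.0.0.1:3000
gw-a relay       -     true  wss://cdp.example.invalid/session'

printf '%s\n' "$SAMPLE_PLAN" | lint_port_plan || echo "port plan has conflicts"
```

The function exits non-zero when any finding is printed, so it can gate a launchd install step or a provisioning script.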

4. TCC and Screen Recording: SSH-only vs VNC

| Permission | SSH only | VNC |
|---|---|---|
| Automation / Accessibility | Cannot complete first grant | System Settings → Privacy |
| Screen Recording | Snapshots may be black | Grant then re-test snapshot |

See macOS TCC, Node 24, and remote Gateway workflow; SSH/VNC delivery is in the help center.

5. doctor / status / probe and CDP troubleshooting tree

  • L0 Gateway: openclaw doctor → gateway status → gateway status --require-rpc → gateway probe
  • L1 Browser: openclaw browser --browser-profile <name> doctor [--deep] → status --json
  • L2 CDP HTTP: curl -s http://127.0.0.1:<cdpPort>/json/version

| Symptom | Action |
|---|---|
| profile not running | With attachOnly, start Chromium first; or switch to managed profile |
| cdpReady false | Free the port; raise localCdpReadyTimeoutMs on slow hosts |
| stale cdpUrl | Clear config → gateway restart → browser start |
| token / auth mismatch | Align gateway.auth.token with client headers; see loopback article above |

6. Reference workflows (architecture only)

  • Competitive monitoring: managed profile + Cron → snapshot → object storage; keep large artifacts off the operator laptop.
  • Form-fill QA: separate work profile; on failure, reproduce headed over VNC.
  • Skill batch jobs: scale out to multiple machines; do not stack many profiles on one host all fighting for 18800.

7. Same-host split: browser agent vs Xcode / Runner

Keep browser agents on a lower-tier M4 with large disk; spill xcodebuild Archive and heavy compiles to a high-memory node. If you must co-locate, separate user data directories and stagger launchd schedules. Disk queue patterns: enterprise Mac CI cache partitions and NVMe FAQ.

8. US East vs APAC: latency and screenshot/PDF egress

| Operators based in | Prefer node | Typical RTT |
|---|---|---|
| Mainland China / Southeast Asia | Singapore, Hong Kong, Tokyo | ~30–80 ms |
| North America | US West entry | ~60–90 ms cross-US |
| Hard cross-continent pairing | Avoid if possible | 130–190 ms+ |

Large PDF or screenshot pulls hurt more on high RTT, so place storage close to the browser host, not your laptop.

9. Three M4 tiers + 1TB/2TB parallel vs single M4 Pro

| Dimension | Tier A + 1TB | Two tier-A + 2TB | Single M4 Pro |
|---|---|---|---|
| Cache / snapshots | Single profile, weekly cleanup | Profile isolation per host | More RAM, less swap |
| Short-to-mid cost | Lower week/month rent | Burst with daily add-on hosts | Expensive when idle |
| When not to choose | Many profiles fighting RAM | You dislike multi-port ops | One light profile only |

Pricing and stock: pricing page and checkout. Figures here are decision framing, not quotes.

10. SSH tunnel vs Tailscale Serve (browser angle)

SSH -L forwarding for 18789 and 18800 lets your laptop call the remote Gateway/CDP locally; carry the gateway token on every client. Tailscale Serve suits stable team entry points. The standalone loopback browser HTTP API does not honor Tailscale identity headers, so you still need shared-secret auth (see site Tailscale articles for install; this post only compares browser access patterns). Do not expose CDP ports on the public internet.
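One way to verify the last point on the remote Mac, as an added example that is not from the original article or the OpenClaw project: the function reads `lsof -nP -iTCP -sTCP:LISTEN` output and flags any listener on the Gateway port through port + 2, or in the 18800–18899 CDP pool, that is not bound to loopback. The GATEWAY_PORT variable, the "+2" window (the article says "roughly") and the sample lsof rows are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example (not OpenClaw code): flag Gateway/CDP listeners reachable off-host.
# Live use on the remote Mac:  lsof -nP -iTCP -sTCP:LISTEN | audit_cdp_listeners
GATEWAY_PORT="${GATEWAY_PORT:-18789}"   # article default; control service is roughly +2

audit_cdp_listeners() {
  awk -v gw="$GATEWAY_PORT" '
    $NF != "(LISTEN)" { next }                 # header and non-listening rows
    {
      addr = $(NF - 1)                         # 127.0.0.1:18800, *:18801, [::1]:18791
      n = split(addr, parts, ":")
      port = parts[n] + 0
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      watched = (port >= gw + 0 && port <= gw + 2) || (port >= 18800 && port <= 18899)
      if (!watched) next                       # unrelated services such as sshd
      if (host == "127.0.0.1" || host == "[::1]" || host == "localhost") next
      printf "EXPOSED %s pid=%s %s\n", $1, $2, addr   # wildcard or routable bind
      bad++
    }
    END { exit (bad > 0 ? 1 : 0) }
  '
}

# Constructed lsof sample: process names, PIDs and addresses are made up.
SAMPLE_LSOF='COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
node     1201 ops  23u  IPv4   0xa1      0t0  TCP 127.0.0.1:18789 (LISTEN)
node     1201 ops  24u  IPv6   0xa2      0t0  TCP [::1]:18791 (LISTEN)
Chromium 1310 ops  51u  IPv4   0xb1      0t0  TCP 127.0.0.1:18800 (LISTEN)
Chromium 1377 ops  51u  IPv4   0xb2      0t0  TCP *:18801 (LISTEN)
Chromium 1390 ops  51u  IPv4   0xb3      0t0  TCP 192.0.2.10:18802 (LISTEN)
sshd      101 root  3u  IPv4   0xc1      0t0  TCP *:22 (LISTEN)'

printf '%s\n' "$SAMPLE_LSOF" | audit_cdp_listeners \
  || echo "rebind the listeners above to loopback before opening a tunnel"
```

With every watched port on loopback, SSH -L or Tailscale Serve remains the only path in, which is the access pattern this section compares.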

11. Upgrade and rollback

  1. openclaw update → backup create → doctor --fix → gateway restart
  2. Per profile: browser stop → start
  3. Rollback: restore backup and pin version; avoid copying profile dirs across major versions

Blue/green on long leases: remote Mac blue/green rolling on port 18789. Multi-team isolation: shared remote Mac gateway boundaries.

12. FAQ

  • Is one week enough to validate? Yes if onboard + single-profile snapshot passes doctor and probe.
  • attachOnly says not running? curl /json/version first; upgrade to 2026.5.2+; clear stale cdpUrl.
  • Can we skip VNC? Gateway can stay CLI-only; first TCC grants need graphics.
  • Multiple profiles in parallel? Limited by RAM and tabCleanup; prefer separate hosts.
  • Headless on remote Mac? Without DISPLAY, managed profiles may auto-headless; screenshots still need Screen Recording.
  • Coexist with Runner? Separate users or machines; do not share disk with DerivedData.
  • US East or APAC? Section 8; mainland/SEA teams usually pick APAC.
  • 1TB vs 2TB? Choose 2TB if you keep 30+ days of snapshots.
  • Missing openclaw browser? Check plugins.allow includes browser and browser.enabled.
  • All CDP dead after upgrade? doctor --fix, restart Gateway, rebuild profiles one by one.
  • When not to run two tier-A hosts? Single light profile and no compile spill: one M4 Pro is simpler but costly when idle.

Why a remote Mac mini fits always-on browser agents

Apple Silicon unified memory helps multi-tab Chromium; Mac mini power draw suits 24/7 Gateway; macOS keeps TCC and VNC delivery consistent with what operators already know. You need isolated profiles plus disk headroom for cache and snapshots, not a second laptop left open.

Compare US West and APAC nodes, three M4 tiers, and 1TB/2TB expansion on the Macstripe home page; list prices on the pricing page; SSH/VNC setup in the help center.