How Do I Set Up Claude Computer Use Safely on a Mac?

Computer use is the "Claude can drive your actual desktop" feature — screenshots, mouse clicks, keystrokes, across any native Mac app. It's also the capability most worth sandboxing carefully, because a Claude that can drive your desktop can also empty your Trash or send an email you didn't write. Here's the setup that gives Claude the superpower without giving it the run of your machine.
Why this matters
Browser automation with the Chrome extension is powerful, but it's confined to the browser. Computer use isn't. Claude can open Notes, type into your macOS Calendar, click through System Settings, operate a native app that has no API. For any workflow that's "five apps, mostly native, on repeat" — this is the tool.
And that's exactly why you want isolation. A misstep in a browser tab is cheap to recover from. A misstep that deletes files or sends a message as you is expensive. The safe setup below gives Claude a separate environment to operate in — either a dedicated macOS user, a VM, or a cloud instance — so mistakes stay contained.
Before you start
You need:
- A Mac running macOS 13 (Ventura) or later. Earlier versions miss accessibility APIs the feature relies on.
- Admin rights on the Mac — you'll be creating a new user or configuring a VM.
- An hour. Most of the time is waiting for a VM to install.
- A concrete task you want Claude to automate. "Open the expense tracker app, log yesterday's receipt" is a fine first one.
Step 1: Decide on an isolation model
Three options, in descending order of isolation and increasing order of convenience:
- Cloud VM (most isolated). Spin up a macOS instance on MacStadium, Anka, or similar. Claude operates that VM via the computer-use tool. Your local machine never runs the automation. Best for anything that touches sensitive data.
- Local VM (Parallels/UTM). Run a macOS VM on your Mac. Claude drives the VM; your host stays clean. Good middle ground.
- Dedicated local user account. Create a second macOS user, grant it only the apps and files needed for the task, log in, and run Claude there. Lightest option; less isolation than a VM but dramatically more than "run as my main user."
For the rest of this guide, I'll walk through the dedicated-user setup — it's the one most people actually do. The VM approach is very similar; just substitute "on the VM" for "in the second user."
Step 2: Create the isolated user
System Settings → Users & Groups → Add User:
- Name: claude-runner (something obvious).
- Account type: Standard, not Admin. Never give the automation user admin rights.
- Password: strong, stored in your password manager, not memorized.
Log out, log in as claude-runner. You're now in a fresh macOS account with no apps logged in.
Step 3: Provision only what the task needs
Install and sign into only the apps the task requires. For the "log yesterday's receipt in the expense tracker" task:
- The expense tracker app.
- The screenshot folder or Downloads where receipts land.
- Claude Desktop.
That's it. No Gmail signed in. No Slack. No iCloud account with your personal photos. No files outside the automation scope.
This is the core security move. If Claude does something wrong — opens the wrong app, clicks the wrong button, types the wrong thing — the blast radius is limited to what you put in this account. A clicking-frenzy in an empty account does nothing. The same frenzy in your main account corrupts your calendar.
Step 4: Grant accessibility and screen recording permissions
Computer use needs macOS accessibility APIs. In the claude-runner account:
- System Settings → Privacy & Security → Accessibility — add Claude Desktop. Toggle on.
- System Settings → Privacy & Security → Screen Recording — add Claude Desktop. Toggle on.
- System Settings → Privacy & Security → Input Monitoring (if present) — add Claude Desktop.
macOS will prompt you to restart apps or quit-and-reopen Claude Desktop after each grant. Do it.
These permissions grant Claude the ability to see the screen and drive mouse/keyboard. They apply only in this user account — your main account remains unaffected.
Step 5: Configure Claude Desktop to use computer use
Open Claude Desktop in the claude-runner account. The computer use capability is typically accessible via the app's settings or a connector. Check Anthropic's current docs for the exact toggle — the name has shifted a couple times (Computer Use, Desktop Control, etc.).
Authenticate with your Claude subscription. Confirm the capability is on by asking Claude: "Take a screenshot of the current desktop." You should see it take the screenshot and describe what's on screen.
Step 6: Run your first task — narrow scope
Now the payoff. In a new Claude chat:
"Open the Receipts folder in Finder. For each image file modified today, open it, note the merchant and amount. Then open the expense tracker app and log each one using the 'Add expense' form."
Watch Claude work. On the first few runs, do not do anything else on that machine. Watch every click. Stop the session if it looks about to do something unexpected — you can cancel with a keyboard interrupt in the Claude UI.
The first run will probably fumble. It might click the wrong button, mistake "Save" for "Cancel," misread an amount. Iterate on the prompt (be more specific: "the form has four fields; fill them in this order..."), and let it run again. After a handful of runs, it settles.
Step 7: Schedule carefully
Once the task is reliable, you can schedule it — but the safe version is "schedule a reminder that wakes you up to approve it," not "run fully unattended."
For non-destructive read/log tasks, unattended is fine. For anything that creates, sends, or deletes, the safer pattern is: Claude prepares the change, screenshots the final state, and waits for you to hit "confirm" before committing.
Build that approval step into the prompt: "After filling the form, take a screenshot and stop. Do not click Save until I explicitly say 'yes, submit.'"
Verify it worked
1. Claude sees the right screen. Ask it to take a screenshot. The content should match what's on the claude-runner desktop.
2. Task completes on a fresh run. Log out, log back in, start a clean chat, run the task. No residual state from prior runs should matter.
3. Your main account is untouched. After an hour of computer-use work in the claude-runner account, switch back to your main account. Nothing should have changed — no new Slack messages sent, no new browser history, nothing. Isolation is working.
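The isolation in check 3 rests on two things you can test directly: claude-runner must not be in the admin group, and your main home folder must not contain files whose permissions let another local account read them. The script below is an added example, not part of the original guide; the function names are hypothetical and the account name follows this guide.

```bash
#!/bin/bash
# Added example: isolation audit, run from your main (admin) account.
# The account name claude-runner follows this guide; function names are hypothetical.

# Succeeds if a space-separated group list (from `id -Gn`) contains "admin".
in_admin_group() {
  case " $1 " in
    *" admin "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints entries up to two levels below DIR that other local accounts can read.
# Directories "other" cannot enter are pruned, so files behind them are not
# reported as exposed.
other_readable() {
  # If "other" cannot enter DIR itself, nothing below it is reachable.
  [ -n "$(find "$1" -maxdepth 0 -perm -005 2>/dev/null)" ] || return 0
  find "$1" -mindepth 1 -maxdepth 2 \
    -type d ! -perm -005 -prune -o -perm -004 -print 2>/dev/null | sort
}

# Returns 0 only if RUNNER is non-admin and MAIN_HOME exposes nothing.
audit() {
  runner="$1"; main_home="$2"; status=0
  if in_admin_group "$(id -Gn "$runner" 2>/dev/null)"; then
    echo "FAIL: $runner is in the admin group"; status=1
  fi
  exposed="$(other_readable "$main_home")"
  if [ -n "$exposed" ]; then
    echo "WARN: readable by other local accounts:"
    echo "$exposed"
    status=1
  fi
  return "$status"
}

# Runs only when both variables are set, for example:
#   RUNNER=claude-runner MAIN_HOME=/Users/yourname bash audit.sh
if [ -n "${RUNNER:-}" ] && [ -n "${MAIN_HOME:-}" ]; then
  if audit "$RUNNER" "$MAIN_HOME"; then echo "OK: isolation checks passed"; fi
fi
```

The check looks at permission mode bits only and does not evaluate ACLs, so treat a clean result as a minimum bar. Move or `chmod o-r` anything it lists that the automation account has no reason to read.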
Where this breaks
- Signing into apps that have auto-forward or shared inboxes. If the expense tracker sends notifications to an email also on your main account, you undo some of your isolation. Use a dedicated email for the automation account.
- Screen shares or screen recordings during a session. Claude will see whatever's on the screen, including overlays from Zoom, screen recorders, etc. Don't run a computer-use task while screen-sharing sensitive content.
- Multi-monitor setups confusing the screenshot. Claude's screenshots default to the main display. If your automation runs across two screens, Claude misses half the context. Keep automation on a single screen.
- Passwords saved in the user's keychain. If the claude-runner user has passwords auto-filled, Claude can potentially trigger them (by clicking the auto-fill suggestion). Either don't save passwords in this account, or lock the keychain before each session.
- Claude clicking confirmation dialogs. macOS dialogs like "Are you sure you want to delete this?" are plain clickable buttons to Claude. Include explicit guardrails in your prompt: "Never click any dialog that says Delete or Remove unless I've explicitly told you to." This is a prompt-level control, not a system-level one — don't rely on it alone for anything truly destructive.
What to try next
- How Do I Install Claude in Chrome and Schedule a Recurring Browser Task? — the browser sibling of computer use. Same workflow mental model, safer default because it's scoped to web.
- How Do I Use Claude's New Memory Feature Without Leaking Client Data? — critical complement. A computer-use session that writes to global memory from an isolated user can still leak context elsewhere.
- How Do I Schedule Claude Code to Run Maintenance Jobs Overnight? — for automations that don't need GUI, a headless Claude Code run is far safer than computer use. Default to headless when possible.