From Coding Assistant to Remote Computer Use AI
OpenAI Codex is evolving from a code-focused assistant into a broader Computer Use AI capable of remote desktop control. Originally centered on cloud-based coding help inside chat and IDEs, Codex now sits at the core of OpenAI’s push into AI agent automation on personal machines. OpenAI has already tied Codex into the ChatGPT mobile app, allowing users to review outputs, approve commands, and dispatch new tasks from a phone to a Mac running the Codex desktop app. The next step is more ambitious: letting Codex operate desktop applications even when the host laptop is locked or asleep. That shift would move Codex from a tool that only works in active sessions to an always-on automation layer that can open apps, run builds, and access data sources in the background, blurring the line between development tooling and full-system remote control.
Remote Desktop Control Without SSH – Even on Locked Machines
The emerging Computer Use capability is designed to give Codex direct remote desktop control without relying on SSH tunnels or traditional remote-login tooling. On macOS, the current limitation is that Computer Use requires an unlocked, awake session to see the screen, move the cursor, and type into applications. OpenAI is testing ways to lift that restriction so a phone could instruct Codex to open a simulator, test a GUI build, or hit a local data source while the laptop remains locked or asleep. This would streamline remote workflows and close a gap with rivals that already offer phone-to-machine control but lose access when the screen locks. At the same time, it challenges the long-standing assumption that a locked desktop session is inert, raising security and UX questions about how an AI agent should behave when the human isn’t present.
Windows Sandbox Security: Offline Identities and DPAPI Controls
As Codex gains more powerful Computer Use abilities, OpenAI is tightening Windows sandbox security to keep AI-controlled operations governed. On Windows, Codex now runs under two separate local users, CodexSandboxOffline and CodexSandboxOnline, allowing the offline identity to be fully cut off from outbound network traffic unless a user explicitly opts in. This design is layered with DPAPI-protected credentials, firewall checks, and a codex-command-runner executable that orchestrates a four-step execution path before any child process runs. Earlier attempts relied on environmental tricks like proxy overrides, which could be bypassed by tools that open sockets directly. The new Windows sandbox security model moves enforcement deeper into the OS, following the entire command tree across package managers, scripts, and test runners. In effect, it gives Codex room to automate local development tasks while maintaining strong Windows sandbox security boundaries around files, processes, and the network.
AI Agent Automation Across Multiple Desktop Devices
Beyond single-machine setups, OpenAI is exploring multi-device AI agent automation, where one Codex instance can orchestrate others. Users will be able to install the Codex app on additional desktops, such as a Mac Mini, and control those machines remotely from a main device through Computer Use. This model treats each desktop as a specialized worker that can run test suites, simulations, or data-processing jobs on demand, with Codex coordinating tasks between them. It positions Codex as infrastructure for distributed automation rather than just an assistant tied to one IDE session. For enterprises, the same principles underpinning the Windows sandbox—centralized policy, tool access controls, and consistent network boundaries—become critical when multiple Codex-controlled devices are online. The challenge is to deliver seamless remote desktop control while keeping each node’s permissions and connectivity tightly scoped and auditable.
Governance Pressure: Balancing Power and Safety for Computer Use AI
The expansion of Codex’s Computer Use capabilities is happening under growing pressure to prove that powerful AI agents can be governed safely. OpenAI’s recent work on the Windows sandbox illustrates how security has become a product differentiator: Codex must read and write local files, spawn child processes, and run for longer durations, yet remain boxed in by firewall rules, DPAPI-protected credentials, and offline-by-default network identities. As Codex moves into threat modeling, dependency analysis, and continuous local automation, rivals such as other coding agents are competing on governance as much as on code quality. Remote desktop control when a machine is locked or asleep heightens both the utility and the risk profile of Computer Use AI. The winners in this space will likely be the systems that can prove not just what their agents can do, but where, when, and under which enforceable policies they are allowed to do it.