oam/knowledge base/mac os x/README.md

Mac OS X

1. TL;DR
2. Hidden settings
3. Image manipulation
4. Resize PDF files
5. Manage tags
6. Update the OS from CLI
7. Keychain access from CLI
8. Mount an NFS share
9. Use TouchID to authenticate in the terminal
   1. Fix iTerm2
10. Xcode CLI tools
    1. Headless installation
    2. Removal
    3. Upgrade
11. Boot keys cheatsheet
12. Further readings
    1. Sources

TL;DR

# Install Xcode CLI tools.
xcode-select --install

# Show Xcode tools's path.
xcode-select -p

# Remove Xcode tools.
sudo rm -rf $(xcode-select -p)


# List all available updates.
softwareupdate --list --all

# Install all recommended updates, agreeing to software license agreement
# without interaction, and automatically restart if required.
softwareupdate --install --recommended --restart --agree-to-license

# Download (but not install) recommended updates.
softwareupdate --download --recommended


# Keep the system awake.
caffeinate
caffeinate -t '600'

# Perform network speed tests.
networkquality -sv

# List open ports.
netstat
netstat -n -p 'tcp'
lsof -n -i ':443'
sudo lsof -n -i 'TCP' -s 'TCP:LISTEN'

# Get the PID of processes using specific ports.
lsof -nt -i ':443'

# Clear the DNS cache.
sudo dscacheutil -flushcache; sudo killall -HUP 'mDNSResponder'


# Check NFS shares are available on the network.
showmount -e 'host'

# Mount NFS shares.
sudo mount -t 'nfs' 'host:/path/to/share' 'path/to/mount/point'
sudo mount -t 'nfs' -o 'rw,resvport' 'host:/path/to/share' 'path/to/mount/point'


# Install .pkg files from CLI.
# 'target' needs to be a *device*, not a path.
installer -pkg '/path/to/nonroot-package.pkg' -target 'CurrentUserHomeDirectory'
sudo installer -pkg '/path/to/root-needed-package.pkg' -target '/'


# Add passwords to the default keychain.
# The password needs to be left last.
security add-generic-password -a 'johnny' -s 'github' -w 'b.good'
security add-generic-password -a 'johnny' -s 'github' -l 'work' \
  -j 'my key for work' -w 'b.good'

# Update passwords' value.
security add-generic-password -a 'johnny' -s 'github' -l 'work' -U -w 'new-pass'

# Print passwords to stdout.
security find-generic-password -w -a 'johnny' -s 'github'
security find-generic-password -w -l 'work'
security find-generic-password -w -l 'work' -s 'github'

# Delete passwords from the default keychain.
security delete-generic-password -a 'johnny' -s 'github'


# Get the host's computer name.
scutil --get 'ComputerName'
/usr/libexec/PlistBuddy -c "Print :System:System:ComputerName" \
  '/Library/Preferences/SystemConfiguration/preferences.plist'

# Set the host's computer name.
scutil --set 'ComputerName' 'newComputerName'

# Get the host's bonjour name.
scutil --get 'LocalHostName'
/usr/libexec/PlistBuddy -c "Print :System:Network:HostNames:LocalHostName" \
  '/Library/Preferences/SystemConfiguration/preferences.plist'

# Get the host's bonjour name.
scutil --set 'LocalHostName' 'newLocalHostName'
scutil --set 'LocalHostName' \
  "$(defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName)"

# Get the host's netbios name.
defaults read '/Library/Preferences/SystemConfiguration/com.apple.smb.server' 'NetBIOSName'
/usr/libexec/PlistBuddy -c "Print :NetBIOSName" \
  '/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist'


# Get environment variables from inside launchd.
launchctl getenv 'key'
launchctl export

# Set environment variables inside of launchd.
launchctl setenv 'key' 'value'
launchctl unsetenv 'key' 'value'

# List all loaded jobs.
launchctl list

# List Mach bootstrap services only.
launchctl bslist
launchctl bstree

# Start jobs.
launchctl start 'job_label'

# Stop jobs.
launchctl stop 'job_label'


# Enable file trimming on SSD.
sudo trimforce enable


# Get information about users.
dscl '.' -read "/Users/$USER" 'UserShell'

Hidden settings

See the defaults command.

Image manipulation

Use Preview to perform basic image manipulation through the GUI.
See Resize, rotate, or flip an image in Preview on Mac.

See sips for the command line utility shipping with OS X by default.
Install ImageMagick if you need something more powerful.

Resize PDF files

In the Preview app:

1. Open the PDF file you want to compress.
2. Choose File > Export.
   Do not choose Export as PDF.
3. Click the Quartz Filter pop-up menu, then choose Reduce File Size.
4. Click the Export button.

Alternatively, check ImageMagick or Ghostscript out.

Manage tags

Tags are stored both in a file's or folder's com.apple.metadata:_kMDItemUserTags extended attribute.

Avoid using the xattr tool, as it almost always returns the hex dump of a plist file, which needs to be converted:

$ xattr -px com.apple.metadata:_kMDItemUserTags 'path/to/file' \
| perl -wane 'print chr hex for @F' | plutil -p -
[
  0 => "test"
]

mdls returns a more readable output, but still is not really useful for other actions than read:

$ mdls -raw -name kMDItemUserTags 'path/to/file'
(
    test
)

See jdberry/tag for a more versatile command line utility.
See Tagging files from the macOS command line for more information.

Update the OS from CLI

# List all available updates.
softwareupdate --list --all

# Install all recommended updates.
# Agree to software license agreement without interaction.
# Automatically restart if required.
softwareupdate --install --recommended --restart --agree-to-license

# Download (but not install) recommended updates.
softwareupdate --download --recommended

Keychain access from CLI

Save a password with the following settings:

• user (a.k.a. account): johnny
• password: b.good
• service name: github
• [optional] entry name (a.k.a. label): work; if not given, the service name will be used
• [optional] comment: my key for work; if not given, it will be left blank

The password's value needs to be given last.

# Add the password to the default keychain.
security add-generic-password -a johnny -s github -w 'b.good'
# Also give it some optional data.
security add-generic-password -a johnny -s github -l work \
  -j 'my key for work' -w 'b.good'
# Update passwords' value.
security add-generic-password -a johnny -s github -l work -U -w 'new-pass'

# Print the above password to stdout.
security find-generic-password -w -a johnny -s github
security find-generic-password -w -l work
security find-generic-password -w -l work -s github

# Delete it.
security delete-generic-password -a johnny -s github

Mount an NFS share

1. Check the share is available on the network:

   showmount -e 'host'
   

2. Mount the share:

   • Using the CLI:

     mkdir -p 'path/to/mount/point'
     sudo mount -t 'nfs' 'host:/path/to/share' 'path/to/mount/point'
     sudo mount -t 'nfs' -o 'rw,resvport' 'host:/path/to/share' 'path/to/mount/point'
     

Use TouchID to authenticate in the terminal

Add the pam_tid.so module as sufficient to /etc/pam.d/sudo:

# sudo: auth account password session
+auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so

This file is normally read-only, so saving your changes may require you to force the save (e.g. vim will require the use of wq! when saving).

Fix iTerm2

iTerm2 from version 3.2.8 comes with a reattach advanced feature which is incompatible with the addition of the pam_tid.so module alone.

You can either:

• disable the feature: iTerm2 > Preferences > Advanced > (Goto the Session heading) > Allow sessions to survive logging out and back in

• install and enable the pam_reattach.so module as optional to /etc/pam.d/sudo:

  # pick one
  brew install pam-reattach
  sudo port install pam-reattach
  

  # sudo: auth account password session
  +auth       optional       /opt/local/lib/pam/pam_reattach.so ignore_ssh
  +auth       sufficient     pam_tid.so
  auth       sufficient     pam_smartcard.so
  auth       required       pam_opendirectory.so
  

  Note that when the module is not installed in /usr/lib/pam or /usr/local/lib/pam (e.g. on M1 Macs where Homebrew is installed in /opt/homebrew), you must specify the full path to the module in the PAM service file.

Xcode CLI tools

xcode-select --install

The tools will be installed into /Library/Developer/CommandLineTools by default, with the binaries being available at $(xcode-select -p)/usr/bin/.

Headless installation

# Force the `softwareupdate` utility to list the Command Line Tools.
touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress

# Get their label.
CLI_TOOLS_LABEL="$(/usr/sbin/softwareupdate -l \
 | grep -B 1 -E 'Command Line Tools' \
 | awk -F'*' '/^ *\\*/ {print $2}' \
 | sed -e 's/^ *Label: //' -e 's/^ *//' \
 | sort -V \
 | tail -n1)"

# Install them.
/usr/sbin/softwareupdate -i --agree-to-license "$CLI_TOOLS_LABEL"

Removal

sudo rm -rf "$(xcode-select -p)"
sudo rm -rf '/Library/Developer/CommandLineTools'

Upgrade

See How to update Xcode from command line for details.

# Remove and reinstall.
sudo rm -rf "$(xcode-select -p)"
xcode-select --install

Boot keys cheatsheet

Only available on Intel based Macs.

To use any of these key combinations, press and hold the keys immediately after pressing the power button to turn on your Mac, or after your Mac begins to restart. Keep holding until the described behavior occurs.

Combination	Behaviour
⌥ Option or Alt	Start to Startup Manager, which allows you to choose other available startup disks or volumes. If your Mac is using a firmware password, you're prompted to enter the password
⌥ Option + ⌘ Command + P + R	Reset the NVRAM or PRAM. If your Mac is using a firmware password, it ignores this key combination or starts up from Recovery
⇧ Shift	Start in safe mode. Disabled when using a firmware password
⌘ Command + R	Start from the built-in Recovery system
⌥ Option + ⌘ Command + R or ⇧ Shift + ⌥ Option + ⌘ Command + R	Start from Recovery over the Internet. It installs different versions of macOS, depending on the key combination you use while starting up. If your Mac is using a firmware password, you're prompted to enter the password
⏏ Eject or F12 or mouse button or trackpad button	Eject a removable media, such as an optical disc. Disabled when using a firmware password
T	Start in target disk mode. Disabled when using a firmware password
⌘ Command + V	Start in verbose mode. Disabled when using a firmware password
D	Start to Apple Diagnostics
⌥ Option + D	Start to Apple Diagnostics over the Internet. Disabled when using a firmware password
N	Start from a NetBoot server, if your Mac supports network startup volumes. Disabled when using a firmware password
⌥ Option + N	Start from a NetBoot server and use the default boot image on it. Disabled when using a firmware password
⌘ Command + S	Start in single-user mode. Disabled in macOS Mojave or later, or when using a firmware password

Further readings

• Time Machine
• tag
• sips
• defaults
• pam_reattach
• launchctl's man page
• mdls
• xattr
• macports
• openssl-osx-ca
• Little Snitch
• macOS default values command reference

Sources

• Boot a Mac from USB Drive
• Mac startup key combinations
• Xcode Command Line Tools Installation FAQ
• How to update Xcode from command line
• Command line access to the Mac keychain
• Installing .pkg with terminal?
• Using Terminal to Find Your Mac's Network Name
• List of Xcode Command Line Tools
• Can Touch ID for the Mac Touch Bar authenticate sudo users and admin privileges?
• Caffeinate your Mac
• MacOS network quality tool
• How to Clear DNS Cache in MacOS Ventura & MacOS Monterey
• Compress a PDF in Preview on Mac
• Resize, rotate, or flip an image in Preview on Mac
• Who is listening on a given TCP port on Mac OS X?
• Tagging files from the macOS command line