├── LICENSE.md
└── README.md


/LICENSE.md:
--------------------------------------------------------------------------------
1 | # License
2 |
3 | ```text
4 | The MIT License (MIT)
5 |
6 | Copyright (c) 2020 Kenneth Endfinger
7 |
8 | Permission is hereby granted, free of charge, to any person obtaining a copy
9 | of this software and associated documentation files (the "Software"), to deal
10 | in the Software without restriction, including without limitation the rights
11 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 | copies of the Software, and to permit persons to whom the Software is
13 | furnished to do so, subject to the following conditions:
14 |
15 | The above copyright notice and this permission notice shall be included in all
16 | copies or substantial portions of the Software.
17 |
18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 | SOFTWARE.
25 | ```
26 |


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # MacHack
2 |
3 | A list of built-in tools in macOS that you probably didn't know about.
4 |
5 | ## Table of Contents
6 |
7 | - [MacHack](#machack)
8 |   - [Table of Contents](#table-of-contents)
9 |   - [Commands](#commands)
10 |     - [java_home](#java_home)
11 |     - [dot_clean](#dot_clean)
12 |     - [SafeEjectGPU](#safeejectgpu)
13 |     - [sharing](#sharing)
14 |     - [remotectl](#remotectl)
15 |     - [brctl](#brctl)
16 |     - [sysadminctl](#sysadminctl)
17 |     - [ckksctl](#ckksctl)
18 |     - [otctl](#otctl)
19 |     - [spctl](#spctl)
20 |     - [networksetup](#networksetup)
21 |     - [systemsetup](#systemsetup)
22 |     - [airport](#airport)
23 |     - [AssetCacheLocatorUtil](#assetcachelocatorutil)
24 |     - [AssetCacheManagerUtil](#assetcachemanagerutil)
25 |     - [seedutil](#seedutil)
26 |     - [kmutil](#kmutil)
27 |     - [profiles](#profiles)
28 |     - [bputil](#bputil)
29 |     - [nscurl](#nscurl)
30 |     - [taskinfo](#taskinfo)
31 |     - [taskpolicy](#taskpolicy)
32 |     - [asr](#asr)
33 |     - [shortcuts](#shortcuts)
34 |     - [networkQuality](#networkquality)
35 |
36 | ## Commands
37 |
38 | ### java_home
39 |
40 | This tool queries the available Java Virtual Machines from `/Library/Java/JavaVirtualMachines`.
41 |
42 | ```text
43 | $ /usr/libexec/java_home --help
44 | Usage: java_home [options...]
45 |     Returns the path to a Java home directory from the current user's settings.
46 |
47 | Options:
48 |     [-v/--version ]   Filter versions (as if JAVA_VERSION had been set in the environment).
49 |     [-a/--arch ]      Filter architecture (as if JAVA_ARCH had been set in the environment).
50 |     [-F/--failfast]   Fail when filters return no JVMs, do not continue with default.
51 |     [ --exec ...]     Execute the $JAVA_HOME/bin/ with the remaining arguments.
52 |     [-X/--xml]        Print full JVM list and additional data as XML plist.
53 |     [-V/--verbose]    Print full JVM list with architectures.
54 |     [-h/--help]       This usage information.
55 | ```
56 |
57 | An example usage of this tool:
58 |
59 | ```text
60 | $ /usr/libexec/java_home -v 11 -a x86_64
61 | /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home
62 | ```
63 |
64 | ### dot_clean
65 |
66 | This is an extremely useful built-in utility to delete all useless dot files that macOS creates, such as `._MyFile`.
67 |
68 | Just point it at a folder, and it wipes it free of the cruft!
69 |
70 | ```text
71 | $ /usr/sbin/dot_clean
72 | usage: dot_clean [-fmnpsv] [--keep=[mostrecent|dotbar|native]] [directory ...]
73 | ```
74 |
75 | An example usage of the tool:
76 |
77 | ```text
78 | $ /usr/sbin/dot_clean /Volumes/Shared/MyFiles
79 | ```
80 |
81 | ### SafeEjectGPU
82 |
83 | This is a utility for managing GPUs, especially eGPUs. This is what is behind
84 | the safe eject functionality of the eGPU in the System UI.
85 |
86 | It is useful for:
87 |
88 | - Listing GPUs on the system.
89 | - Determining what applications are using a particular GPU.
90 | - Ejecting an eGPU safely.
91 | - Launching an application on a specific GPU.
92 | - Switching an application from one GPU to another.
93 |
94 | ```text
95 | $ /usr/bin/SafeEjectGPU
96 | usage: SafeEjectGPU [Commands...]
97 | Commands:
98 |     gpuid                     # specify gpuid of following commands
99 |     gpuids ,,...              # specify list of gpuids for RelaunchPIDOnGPU command
100 |     gpus                      # show all GPUs and their applicable properties
101 |     apps                      # show all Apps on specified gpuid
102 |     status                    # show status of all specified gpuid
103 |     Eject                     # Eject (full eject sequence) on specified gpuid
104 |     Initiate                  # Initiate eject sequence on specified gpuid
105 |     Relaunch                  # Relaunch lingering AppKit apps on specified gpuid
106 |     Finalize                  # Finalize eject sequence on specified gpuid
107 |     Cancel                    # Cancel eject sequence on specified gpuid
108 |     RelaunchPID               # RelaunchPID can be used in app testing to send Relaunch stimulus in isolation
109 |     RelaunchPIDOnGPU          # Send Relaunch stimulus to an app with set of limited GPUs to select from, use gpuids
110 |     LaunchOnGPU               # Launch an app from given bundle path with set of limited GPUs, use gpuids
111 |     zombies                   # show all zombies (apps holding reference to unplugged eGPU)
112 |     zcount                    # show count of (unhidden) zombies
113 |     Zkill                     # kill zombies
114 |     Zrelaunch                 # relaunch zombies
115 |     +fallbackGPUEjectPolicy   # allow builtin fallbacks to take effect (default)
116 |     -fallbackGPUEjectPolicy   # deny builtin fallbacks
117 |
118 | Notes:
119 |     Unspecified gpuid (==0) indicates all "removable" GPUs
120 |     Capitalized commands may have system-wide effects
121 |     Non-capitalized commands are informative only
122 |     See description of Info.plist "SafeEjectGPUPolicy" key. Use values:
123 |         "ignore", "wait", "relaunch", or "kill" for per-app policy
124 |     +/-fallbackGPUEjectPolicy can appear multiple times on the commandline and applies to following commands
125 | ```
126 |
127 | Example of the `gpus` command:
128 |
129 | ```text
130 | $ /usr/bin/SafeEjectGPU gpus
131 | gpus
132 | 2020-12-27 15:30:35.949 SafeEjectGPU[55941:9041424] Device PreExisted [00000001000008b2] AMD Radeon RX 570
133 | 2020-12-27 15:30:35.949 SafeEjectGPU[55941:9041424] Device PreExisted [00000001000008b5] AMD Radeon Pro 560X
134 | 2020-12-27 15:30:35.949 SafeEjectGPU[55941:9041424] Device PreExisted [0000000100000876] Intel(R) UHD Graphics 630
135 | gpuid 0x56ce - Intel® UHD Graphics 630
136 |     registryID=0x0000000100000876 integrated
137 |     location - BuiltIn
138 |     locationNumber - 0
139 |     maxTransferRate - 0
140 | gpuid 0x9f05 - AMD Radeon Pro 560X
141 |     registryID=0x00000001000008b5 discrete
142 |     location - BuiltIn
143 |     locationNumber - 1
144 |     maxTransferRate - 0
145 | gpuid 0x5d0e - AMD Radeon RX 570
146 |     registryID=0x00000001000008b2 removable
147 |     Razer Core X - enclosureRegistryID=0x0000000100000472
148 |     location - External
149 |     locationNumber - 1
150 |     maxTransferRate - 5000000000
151 | ```
152 |
153 | ### sharing
154 |
155 | This command gives information about File Sharing. It should look similar to the File Sharing section in the Sharing preference pane.
156 |
157 | ```text
158 | $ /usr/sbin/sharing
159 | Usage:
160 |     sharing -a [options] : create a sharepoint for directory specified by path
161 |     sharing -e [options] : edit sharepoint named
162 |     sharing -r : remove sharepoint with name
163 |     sharing -l [-f json] : list existing sharepoints
164 |
165 | options:
166 |     -A :use share point name for afp. Obsolete but left in for backwards compatibility.
167 |     -F :use share point name for ftp. Obsolete but left in for backwards compatibility.
168 |     -S :use share point name for smb.
169 |     -s [] :enable sharing, restricted by flags if specified;
170 |         flags = 000,001,010 ...111; 1 = share, 0 = do not share;
171 |         with digits indicating afp (no longer supported), ftp (no longer supported) and smb in that order;
172 |         default is 001 if -s is specified with no flags.
173 |     -g [] :enable guest access, restricted by flags if specified;
174 |         flags = 000,001,010 ...111; 1 = enabled, 0 = disabled;
175 |         with digits indicating afp (no longer supported), ftp (no longer supported) and smb in that order;
176 |         default 001 if -g is specified with no flags.
177 |     -i [] :enable inherit privileges from parent (afp only). Obsolete but left in for backwards compatibility.
178 |     -n :set record name to use (by default this is the directory name of the shared directory)
179 |     -R <0/1> :make share read only for smb. 1 is enable, 0 is disable.
180 |     -E <0/1> :make share encrypted for smb v3 and later. 1 is enable, 0 is disable.
181 |     -f :when listing shares, outputs in specified format. Formats supported: json
182 | ```
183 |
184 | ### remotectl
185 |
186 | The Apple T2 security chip (a built-in ARM chip in newer Intel Mac models) communicates with your system over a modified HTTP/2 protocol. There is also a command-line interface for various functions of the chip.
187 | Note that this chip is merged into the Apple Silicon chips, and `remotectl` is no longer used on Apple Silicon Macs.
188 |
189 | ```text
190 | $ /usr/libexec/remotectl
191 | usage: remotectl list
192 | usage: remotectl show (name|uuid)
193 | usage: remotectl get-property (name|uuid) [service] property
194 | usage: remotectl dumpstate
195 | usage: remotectl browse
196 | usage: remotectl echo [-v service_version] [-d (name|uuid)]
197 | usage: remotectl echo-file (name|uuid) path
198 | usage: remotectl eos-echo
199 | usage: remotectl netcat (name|uuid) service
200 | usage: remotectl relay (name|uuid) service
201 | usage: remotectl loopback (attach|connect|detach|suspend|resume)
202 | usage: remotectl bonjour ((enable|enable-loopback interface_name)|(disable))
203 | usage: remotectl convert-bridge-version plist-in-path bin-out-path
204 | usage: remotectl heartbeat (name|uuid)
205 | usage: remotectl trampoline [-2 fd] service_name command args ... [ -- [-2 fd] service_name command args ... ]
206 | ```
207 |
208 | Example of the `list` command:
209 |
210 | ```text
211 | $ /usr/libexec/remotectl list
212 | MY_UUID localbridge iBridge2,3 J680AP 5.1 (18P3030/18.16.13030.0.0,0) -
213 | ```
214 |
215 | Example of the `show` command:
216 |
217 | ```text
218 | $ /usr/libexec/remotectl show MY_UUID
219 | Found localbridge (bridge)
220 |     State: connected (connectable)
221 |     UUID: MY_UUID
222 |     Product Type: iBridge2,3
223 |     OS Build: 5.1 (18P3030)
224 |     Messaging Protocol Version: 2
225 |     Heartbeat:
226 |         Last successful heartbeat sent 8.825s ago, received 8.822s ago (took 0.003s)
227 |         64402 heartbeats sent, 0 received
228 |     Properties: {
229 |         AppleInternal => false
230 |         CPUArchitecture => arm64
231 |         ChipID => 32786
232 |         EffectiveProductionStatusSEP => true
233 |         HWModel => J680AP
234 |         HasSEP => true
235 |         LocationID => MY_LOCATION_ID
236 |         IsUIBuild => true
237 |         RegionInfo => LL/A
238 |         DeviceSupportsLockdown => false
239 |         EffectiveSecurityModeAp => true
240 |         SigningFuse => true
241 |         BuildVersion => 18P3030
242 |         OSVersion => 5.1
243 |         BridgeVersion => 18.16.13030.0.0,0
244 |         SensitivePropertiesVisible => true
245 |         BoardRevision => 1
246 |         Image4CryptoHashMethod => sha2-384
247 |         ProductType => iBridge2,3
248 |         SerialNumber => MY_SERIAL_NUMBER
249 |         BootSessionUUID => MY_BOOT_SESSION_ID
250 |         BoardId => 11
251 |         DeviceColor => black
252 |         EffectiveProductionStatusAp => true
253 |         EffectiveSecurityModeSEP => true
254 |         UniqueChipID => MY_UNIQUE_CHIP_ID
255 |         UniqueDeviceID => MY_UNIQUE_DEVICE_ID
256 |         RemoteXPCVersionFlags => MY_XPC_VERSION_FLAGS
257 |         CertificateProductionStatus => true
258 |         CertificateSecurityMode => true
259 |         DeviceEnclosureColor => black
260 |         ModelNumber => Z0V16LL/A
261 |         RegionCode => LL
262 |         SecurityDomain => 1
263 |         OSInstallEnvironment => false
264 |         InterfaceIndex => 4
265 |         HardwarePlatform => t8012
266 |         Image4Supported => true
267 |     }
268 |     Services:
269 |         com.apple.nfcd.relay.uart
270 |         com.apple.bridgeOSUpdated
271 |         com.apple.videoprocessingd.encode.remote
272 |         com.apple.corespeech.xpc.remote.record
273 |         com.apple.bootpolicyd.remote.internal
274 |         com.apple.icloud.findmydeviced.bridge
275 |         com.apple.xpc.remote.mobile_obliteration
276 |         com.apple.bootpolicyd.remote
277 |         com.apple.eos.BiometricKit
278 |         com.apple.osanalytics.logTransfer
279 |         com.apple.internal.xpc.remote.kext_audit
280 |         com.apple.xpc.remote.multiboot
281 |         com.apple.powerchime.remote
282 |         com.apple.aveservice
283 |         com.apple.recoverylogd.bridge
284 |         com.apple.sysdiagnose.stackshot.remote
285 |         com.apple.corespeech.xpc.remote.control
286 |         com.apple.RestoreRemoteServices.restoreserviced
287 |         com.apple.corecaptured.remoteservice
288 |         com.apple.nfcd.relay.control
289 |         com.apple.mobileactivationd.bridge
290 |         com.apple.sysdiagnose.remote
291 |         com.apple.CoreKDL.remoteXPC
292 |         com.apple.eos.LASecureIO
293 |         com.apple.multiverse.remote.bridgetime
294 |         com.apple.lskdd
295 |         com.apple.private.avvc.xpc.remote
296 | ```
297 |
298 | ### brctl
299 |
300 | This is a utility related to "CloudDocs", also known as iCloud Drive.
301 |
302 | ```text
303 | $ /usr/bin/brctl
304 | Usage: brctl [command-options and arguments]
305 |
306 |     -h,--help show this help
307 |
308 | COMMANDS
309 |
310 | diagnose [options] [--doc|-d ] []
311 |     diagnose and collect logs
312 |
313 |     -M,--collect-mobile-documents[=] (default: all containers)
314 |     -s,--sysdiagnose Do not collect what's already part of sysdiagnose
315 |     -t,--uitest Collect logs for UI tests
316 |     -n,--name= Change the device name
317 |     -f,--full Do a full diagnose, including server checks
318 |     -d,--doc=
319 |         Collect additional information about the document at that path.
320 |         Helps when investigating an issue impacting a specific document.
321 |     -e,--no-reveal Do not reveal diagnose in the Finder when done
322 |     []
323 |         Specifies the output path of the diagnosis; -n becomes useless.
324 |
325 | log [options] []
326 |
327 |     -a,--all Show all system logs
328 |     -p,--predicate Additional predicate (see `log help predicates`)
329 |     -x,--process Filter events from the specified process
330 |     -d,--path= Use instead of default
331 |     -S,--start="YYYY-MM-DD HH:MM:SS" Start log dump from a specified date
332 |     -E,--end="YYYY-MM-DD HH:MM:SS" Stop log dump after a specified date
333 |     -b Only show CloudDocs logs
334 |     -f Only show FileProvider related logs
335 |     -F Only show FruitBasket related logs
336 |     -g Only show Genstore related logs
337 |     -i Only show SQL and CloudDocs logs
338 |     -z,--local-timezone Display timestamps within local timezone
339 |
340 | dump [options] []
341 |     dump the CloudDocs database
342 |
343 |     -o,--output=
344 |         redirect output to
345 |     -d,--database-path=
346 |         Use the database at
347 |     -i,--itemless
348 |         Don't dump items from the db
349 |     -u,--upgrade
350 |         Upgrade the db if necessary before dumping
351 |
352 |     [] the container to be dumped
353 |
354 | status []
355 |     Prints items which haven't been completely synced up / applied to disk
356 |
357 |     [] the container to be dumped
358 |
359 | quota
360 |     Displays the available quota in the account
361 |
362 | monitor [options] [ ...]
363 |     monitor activity
364 |     -g dump global activity of the iCloud Drive
365 |     -i dump changes incrementally
366 |     -S,--scope=
367 |         restrict the NSMetadataQuery scope to docs, data, external or a combination
368 |
369 |     [ ...] list of containers to monitor, ignored when -g is used
370 | ```
371 |
372 | A pretty cool command here reports the quota left on your iCloud Drive:
373 |
374 | ```text
375 | $ /usr/bin/brctl quota
376 | 2098962726220 bytes of quota remaining
377 | ```
378 |
379 | ### sysadminctl
380 |
381 | An all-around useful tool for managing users, as well as managing full-disk encryption (FileVault).
382 |
383 | ```text
384 | $ /usr/sbin/sysadminctl
385 | Usage: sysadminctl
386 |     -deleteUser [-secure || -keepHome] (interactive || -adminUser -adminPassword )
387 |     -newPassword -oldPassword [-passwordHint ]
388 |     -resetPasswordFor -newPassword [-passwordHint ] (interactive] || -adminUser -adminPassword )
389 |     -addUser [-fullName ] [-UID ] [-GID ] [-shell ] [-password ] [-hint ] [-home ] [-admin] [-roleAccount] [-picture ] (interactive] || -adminUser -adminPassword )
390 |     -secureTokenStatus
391 |     -secureTokenOn -password (interactive || -adminUser -adminPassword )
392 |     -secureTokenOff -password (interactive || -adminUser -adminPassword )
393 |     -guestAccount
394 |     -afpGuestAccess
395 |     -smbGuestAccess
396 |     -automaticTime
397 |     -filesystem status
398 |     -screenLock -password
399 |
400 | Pass '-' instead of password in commands above to request prompt.
401 | '-adminPassword' used mostly for scripted operation. Use '-' or 'interactive' to get the authentication string interactively. This preferred for security reasons
402 |
403 | *Role accounts require name starting with _ and UID in 200-400 range.
404 | ```
405 |
406 | A pretty useful command in this tool is to check if FileVault is enabled:
407 |
408 | ```text
409 | $ sudo sysadminctl -filesystem status
410 | 2019-10-13 10:16:41.266 sysadminctl[61797:3404423] Boot volume CS FDE: NO
411 | 2019-10-13 10:16:41.298 sysadminctl[61797:3404423] Boot volume APFS FDE: YES
412 | ```
413 |
414 | ### ckksctl
415 |
416 | CloudKit controls, probably useful for some advanced users.
417 |
418 | ```text
419 | $ /usr/sbin/ckksctl
420 | usage: ckksctl [-p] [-j] [-s] [-v arg] [status] [fetch] [push] [resync] [reset] [reset-cloudkit] [ckmetric]
421 |
422 | Control and report on CKKS
423 |
424 | positional arguments:
425 |
426 | optional arguments:
427 |     -p, --perfcounters    Print CKKS performance counters
428 |     -j, --json            Output in JSON format
429 |     -s, --short           Output a short format
430 |     -v arg, --view arg    Operate on a single view
431 |
432 | optional commands:
433 |     status            Report status on CKKS views
434 |     fetch             Fetch all new changes in CloudKit and attempt to process them
435 |     push              Push all pending local changes to CloudKit
436 |     resync            Resync all data with what's in CloudKit
437 |     reset             All local data will be wiped, and data refetched from CloudKit
438 |     reset-cloudkit    All data in CloudKit will be removed and replaced with what's local
439 |     ckmetric          Push CloudKit metric
440 | ```
441 |
442 | ### otctl
443 |
444 | This is the Octagon Trust utility. It's a pretty neat view of the underlying trust network being used by your Apple Devices.
445 |
446 | ```text
447 | $ /usr/sbin/otctl
448 | usage: otctl [-s arg] [-e arg] [-r arg] [-j] [-i arg] [-E] [-P] [--altDSID arg] [--entropy arg] [--appleID arg] [--dsid arg] [--container arg] [--radar arg] [start] [sign-in] [sign-out] [status] [resetoctagon] [resetProtectedData] [user-controllable-views] [allBottles] [recover] [depart] [er-trigger] [er-status] [er-reset] [er-store] [health] [ckks-policy] [taptoradar] [fetchEscrowRecords] [fetchAllEscrowRecords] [recover-record] [recover-record-silent]
449 |
450 | Control and report on Octagon Trust
451 |
452 | positional arguments:
453 |
454 | optional arguments:
455 |     -s arg, --secret arg              escrow secret
456 |     -e arg, --bottleID arg            bottle record id
457 |     -r arg, --skipRateLimiting arg    enter values YES or NO, option defaults to NO, This gives you the opportunity to skip the rate limiting check when performing the cuttlefish health check
458 |     -j, --json                        Output in JSON
459 |     -i arg, --recordID arg            recordID
460 |     -E, --enable                      Enable something (pair with a modification command)
461 |     -P, --pause                       Pause something (pair with a modification command)
462 |     --altDSID arg                     altDSID (for sign-in/out)
463 |     --entropy arg                     escrowed entropy in JSON
464 |     --appleID arg                     AppleID
465 |     --dsid arg                        DSID
466 |     --container arg                   CloudKit container name
467 |     --radar arg                       Radar number
468 |
469 | optional commands:
470 |     start                      Start Octagon state machine
471 |     sign-in                    Inform Cuttlefish container of sign in
472 |     sign-out                   Inform Cuttlefish container of sign out
473 |     status                     Report Octagon status
474 |     resetoctagon               Reset and establish new Octagon trust
475 |     resetProtectedData         Reset ProtectedData
476 |     user-controllable-views    Modify or view user-controllable views status (If one of --enable or --pause is passed, will modify status)
477 |     allBottles                 Fetch all viable bottles
478 |     recover                    Recover using this bottle
479 |     depart                     Depart from Octagon Trust
480 |     er-trigger                 Trigger an Escrow Request request
481 |     er-status                  Report status on any pending Escrow Request requests
482 |     er-reset                   Delete all Escrow Request requests
483 |     er-store                   Store any pending Escrow Request prerecords
484 |     health                     Check Octagon Health status
485 |     ckks-policy                Trigger a refetch of the CKKS policy
486 |     taptoradar                 Trigger a TapToRadar
487 |     fetchEscrowRecords         Fetch Escrow Records
488 |     fetchAllEscrowRecords      Fetch All Escrow Records
489 |     recover-record             Recover record
490 |     recover-record-silent      Silent record recovery
491 | ```
492 |
493 | Run the following command to list your peers:
494 |
495 | ```text
496 | $ /usr/sbin/otctl status
497 | ... Lots of Useful Output ...
498 | ```
499 |
500 | ### spctl
501 |
502 | This is the System Policy management utility. You can enable and disable Gatekeeper and other code-signing features this way.
503 |
504 | ```text
505 | $ /usr/sbin/spctl
506 | System Policy Basic Usage:
507 |     spctl --assess [--type type] [-v] path ... # assessment
508 |     spctl --add [--type type] [--path|--requirement|--anchor|--hash] spec ... # add rule(s)
509 |     spctl [--enable|--disable|--remove] [--type type] [--path|--requirement|--anchor|--hash|--rule] spec # change rule(s)
510 |     spctl --status | --master-enable | --master-disable # system master switch
511 |
512 | Developer Mode Usage:
513 |     spctl developer-mode
514 |         enable-terminal
515 |             Add Terminal as a developer tool.
516 | Kernel Extension User Consent Usage:
517 |     spctl kext-consent ** Modifications only available in Recovery OS **
518 |         status
519 |             Print whether kernel extension user consent is enabled or disabled.
520 |         enable
521 |             Enable requiring user consent for kernel extensions.
522 |         disable
523 |             Disable requiring user consent for kernel extensions.
524 |         add
525 |             Insert a new Team Identifier into the list allowed to load kernel extensions without user consent.
526 |         list
527 |             Print the list of Team Identifiers allowed to load without user consent.
528 |         remove
529 |             Remove a Team Identifier from the list allowed to load kernel extensions without user consent.
530 | ```
531 |
532 | A useful command is to view the status of the system policy assessments:
533 |
534 | ```text
535 | $ /usr/sbin/spctl --status
536 | assessments enabled
537 | ```
538 |
539 | ### networksetup
540 |
541 | `networksetup` covers pretty much everything network-related, minus some wireless settings.
542 |
543 | ```text
544 | $ /usr/sbin/networksetup
545 | networksetup Help Information
546 | -------------------------------
547 | Usage: networksetup -listnetworkserviceorder
548 |     Display services with corresponding port and device in order they are tried for connecting
549 |     to a network. An asterisk (*) denotes that a service is disabled.
550 |
551 | Usage: networksetup -listallnetworkservices
552 |     Display list of services. An asterisk (*) denotes that a network service is disabled.
553 |
554 | Usage: networksetup -listallhardwareports
555 |     Display list of hardware ports with corresponding device name and ethernet address.
556 |
557 | Usage: networksetup -detectnewhardware
558 |     Detect new network hardware and create a default network service on the hardware.
559 |
560 | Usage: networksetup -getmacaddress
561 |     Display ethernet (or Wi-Fi) address for hardwareport or device specified.
562 |
563 | Usage: networksetup -getcomputername
564 |     Display the computer name.
565 |
566 | Usage: networksetup -setcomputername
567 |     Set the computer's name (if valid) to .
568 |
569 | Usage: networksetup -getinfo
570 |     Display IPv4 address, IPv6 address, subnet mask,
571 |     router address, ethernet address for .
572 |
573 | Usage: networksetup -setmanual
574 |     Set the TCP/IP configuration to manual with IP address set to ip,
575 |     Subnet Mask set to subnet, and Router address set to router.
576 |
577 | Usage: networksetup -setdhcp [clientid]
578 |     Set the TCP/IP configuration to DHCP. You can set the
579 |     DHCP client id to the optional [clientid]. Specify "Empty" for [clientid]
580 |     to clear the DHCP client id.
581 |
582 | Usage: networksetup -setbootp
583 |     Set the TCP/IP configuration to BOOTP.
584 |
585 | Usage: networksetup -setmanualwithdhcprouter
586 |     Set the TCP/IP configuration to manual with DHCP router with IP address set
587 |     to ip.
588 |
589 | Usage: networksetup -getadditionalroutes
590 |     Get additional IPv4 routes associated with
591 | Usage: networksetup -setadditionalroutes [ ]*
592 |     Set additional IPv4 routes associated with
593 |     by specifying one or more [ ] tuples.
594 |     Remove additional routes by specifying no arguments.
595 |     If is "", the route is direct to the interface
596 | Usage: networksetup -setv4off
597 |     Turn IPv4 off on .
598 |
599 | Usage: networksetup -setv6off
600 |     Turn IPv6 off on .
601 |
602 | Usage: networksetup -setv6automatic
603 |     Set the service to get its IPv6 info automatically.
604 |
605 | Usage: networksetup -setv6LinkLocal
606 |     Set the service to use its IPv6 only for link local.
607 |
608 | Usage: networksetup -setv6manual
609 |     Set the service to get its IPv6 info manually.
610 |     Specify and .
611 |
612 | Usage: networksetup -getv6additionalroutes
613 |     Get additional IPv6 routes associated with
614 | Usage: networksetup -setv6additionalroutes [ ]*
615 |     Set additional IPv6 routes associated with
616 |     by specifying one or more [ ] tuples.
617 |     Remove additional routes by specifying no arguments.
618 |     If is "", the route is direct to the interface
619 | Usage: networksetup -getdnsservers
620 |     Display DNS info for .
621 |
622 | Usage: networksetup -setdnsservers [dns2] [...]
623 |     Set the DNS servers to [dns2] [...]. Any number of dns servers can be
624 |     specified. Specify "Empty" for to clear all DNS entries.
625 |
626 | Usage: networksetup -getsearchdomains
627 |     Display Domain Name info for .
628 |
629 | Usage: networksetup -setsearchdomains [domain2] [...]
630 |     Set the Domain Name servers to [domain2] [...]. Any number of Domain Name
631 |     servers can be specified. Specify "Empty" for to clear all Domain Name entries.
632 |
633 | Usage: networksetup -create6to4service
634 |     Create a 6 to 4 service with name .
635 |
636 | Usage: networksetup -set6to4automatic
637 |     Set the service to get its 6 to 4 info automatically.
638 |
639 | Usage: networksetup -set6to4manual
640 |     Set the service to get its 6 to 4 info manually.
641 |     Specify for the relay address.
642 |
643 | Usage: networksetup -getftpproxy
644 |     Display FTP proxy (server, port, enabled value) info for .
645 |
646 | Usage: networksetup -setftpproxy
647 |     Set FTP proxy for with and . Turns proxy on. Optionally, specify or for to enable and disable authenticated proxy support. Specify and if you turn authenticated proxy support on.
648 |
649 | Usage: networksetup -setftpproxystate
650 |     Set FTP proxy to either or .
651 |
652 | Usage: networksetup -getwebproxy
653 |     Display Web proxy (server, port, enabled value) info for .
654 |
655 | Usage: networksetup -setwebproxy
656 |     Set Web proxy for with and . Turns proxy on. Optionally, specify or for to enable and disable authenticated proxy support. Specify and if you turn authenticated proxy support on.
657 |
658 | Usage: networksetup -setwebproxystate
659 |     Set Web proxy to either or .
660 |
661 | Usage: networksetup -getsecurewebproxy
662 |     Display Secure Web proxy (server, port, enabled value) info for .
663 |
664 | Usage: networksetup -setsecurewebproxy
665 |     Set Secure Web proxy for with and . Turns proxy on. Optionally, specify or for to enable and disable authenticated proxy support. Specify and if you turn authenticated proxy support on.
666 |
667 | Usage: networksetup -setsecurewebproxystate
668 |     Set SecureWeb proxy to either or .
669 |
670 | Usage: networksetup -getstreamingproxy
671 |     Display Streaming proxy (server, port, enabled value) info for .
672 |
673 | Usage: networksetup -setstreamingproxy
674 |     Set Streaming proxy for with and . Turns proxy on. Optionally, specify or for to enable and disable authenticated proxy support. Specify and if you turn authenticated proxy support on.
675 |
676 | Usage: networksetup -setstreamingproxystate
677 |     Set Streaming proxy to either or .
678 |
679 | Usage: networksetup -getgopherproxy
680 |     Display Gopher proxy (server, port, enabled value) info for .
681 |
682 | Usage: networksetup -setgopherproxy
683 |     Set Gopher proxy for with and . Turns proxy on. Optionally, specify or for to enable and disable authenticated proxy support. Specify and if you turn authenticated proxy support on.
684 |
685 | Usage: networksetup -setgopherproxystate
686 |     Set Gopher proxy to either or .
687 |
688 | Usage: networksetup -getsocksfirewallproxy
689 |     Display SOCKS Firewall proxy (server, port, enabled value) info for .
690 |
691 | Usage: networksetup -setsocksfirewallproxy
692 |     Set SOCKS Firewall proxy for with and . Turns proxy on. Optionally, specify or for to enable and disable authenticated proxy support. Specify and if you turn authenticated proxy support on.
693 |
694 | Usage: networksetup -setsocksfirewallproxystate
695 |     Set SOCKS Firewall proxy to either or .
696 |
697 | Usage: networksetup -getproxybypassdomains
698 |     Display Bypass Domain Names for .
699 |
700 | Usage: networksetup -setproxybypassdomains [domain2] [...]
701 |     Set the Bypass Domain Name Servers for to [domain2] [...]. Any number of
702 |     Domain Name servers can be specified. Specify "Empty" for to clear all
703 |     Domain Name entries.
704 |
705 | Usage: networksetup -getproxyautodiscovery
706 |     Display whether Proxy Auto Discover is on or off for .
707 |
708 | Usage: networksetup -setproxyautodiscovery
709 |     Set Proxy Auto Discovery to either or .
710 |
711 | Usage: networksetup -getpassiveftp
712 |     Display whether Passive FTP is on or off for .
713 |
714 | Usage: networksetup -setpassiveftp
715 |     Set Passive FTP to either or .
716 |
717 | Usage: networksetup -setautoproxyurl
718 |     Set proxy auto-config to url for and enable it.
719 |
720 | Usage: networksetup -getautoproxyurl
721 |     Display proxy auto-config (url, enabled) info for .
722 |
723 | Usage: networksetup -setautoproxystate
724 |     Set proxy auto-config to either or .
725 |
726 | Usage: networksetup -getairportnetwork
727 |     Display current Wi-Fi Network for .
728 |
729 | Usage: networksetup -setairportnetwork [password]
730 |     Set Wi-Fi Network to for .
731 |     If a password is included, it gets stored in the keychain.
732 |
733 | Usage: networksetup -getairportpower
734 |     Display whether Wi-Fi power is on or off for .
735 |
736 | Usage: networksetup -setairportpower
737 |     Set Wi-Fi power for to either or .
738 |
739 | Usage: networksetup -listpreferredwirelessnetworks
740 |     List the preferred wireless networks for .
741 |
742 | Usage: networksetup -addpreferredwirelessnetworkatindex [password]
743 |     Add wireless network named to preferred list for at .
744 |     For security type, use OPEN for none, WPA for WPA Personal, WPAE for WPA Enterprise,
745 |     WPA2 for WPA2 Personal, WPA2E for WPA2 Enterprise, WEP for plain WEP, and 8021XWEP for 802.1X WEP.
746 |     If a password is included, it gets stored in the keychain.
747 |
748 | Usage: networksetup -removepreferredwirelessnetwork
749 |     Remove from the preferred wireless network list for .
750 |
751 | Usage: networksetup -removeallpreferredwirelessnetworks
752 |     Remove all networks from the preferred wireless network list for .
753 |
754 | Usage: networksetup -getnetworkserviceenabled
755 |     Display whether a service is on or off (enabled or disabled).
756 |
757 | Usage: networksetup -setnetworkserviceenabled
758 |     Set to either or (enabled or disabled).
759 |
760 | Usage: networksetup -createnetworkservice
761 |     Create a service named on port . The new service will be enabled by default.
762 |
763 | Usage: networksetup -renamenetworkservice
764 |     Rename to .
765 |
766 | Usage: networksetup -duplicatenetworkservice
767 |     Duplicate and name it with .
768 |
769 | Usage: networksetup -removenetworkservice
770 |     Remove the service named . Will fail if this is the only service on the hardware port that is on.
771 |
772 | Usage: networksetup -ordernetworkservices <...>
773 |     Order the services in order specified. Use "-listnetworkserviceorder" to view service order.
774 |     Note: use quotes around service names which contain spaces (ie. "Built-in Ethernet").
775 |
776 | Usage: networksetup -setMTUAndMediaAutomatically
777 |     Set hardwareport or device specified back to automatically setting the MTU and Media.
778 |
779 | Usage: networksetup -getMTU
780 |     Get the MTU value for hardwareport or device specified.
781 |
782 | Usage: networksetup -setMTU
783 |     Set MTU for hardwareport or device specified.
784 |
785 | Usage: networksetup -listvalidMTUrange
786 |     List the valid MTU range for hardwareport or device specified.
787 | 788 | Usage: networksetup -getmedia 789 | Show both the current setting for media and the active media on hardwareport or device specified. 790 | 791 | Usage: networksetup -setmedia [option1] [option2] [...] 792 | Set media for hardwareport or device specified to subtype. Specify optional [option1] and additional options depending on subtype. Any number of valid options can be specified. 793 | 794 | Usage: networksetup -listvalidmedia 795 | List valid media options for hardwareport or device name. Enumerates available subtypes and options per subtype. 796 | 797 | Usage: networksetup -createVLAN 798 | Create a VLAN with name over device with unique tag . A default network service will be created over the VLAN. 799 | 800 | Usage: networksetup -deleteVLAN 801 | Delete the VLAN with name over the parent device with unique tag . If there are network services running over the VLAN they will be deleted. 802 | 803 | Usage: networksetup -listVLANs 804 | List the VLANs that have been created. 805 | 806 | Usage: networksetup -listdevicesthatsupportVLAN 807 | List the devices that support VLANs. 808 | 809 | Usage: networksetup -isBondSupported 810 | Return YES if the specified device can be added to a bond. NO if it cannot. 811 | 812 | Usage: networksetup -createBond <...> 813 | Create a new bond and give it the user defined name. Add the specified devices, if any, to the bond. 814 | 815 | Usage: networksetup -deleteBond 816 | Delete the bond with the specified device-name. 817 | 818 | Usage: networksetup -addDeviceToBond 819 | Add the specified device to the specified bond. 820 | 821 | Usage: networksetup -removeDeviceFromBond 822 | Remove the specified device from the specified bond 823 | 824 | Usage: networksetup -listBonds 825 | List all of the bonds. 826 | 827 | Usage: networksetup -showBondStatus 828 | Display the status of the specified bond. 829 | 830 | Usage: networksetup -listpppoeservices 831 | List all of the PPPoE services in the current set. 
832 | 833 | Usage: networksetup -showpppoestatus 834 | Display the status of the specified PPPoE service. 835 | 836 | Usage: networksetup -createpppoeservice [pppoe service name] 837 | Create a PPPoE service on the specified device with the service name specified. 838 | The "pppoe service name" is optional and may not be supported by the service provider. 839 | 840 | Usage: networksetup -deletepppoeservice 841 | Delete the PPPoE service. 842 | 843 | Usage: networksetup -setpppoeaccountname 844 | Sets the account name for the specified service. 845 | 846 | Usage: networksetup -setpppoepassword 847 | Sets the password stored in the keychain for the specified service. 848 | 849 | Usage: networksetup -connectpppoeservice 850 | Connect the PPPoE service. 851 | 852 | Usage: networksetup -disconnectpppoeservice 853 | Disconnect the PPPoE service. 854 | 855 | Usage: networksetup -getcurrentlocation 856 | Display the name of the current location. 857 | 858 | Usage: networksetup -listlocations 859 | List all of the locations. 860 | 861 | Usage: networksetup -createlocation [populate] 862 | Create a new network location with the spcified name. 863 | If the optional term "populate" is included, the location will be populated with the default services. 864 | 865 | Usage: networksetup -deletelocation 866 | Delete the location. 867 | 868 | Usage: networksetup -switchtolocation 869 | Make the specified location the current location. 870 | 871 | Usage: networksetup -version 872 | Display version of networksetup tool. 873 | 874 | Usage: networksetup -help 875 | Display these help listings. 876 | 877 | Usage: networksetup -printcommands 878 | Displays a quick listing of commands (without explanations). 879 | 880 | Any command that takes a password, will accept - to indicate the password should be read from stdin. 881 | 882 | The networksetup tool requires at least admin privileges to change network settings. 
If the "Require an administrator password to access system-wide preferences" option is selected in System Preferences > Security & Privacy, then root privileges are required to change network settings. 883 | ``` 884 | 885 | ### systemsetup 886 | 887 | This utility provides a lot of simpler system setup options. 888 | 889 | ```text 890 | $ sudo /usr/sbin/systemsetup 891 | systemsetup Help Information 892 | ------------------------------------- 893 | Usage: systemsetup -getdate 894 | Display current date. 895 | 896 | Usage: systemsetup -setdate 897 | Set current date to . 898 | 899 | Usage: systemsetup -gettime 900 | Display current time. 901 | 902 | Usage: systemsetup -settime 903 | Set current time to . 904 | 905 | Usage: systemsetup -gettimezone 906 | Display current time zone. 907 | 908 | Usage: systemsetup -settimezone 909 | Set current time zone to . Use "-listtimezones" to list time zones. 910 | 911 | Usage: systemsetup -listtimezones 912 | List time zones supported by this machine. 913 | 914 | Usage: systemsetup -getusingnetworktime 915 | Display whether network time is on or off. 916 | 917 | Usage: systemsetup -setusingnetworktime 918 | Set using network time to either or . 919 | 920 | Usage: systemsetup -getnetworktimeserver 921 | Display network time server. 922 | 923 | Usage: systemsetup -setnetworktimeserver 924 | Set network time server to . 925 | 926 | Usage: systemsetup -getsleep 927 | Display amount of idle time until computer, display and hard disk sleep. 928 | 929 | Usage: systemsetup -setsleep 930 | Set amount of idle time until computer, display and hard disk sleep to . 931 | Specify "Never" or "Off" for never. 932 | 933 | Usage: systemsetup -getcomputersleep 934 | Display amount of idle time until computer sleeps. 935 | 936 | Usage: systemsetup -setcomputersleep 937 | Set amount of idle time until compputer sleeps to . 938 | Specify "Never" or "Off" for never. 
939 | 940 | Usage: systemsetup -getdisplaysleep 941 | Display amount of idle time until display sleeps. 942 | 943 | Usage: systemsetup -setdisplaysleep 944 | Set amount of idle time until display sleeps to . 945 | Specify "Never" or "Off" for never. 946 | 947 | Usage: systemsetup -getharddisksleep 948 | Display amount of idle time until hard disk sleeps. 949 | 950 | Usage: systemsetup -setharddisksleep 951 | Set amount of idle time until hard disk sleeps to . 952 | Specify "Never" or "Off" for never. 953 | 954 | Usage: systemsetup -getwakeonmodem 955 | Display whether wake on modem is on or off. 956 | 957 | Usage: systemsetup -setwakeonmodem 958 | Set wake on modem to either or . 959 | 960 | Usage: systemsetup -getwakeonnetworkaccess 961 | Display whether wake on network access is on or off. 962 | 963 | Usage: systemsetup -setwakeonnetworkaccess 964 | Set wake on network access to either or . 965 | 966 | Usage: systemsetup -getrestartpowerfailure 967 | Display whether restart on power failure is on or off. 968 | 969 | Usage: systemsetup -setrestartpowerfailure 970 | Set restart on power failure to either or . 971 | 972 | Usage: systemsetup -getrestartfreeze 973 | Display whether restart on freeze is on or off. 974 | 975 | Usage: systemsetup -setrestartfreeze 976 | Set restart on freeze to either or . 977 | 978 | Usage: systemsetup -getallowpowerbuttontosleepcomputer 979 | Display whether the power button is able to sleep the computer. 980 | 981 | Usage: systemsetup -setallowpowerbuttontosleepcomputer 982 | Enable or disable whether the power button can sleep the computer. 983 | 984 | Usage: systemsetup -getremotelogin 985 | Display whether remote login is on or off. 986 | 987 | Usage: systemsetup -setremotelogin 988 | Set remote login to either or . Use "systemsetup -f -setremotelogin off" to suppress prompting when turning remote login off. Requires Full Disk Access privileges. 
989 | 990 | Usage: systemsetup -getremoteappleevents 991 | Display whether remote apple events are on or off. 992 | 993 | Usage: systemsetup -setremoteappleevents 994 | Set remote apple events to either or . Requires Full Disk Access privileges. 995 | 996 | Usage: systemsetup -getcomputername 997 | Display computer name. 998 | 999 | Usage: systemsetup -setcomputername 1000 | Set computer name to . 1001 | 1002 | Usage: systemsetup -getlocalsubnetname 1003 | Display local subnet name. 1004 | 1005 | Usage: systemsetup -setlocalsubnetname 1006 | Set local subnet name to . 1007 | 1008 | Usage: systemsetup -getstartupdisk 1009 | Display current startup disk. 1010 | 1011 | Usage: systemsetup -setstartupdisk 1012 | Set current startup disk to . 1013 | 1014 | Usage: systemsetup -liststartupdisks 1015 | List startup disks on this machine. 1016 | 1017 | Usage: systemsetup -getwaitforstartupafterpowerfailure 1018 | Get the number of seconds after which the computer will start up after a power failure. 1019 | 1020 | Usage: systemsetup -setwaitforstartupafterpowerfailure 1021 | Set the number of seconds after which the computer will start up after a power failure. The value must be a multiple of 30 seconds. 1022 | 1023 | Usage: systemsetup -getdisablekeyboardwhenenclosurelockisengaged 1024 | Get whether or not the keyboard should be disabled when the X Serve enclosure lock is engaged. 1025 | 1026 | Usage: systemsetup -setdisablekeyboardwhenenclosurelockisengaged 1027 | Set whether or not the keyboard should be disabled when the X Serve enclosure lock is engaged. 1028 | 1029 | Usage: systemsetup -version 1030 | Display version of systemsetup tool. 1031 | 1032 | Usage: systemsetup -help 1033 | Display help. 1034 | 1035 | Usage: systemsetup -printCommands 1036 | Display commands. 1037 | ``` 1038 | 1039 | ### airport 1040 | 1041 | The Airport command-line utility can yield a lot of useful Wi-Fi info. 

```text
$ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
Usage: airport

If an interface is not specified, airport will use the first AirPort interface on the system.

is one of the following:
No options currently defined.

Examples:

Configuring preferences (requires admin privileges)
sudo airport en1 prefs JoinMode=Preferred RememberRecentNetworks=NO RequireAdmin=YES

Sniffing on channel 1:
airport en1 sniff 1


LEGACY COMMANDS:
Supported arguments:
-c[] --channel=[] Set arbitrary channel on the card
-z --disassociate Disassociate from any network
-I --getinfo Print current wireless status, e.g. signal info, BSSID, port type etc.
-s[] --scan=[] Perform a wireless broadcast scan.
Will perform a directed scan if the optional is provided
-x --xml Print info as XML
-P --psk Create PSK from specified pass phrase and SSID.
The following additional arguments must be specified with this command:
--password= Specify a WPA password
--ssid= Specify SSID when creating a PSK
-h --help Show this help
```

Probably my favorite use of this command is getting the current network:

```text
$ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
agrCtlRSSI: -40
agrExtRSSI: 0
agrCtlNoise: -91
agrExtNoise: 0
state: running
op mode: station
lastTxRate: 351
maxRate: 1300
lastAssocStatus: 0
802.11 auth: open
link auth: wpa2-psk
BSSID: MY_BSSID
SSID: MY_SSID
MCS: 7
channel: 44,80
```

Also, you can scan your local Wi-Fi networks by running:

```text
$ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
... Networks Here ...
```

### AssetCacheLocatorUtil

This tool locates the Content Caches available to your machine and to other Apple devices on the network.
Content Cache is found under Sharing in System Preferences and lets you cache System Updates and iCloud content on local machines to reduce bandwidth usage.

```text
$ /usr/bin/AssetCacheLocatorUtil
2020-12-26 20:35:24.351 AssetCacheLocatorUtil[39485:7741115] AssetCacheLocatorUtil version 116, framework version 116
2020-12-26 20:35:24.351 AssetCacheLocatorUtil[39485:7741115] Determining public IP address...
2020-12-26 20:35:24.494 AssetCacheLocatorUtil[39485:7741115] This computer's public IP address is 8.30.97.117.
2020-12-26 20:35:24.494 AssetCacheLocatorUtil[39485:7741115] --- Information for system services:
.... More Output
```

The output of this command is fairly large, but it lets you diagnose access to the content cache.

### AssetCacheManagerUtil

This tool manages the Content Cache service on your machine.

```text
$ /usr/bin/AssetCacheManagerUtil
2020-07-04 01:26:37.394 AssetCacheManagerUtil[2835:949425] Usage: AssetCacheManagerUtil [options] command
2020-07-04 01:26:37.394 AssetCacheManagerUtil[2835:949425] Options are:
-a|--all show all events
-j|--json print results in JSON
-l|--linger don't exit
2020-07-04 01:26:37.394 AssetCacheManagerUtil[2835:949425] Commands are:
activate
deactivate
isActivated
canActivate
flushCache
flushPersonalCache
flushSharedCache
status
settings
reloadSettings
moveCacheTo path
absorbCacheFrom path read-only|and-destroy
```

An example usage of this command is:

```text
$ /usr/bin/AssetCacheManagerUtil status
2020-07-04 01:29:24.546 AssetCacheManagerUtil[3572:955073] Content caching status:
Activated: false
Active: false
CacheDetails: (none)
CacheFree: 293.24 GB
CacheLimit: unlimited
CacheStatus: OK
CacheUsed: Zero KB
Parents: (none)
Peers: (none)
PersonalCacheFree: 293.24 GB
PersonalCacheLimit: unlimited
PersonalCacheUsed: Zero KB
Port: 0
RegistrationError: NOT_ACTIVATED
RegistrationResponseCode: 403
RegistrationStatus: -1
RestrictedMedia: false
ServerGUID: [GUID HERE]
StartupStatus: FAILED
TetheratorStatus: 0
TotalBytesAreSince: 2020-07-03 17:22:37
TotalBytesDropped: Zero KB
TotalBytesImported: Zero KB
TotalBytesReturnedToChildren: Zero KB
TotalBytesReturnedToClients: Zero KB
TotalBytesReturnedToPeers: Zero KB
TotalBytesStoredFromOrigin: Zero KB
TotalBytesStoredFromParents: Zero KB
TotalBytesStoredFromPeers: Zero KB
```

### seedutil

seedutil allows you to enroll in and un-enroll from AppleSeed programs, such as Public Betas.

```text
$ sudo /System/Library/PrivateFrameworks/Seeding.framework/Resources/seedutil
usage: seedutil enroll SEED_PROGRAM
seedutil unenroll
seedutil current
seedutil migrate OLD_VERSION NEW_VERSION
seedutil fixup
```

An example usage of this command is:

```text
$ sudo /System/Library/PrivateFrameworks/Seeding.framework/Resources/seedutil current
Currently enrolled in: (null)

Program: 0
Build is seed: NO
CatalogURL: (null)
NSShowFeedbackMenu: NO
DisableSeedOptOut: NO
Asset Audience: c80fd46d-7cc7-487e-993c-3876697879dc
```

### kmutil

kmutil is a tool for managing Kernel Extensions.

```text
$ /usr/bin/kmutil
OVERVIEW: kmutil: KernelManagement Utility (KernelManagement_executables-102.60.20)

USAGE: kmutil

OPTIONS:
-h, --help Show help information.

SUBCOMMANDS:
create Create one or more new artifacts based on the arguments provided.
load Load one or more extensions based on the arguments provided.
unload Unload the named kexts and all personalities.
log Display logging information about the KernelManagement subsystem.
libraries Search for library kexts that define symbols needed for linking by a a kernel extension.
dumpstate Dumps kernelmanagerd(8) state for debugging
inspect Inspect & display a kext collection's contents according to the options provided.
clear-staging Clears all contents of the kext staging locations on the system
find Find kexts available on the operating system.
showloaded Show the loaded state of the extensions on the system, according to the options provided.
trigger-panic-medic Delete and disable loading of third party kexts in order to safely boot into a target volume. (can only be triggered in Recovery mode)
eg usage: `kmutil trigger-panic-medic --volume-root /Volumes/`
check Check the consistency of kext collections against each other and/or load information in-kernel.
print-diagnostics Perform all possible tests on a specified kext, and indicate whether the kext is loadable.

See 'kmutil help ' for detailed help.
```

An example of using kmutil is to list loaded kexts:

```text
$ /usr/bin/kmutil showloaded
No variant specified, falling back to release
Index Refs Address Size Wired Name (Version) UUID
1 139 0 0 0 com.apple.kpi.bsd (20.2.0) 82E2050C-5936-3D24-AD3B-EC4EC5C09E11 <>
2 11 0 0 0 com.apple.kpi.dsep (20.2.0) 82E2050C-5936-3D24-AD3B-EC4EC5C09E11 <>
3 168 0 0 0 com.apple.kpi.iokit (20.2.0) 82E2050C-5936-3D24-AD3B-EC4EC5C09E11 <>
4 0 0 0 0 com.apple.kpi.kasan (20.2.0) 82E2050C-5936-3D24-AD3B-EC4EC5C09E11 <>
```

### profiles

profiles allows you to manage and inspect macOS profiles. This is most commonly used for MDM.

```text
$ /usr/bin/profiles help
profiles allows you access configuration or application provisioning profiles on macOS.
Use 'profiles help' for this help section, or use the man page for expanded instructions.
Basic usage is in the form: 'profiles []'

Clients should use the Profiles System Preferences pane to install configuration profiles.

Command Verbs:
status - indicates if profiles are installed
list - list profile information
show - show expanded profile information
remove - remove profile
sync - synchronize installed configuration profiles with known users
renew - renew configuration profile installed certificate
validate - validation of provisioning profile or DEP server enrollment information
version - display tool version number

Options: (not all options are meaningful for a command)
-type= - type of profile; either 'configuration', 'provisioning', 'enrollment', or 'bootstraptoken'
-user= - short user name
-password= - password
-identifier= - profile identifier
-path= - file path
-uuid= - profile UUID
-enrolledUser= - enrolled user name
-verbose - enable verbose mode
-forced - when removing profiles, automatically confirms requests
-all - select all profiles
-quiet - enable quiet mode
```

An example usage of profiles is viewing the status of profile enrollment:

```text
$ /usr/bin/profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
```

### bputil

bputil is a tool for managing Boot Policy. This tool is only available on Apple Silicon. If you run this tool on x86_64, it will output: `bputil is not yet supported on this platform.`

```text
$ /usr/bin/bputil

This utility is not meant for normal users or even sysadmins.
It provides unabstracted access to capabilities which are normally handled for the user automatically when changing the security policy through GUIs such as Startup Disk in macOS Recovery.
It is possible to make your system security much weaker and therefore easier to compromise using this tool.
This tool is not to be used in production environments.
It is possible to render your system unbootable with this tool.
It should only be used to understand how the security of Apple Silicon Macs works.
Use at your own risk!

bputil v0.1.3 - a tool to modify boot policies
bputil ...

Optional arguments:
-u, --username
Used to specify the username for a user with access to the signing key to authenticate the change
If this is specified, the below password option is required too
If this is not specified, an interactive prompt will request the username
-p, --password
Used to specify the password for a user with access to the signing key to authenticate the change
If this is specified, the above username option is required too
If this is not specified, an interactive prompt will request the password
-v, --vuid
Set the Volume Group UUID value
If no option is specified, the default value of Volume Group UUID will be set to the APFS volume group UUID of the running OS
Volume Group UUID for a given OS can be found with 'diskutil apfs listVolumeGroups'
-l, --debug-logging
Enables verbose logging to assist in debugging any issues associated with changing the policy
-d, --display-policy
Display the local policy. If the system has multiple bootable volumes, an interactive prompt will ask you to specify a volume
-f, --full-security
Changes security mode to Full Security. This option is mutually exclusive with all options below which cause security downgrades
-g, --reduced-security
Changes security mode to Reduced Security
Passing this option will explicitly recreate the LocalPolicy, only the options specified via this tool will exist in the output local policy
-n, --permissive-security
Changes security mode to Permissive Security
Passing this option will explicitly recreate the LocalPolicy, only the options specified via this tool will exist in the output local policy
-m, --enable-mdm
Enables MDM management of software updates & kernel extensions
Automatically downgrades to Reduced Security mode if not already true
-k, --enable-kexts
Enables trust in locally SEP-signed AuxilaryKernelCache that contains 3rd party kexts
Automatically downgrades to Reduced Security mode if not already true
-c, --disable-kernel-ctrr
Disables the enforcement of the Configurable Text Read-only Region that protects Kernel code
Automatically downgrades to Permissive Security mode if not already true
-a, --disable-boot-args-restriction
Enables sending custom boot args to the kernel
Automatically downgrades to Permissive Security mode if not already true
-s, --disable-ssv
Disables Signed System Volume integrity checks
Automatically downgrades to Permissive Security mode if not already true
NOTE: SSV cannot be disabled while FileVault is enabled
```

### nscurl

nscurl is similar to curl, but uses macOS APIs.

```text
$ /usr/bin/nscurl -h
Usage: nscurl [options...]
Options:
-h --help Display help message
-bg --background Use the background transfer
API to execute the request
--discretionary Marks the transfer as
discretionary (only has an
effect if --background is
passed)
-D --dump-header [ARG] Write the response headers to
the specified file (pass '-'
for stdout)
-o --output [ARG] Write the response data to
the specified file (pass '-'
for stdout)
-i --include Include response headers in
output
-L --location Instruct nscurl to follow
redirects (this is the
default behavior)
--ignore-location Instruct nscurl to ignore
redirects
-H --header [ARG] Specify an additional HTTP
Header ("X-Header-Name:
Value")
-A --user-agent [ARG] Specify the User-Agent string
-u --user [ARG] Specify a username and
password
-dl --download Download the resource using a
download task
-dir --download-directory [ARG] Download the resource into
the specified directory
-T --upload [ARG] Upload the specified file
(with HTTP PUT request
-SU --streamed Use a streamed upload instead
of a file upload, when
--upload is passed
-k --insecure Disable cert checking when
using TLS
-ld --large-download Use 'large-download'
properties
--bg-traffic-class Use SO_TC_BK traffic class
-m --max-time [ARG] Timeout in seconds for the
entire request
--window-delay [ARG] Conditional connection window
delay for request
--window-duration [ARG] Conditional connection window
duration for request
-M --method [ARG] Set the HTTP method for the
request
-G --get Send a GET request
-I --head Send a HEAD request
--post Send a POST request
--put Send a PUT request
-r --range [ARG] Specify a byte range
--no-expensive Disallow the use of expensive
networks
--no-constrained Disallow the use of
constrained networks
--start-timeout [ARG] Sets a timeout on starting
the request (expressed in
seconds from now)
--fast-connect-timeout Fail quickly if the server is
unreachable
--payload-transmission-timeout [ARG] Sets a timeout on payload
transmission

post-connection-establishment
-v --verbose Verbose output
--ats-diagnostics Display ATS diagnostic
information for URL
--fingerprint Display fingerprint of URL
TLS configuration
--ats-tls-version [ARG] Minimum TLS version used for
ATS configuration. Allowed
values: TLSv1.0, TLSv1.1,
TLSv1.2, or TLSv1.3
--ats-disable-pfs Do not require Perfect
Forward Secrecy for ATS
configuration
-ec --effective-configuration Exercise effective
configuration
--effective-configuration-dump [ARG] Write effective configuration
to plist
--effective-configuration-read [ARG] Read effective configuration
from plist
--http3 Enable HTTP/3
--http3-prior-knowledge Enable HTTP/3 racing without
service discovery
```

An example of using nscurl is fetching your external IP from ipify.org:

```text
$ /usr/bin/nscurl 'https://api.ipify.org?format=json'
{"ip":"10.25.0.1"}
```

### taskinfo

taskinfo is a tool for viewing detailed information about a process.

```text
$ /usr/bin/taskinfo -h
usage:
taskinfo [-h|--help] [--threads] [--dq] [--boosts] [process-name|pid]
```

An example of using taskinfo is fetching information about the taskinfo process itself.

```text
$ sudo /usr/bin/taskinfo taskinfo
process: "taskinfo" [76355] [unique ID: 773167]
architecture: arm64e
coalition (type 0) ID: 30994
coalition (type 1) ID: 30995
suspend count: 0
virtual bytes: 389.20 GB; phys_footprint bytes: 832.69 kB; phys_footprint lifetime maximum bytes: 832.69 kB
run time: 0 s
user/system time (current threads): 0.000781 s / 0.011651 s
user/system time (terminated threads): 0.000000 s / 0.000000 s
interrupt wakeups: 0 (0 / nan% from platform idle)
default sched policy: POLICY_TIMESHARE
CPU usage monitor: none
CPU wakes monitor: 150 wakes per second (over system-default time period)
dirty tracking: untracked dirty
boosts: 0 (0 externalized)
requested policy
req apptype: TASK_APPTYPE_DAEMON_INTERACTIVE
req role: TASK_UNSPECIFIED (PRIO_DARWIN_ROLE_DEFAULT)
req qos clamp: THREAD_QOS_UNSPECIFIED
req base/override latency qos: LATENCY_QOS_TIER_UNSPECIFIED / LATENCY_QOS_TIER_UNSPECIFIED
req base/override thruput qos: THROUGHPUT_QOS_TIER_UNSPECIFIED / THROUGHPUT_QOS_TIER_UNSPECIFIED
req darwin BG: NO
req internal/external iotier: THROTTLE_LEVEL_TIER0 (IMPORTANT) / THROTTLE_LEVEL_TIER0 (IMPORTANT)
req darwin BG iotier: THROTTLE_LEVEL_TIER2 (UTILITY)
req managed: NO
req other:
req suppression (App Nap) behaviors:
effective policy
eff role: TASK_UNSPECIFIED (PRIO_DARWIN_ROLE_DEFAULT)
eff latency qos: LATENCY_QOS_TIER_UNSPECIFIED
eff thruput qos: THROUGHPUT_QOS_TIER_UNSPECIFIED
eff darwin BG: NO
eff iotier: THROTTLE_LEVEL_TIER0 (IMPORTANT)
eff managed: NO
eff qos ceiling: THREAD_QOS_USER_INITIATED
eff qos clamp: THREAD_QOS_UNSPECIFIED
eff other:
imp_donor: YES
imp_receiver: NO
pid suspended: NO
adaptive daemon: NO (boosted: NO)
```

### taskpolicy

taskpolicy can be used to adjust certain policies for running programs, and can additionally be used for running programs with a particular policy.

```text
$ /usr/sbin/taskpolicy
Usage: taskpolicy [-x|-X] [-d ] [-g policy] [-c clamp] [-b] [-t ]
[-l ] [-a] [ [...]]
taskpolicy [-b|-B] [-t ] [-l ] -p pid
```

An example of using taskpolicy is clamping a command to a particular task QoS:

```text
$ /usr/sbin/taskpolicy -c background sw_vers
ProductName: macOS
ProductVersion: 11.0
BuildVersion: 20A2411
```

### asr

asr stands for Apple Software Restore. It is used for copying volume content.

```text
$ /usr/sbin/asr
Usage: asr
is one of the following:
asr help | version
asr restore --source --target []
asr restore --source asr:/// --file []
asr server --source --config []
asr imagescan --source [--filechecksum] [--nostream]
asr info --source [--plist]
```

There is a [great WWDC talk](https://developer.apple.com/videos/play/wwdc2019/710/) which dives into ASR around the eleven minute mark.

### shortcuts

shortcuts allows you to run and list your shortcuts from the Shortcuts app.

```text
$ /usr/bin/shortcuts
OVERVIEW: Command-line utility for running shortcuts.

USAGE: shortcuts

OPTIONS:
-h, --help Show help information.

SUBCOMMANDS:
run Run a shortcut.
list List your shortcuts.
view View a shortcut in Shortcuts.
sign Sign a shortcut file.

See 'shortcuts help ' for detailed help.
```

An example of using shortcuts is the list command to list your shortcuts:

```text
$ /usr/bin/shortcuts list
Accessibility Assistant
Show me my Doorbell Camera
Show me my Front Camera
```

### networkQuality

networkQuality measures the quality of the network you are connected to.

```text
$ /usr/bin/networkQuality -h
USAGE: networkQuality [-C ] [-c] [-h] [-I ] [-s] [-v]
-C: override Configuration URL
-c: Produce computer-readable output
-h: Show help (this message)
-I: Bind test to interface (e.g., en0, pdp_ip0,...)
-s: Run tests sequentially instead of parallel upload/download
-v: Verbose output
```

Running without any arguments will give you an assessment of your network.

```text
$ /usr/bin/networkQuality
==== SUMMARY ====
Upload capacity: 24.494 Mbps
Download capacity: 262.640 Mbps
Upload flows: 16
Download flows: 12
Responsiveness: Medium (677 RPM)
```