Last edit: October 01, 2017 10:00:33 AM CDT

See also *nix

Applications, Installation & Installers

productbuild will build distribution packages
Package receipts live in /var/db/receipts

List of installed packages
    pkgutil --pkgs

Get a list of installed applications
    /usr/libexec/mdmclient QueryInstalledApps

When was an Apple package installed?
    system_profiler SPInstallHistoryDataType | grep -A 2 -B 3 "Source: Apple"

Detailed list of when packages were installed
    cat /Library/Receipts/InstallHistory.plist

What date was a package installed
    pkgutil --pkg-info [package info from pkgutil --pkgs] | date -r $(awk '/install/ { print $2 }')| awk '{ print $2,$3,$6 }'

Get metadata for installed files
    pkgutil --file-info /path/to/pkg

What files will be installed by a package
    pkgutil --payload-files /path/to/pkg

What files were installed by a package
    pkgutil --files [pkg]

Forget packages from install database
    pkgutil --regexp --forget "com\.company\.product\.s*"

Which applications are from the App Store?
    find /Applications -path '*Contents/_MASReceipt/receipt' -maxdepth 4 -print | sed 's#.app/Contents/_MASReceipt/receipt#.app#g; s#/Applications/##'

Download pkgs direct from Apple's Software Update Catalogs
Get pkg URLs:
    curl -s $(strings /System/Library/PrivateFrameworks/SoftwareUpdate.framework/SoftwareUpdate | awk '/https/ && /sucatalog/') | awk '/[AppName w/out brackets]/ && /pkg/'
With found URLs:
    curl -O [URL]

Get application version information
    defaults read /path/inside/appbundle/Contents/Info CFBundleShortVersionString

Get Info on an Application
    file /Applications/[app].app/Contents/MacOS/[app]

Find all applications owned by admin user and reset to standard ownership
    find /Applications -user adnetmin -print0 | xargs -0 chown root:admin

Install Xcode CLI Tools
    xcode-select --install
and then
    sudo xcode-select --reset

Create a disk-based installer from OS X Installer.app
    /Applications/Install\ [OS version].app/Contents/Resources/createinstallmedia --volume /Volumes/[target] --applicationpath /Applications/Install\ OS\ X\ [OS version].app --nointeraction

Get OS build version from OS X Installer.app
1. Mount InstallESD.dmg
2. hdiutil attach BaseSystem.dmg
3. defaults read /Volumes/OS\ X\ Base\ System/System/Library/CoreServices/SystemVersion.plist

Launch with root access from any user account
    sudo -u root /Applications/app.app/Contents/MacOS/app

Build a basic component package
    pkgbuild --component /Applications/app.app --install-location /tmp app.pkg

Build a payload-free package
    pkgbuild --nopayload --scripts /path/to/scripts_folder --identifier [com.company.packagename] --version [version number] /destination/packageName.pkg

Build a basic package
    pkgbuild --identifier [com.company.packagename] --root /path/to/files --ownership preserve --version [version number] packageName.pkg

Convert flat component package into a distribution package
    productbuild --package /path/to/component.pkg /path/to/distribution.pkg

Package macports install into a standalone installer
    sudo port pkg [app]
    sudo port mpkg [app]

Get an application's exact file path
    mdfind kMDItemCFBundleIdentifier = "[BundleIdentifier]"

startosinstall
    /path/to/Install\ macOS\ High\ Sierra.app/Contents/Resources/startosinstall

Install package with startosinstall
Packages must all be signed or unsigned distribution-style flat packages
    startosinstall --applicationpath /Applications/Install\ macOS\ High\ Sierra.app --agreetolicense --installpackage /path/to/package.pkg --installpackage /path/to/package_two.pkg --nointeraction

Choices XML
    installer -package /path/to/pack.pkg -showChoicesXML
    installer -pkg /path/to/package.pkg -applyChoiceChangesXML /path/to/file.xml -target [/]
“Changing the ‘visible’ and ‘enabled’ attributes only affects their display in Installer.app; to control what is installed, we need to control the ‘selected’ choiceAttributes” — http://code.google.com/p/munki/wiki/ChoiceChangesXML

List application's linked frameworks & dylibs
    otool -L /path/to/executable

List system files used by an executable
    otool -L /path/to/executable

Defaults & Profiles

Profiles: settings are interpreted by the OS and installed in /Library/Managed Preferences as plist files
10.8+ uses cfprefsd, which is a preference broker/manager. Data might not come from what's on disk but instead come from values in memory
10.8+: Sandbox apps keep data in ~/Library/Containers/[app id]
Profiles-related files live in /var/db/ConfigurationProfiles
plutil -lint is your friend if editing plist or launch* files

Remove all preferences
    defaults delete [app id]

Random defaults
    defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
    defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool YES
    defaults write /Library/Preferences/.GlobalPreferences PMPrintingExpandedStateForPrint -bool TRUE
    defaults write com.apple.Safari WebKitOmitPDFSupport -bool YES

See Remote Disks
    defaults write com.apple.NetworkBrowser EnableODiskBrowsing -bool YES

Disable window restoration for an application
    defaults write com.apple.[appname] NSQuitAlwaysKeepsWindows -bool false

Disable Resume (10.8+)
    defaults write com.apple.loginwindow TALLogoutSavesState -bool false

See file extensions in the Finder
    defaults write NSGlobalDomain AppleShowAllExtensions -bool true; killall Finder

Disable App Nap
    defaults write tld.company.app NSAppSleepDisabled -bool YES

Set FV2 pre-boot login screen login banner
    defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "[Insert Text Here]"
Then
    touch /System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources

Disable Siri setup dialog
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeSiriSetup -bool TRUE
    defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeSiriSetup -bool TRUE

Disable Siri Menu Item
    defaults write ~/Library/Preferences/com.apple.Siri.plist StatusMenuVisible -bool false

Enable Reminders.app debug menu
    defaults write com.apple.reminders RemindersDebugMenu -boolean true

Set Finder new window to open User Home folder by default
    defaults write com.apple.finder NewWindowTarget -string PfHm

Show Status Bar in Finder
    defaults write com.apple.finder ShowStatusBar -bool TRUE

Set Finder server bookmarks
    defaults write com.apple.sidebarlists favoriteservers -dict-add CustomListItems '( { Name = "afp://fqdn/"; URL = "smb://fqdn/"; } )'

Disable Back To My Mac in Sidebar
    defaults write com.apple.sidebarlists networkbrowser "ControllerCustomListItemsCustomListItemsCustomListPropertiescom.apple.NetworkBrowser.backToMyMacEnabled"

Disable Bonjour in Sidebar
    defaults write com.apple.sidebarlists networkbrowser "ControllerCustomListItemsCustomListItemsCustomListPropertiescom.apple.NetworkBrowser.bonjourEnabled"

Disable on Connect Server in Sidebar
    defaults write com.apple.sidebarlists networkbrowser "ControllerCustomListItemsCustomListItemsCustomListPropertiescom.apple.NetworkBrowser.connectedEnabled"

10.13+ Fetch only basic SMB volume info
    defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool TRUE
Undo:
    defaults delete com.apple.desktopservices DSDontWriteNetworkStores

Set Safari to not open downloads automatically
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool FALSE

Set Safari to confirm when closing multiple pages
    defaults write com.apple.Safari ConfirmClosingMultiplePages -bool TRUE

Set Safari homepage
    defaults write com.apple.Safari HomePage -string [FQDN]

List computer level profiles
    profiles -Cv

Get names of enrollment profiles
    profiles -Cv | awk '/Enrollment/ { print $5,$6,$7,$8,$9 }'

Get installed profiles
    profiles -Lv
(standard user gets that user's profiles. root gets system profiles)
    profiles -P -o stdout [or path/to/out]
    system_profiler SPConfigurationProfileDataType

List information about installed configuration profiles
    system_profiler SPConfigurationProfileDataType

Install profiles
    profiles -I -F /path/to/file

Install profiles at reboot
    profiles -s -F /path/to/thisprofile.mobileconfig -f -v

Location of Profiles Store
    /private/var/db/ConfigurationProfiles/Store/

Which server issued a machine's MDM certificate
    system_profiler SPConfigurationProfileDataType | awk '/mdm/{print $3}' | tail -1 | awk -F / '{print $3}'
    system_profiler SPConfigurationProfileDataType | awk '/ServerURL/ {print $3}' | awk -F / '{print $3}'

What is an enrolled machine's MDM server
    defaults read /private/var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist APNSTokens_Production | awk '/https/'

Get detailed listing of installed profiles (10.12+)
    /usr/libexec/mdmclient QueryInstalledProfiles

Detailed APNS status (10.12+)
    /System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status

APNS Status User (10.12+)
    /System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status |grep -A 25 com.apple.mdmclient.agent.push.production

APNS Status Device (10.12+)
    /System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status |grep -A 25 com.apple.mdmclient.daemon.push.production

Enable debug logs for APNS
Also works to examine Profile Manager service on Server.app
    defaults write /Library/Preferences/com.apple.apsd APSLogLevel -int 7
    defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool TRUE
    killall apsd
    tail -f /Library/Logs/apsd.log
Reset:
    defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool FALSE
    defaults delete /Library/Preferences/com.apple.apsd APSLogLevel
    killall apsd

DEP & VPP

Read contents of a VPP token
    base64 --decode /Path/To/domain.vpptoken
    base64 -D /Path/To/domain.vpptoken | xxd

Simulate DEP
    /usr/libexec/mdmclient dep nag
Will manipulate /var/db/ConfigurationProfiles/.cloudConfig* files

Drives, Disk Images & Filesystem

Get details about the boot drive
    diskutil info /

Get free space of boot drive
    diskutil info / | awk '/ Free / {print $4,$5}'

Mount a DMG file
    hdiutil mount -noverify /path/to/the.dmg

Split image based on size
    hdiutil segment -o firstSegname -segmentSize 4300M imageName.dmg

Split image based on segment count
    hdiutil segment -o firstSegname -segmentCount 2 imageName.dmg

Check a DMG's signature (10.12+)
    spctl -a -t open --context context:primary-signature -v MyImage.dmg

Get attributes of files and directories
    GetFileInfo

In-depth Spotlight logging and diagnostics
    mddiagnose

Remove quarantine attribute flags
    xattr -d -r com.apple.quarantine /path/to/files

Strip ACLs (that is a zero not an oh)
    chmod -a# [acl number, likely 0] [path/to/folder]

Make files/folders invisible
    SetFile -a V

Get access and modification information for a file
    stat -x

Open the Enclosing Folder for a File from the CLI
    open -R .

Get Info on a File
    file /path/to/file

Preserve ACLs during a copy
    cp -p

Which files in a directory are SIP-protected (oh, not zero)
    ls -alO

Verify and Repair disk permissions
    sudo /usr/libexec/repair_packages --verify --standard-pkgs --volume /
    sudo /usr/libexec/repair_packages --repair --standard-pkgs --volume /

Dry run an APFS conversion (10.13+)
    diskutil apfs convert /Volumes/MacHD -dryrun

Manually decrypt and erase a corrupted FileVault volume
    diskutil cs list
    diskutil cs delete [uuid for problematic volume]

Correct permissions for user with preferences quirks or unexpected prompts for admin credentials
    chown -R [user] /Users/[user]
    diskutil resetUserPermissions / [User's UID]
If that fails:
    diskutil cs list
    diskutil cs revert [uuid for problematic volume]
    diskutil cs list | grep "Conversion Progress"
Track progress
    diskutil eraseDisk JHFS+ target disk0

Get Recovery HD OS Version (10.7-10.12 non-APFS)
1. diskutil list to find Recovery HD device info
2. diskutil mount /dev/disk/slice
3. defaults read /Volumes/Recovery\ HD/com.apple.recovery.boot/SystemVersion.plist ProductVersion
4. diskutil umount /Volumes/Recovery\ HD

Get Recovery Container OS Version (10.13+ APFS)
1. diskutil list to find Recovery container info
2. diskutil mount /dev/disk/slice
3. defaults read /Volumes/Recovery/[UUID]/SystemVersion.plist ProductVersion
4. diskutil umount /Volumes/Recovery

Boot into Recovery Mode
1. diskutil list
2. diskutil mount /dev/disk/slice
3. sudo bless --mount /Volumes/Recovery\ HD --setBoot --nextonly --file /Volumes/Recovery\ HD/com.apple.recovery.boot/boot.efi
3a. 10.13+ APFS: sudo bless --mount /Volumes/Recovery --setBoot --nextonly --file /Volumes/Recovery/com.apple.recovery.boot/boot.efi
4. shutdown -r now

Hardware

Various system/machine stats and info
    sysctl

Get serial number
    ioreg -c IOPlatformExpertDevice -d 2 |awk '/IOPlatformSerialNumber/ {print $3}' |sed s/\"//g
    system_profiler SPHardwareDataType | awk '/Serial/ {print $4}'
    nvram 4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:SSN | awk '{ gsub(/\%.*/, ""); print $NF }'

Get hardware UUID
    ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }'
    system_profiler SPHardwareDataType | awk '/UUID/ {print $3}'
    system_profiler SPHardwareDataType | grep UUID | cut -c 22-57

Which hardware is supported by OS installer
    cat /System/Library/CoreServices/PlatformSupport.plist

Get model (10.12+)
    /usr/libexec/mdmclient QueryDeviceInformation | awk '/Model/&&/\,/ {print $3}'

Get Model Number information
    curl -s http://support-sp.apple.com/sp/product?cc="[last four digits of serial number]"

Get EFI version
    system_profiler SPHardwareDataType | awk '/ROM/ {print $4}'

Get a list of attached USB input devices
    hidutil list | awk '/USB/'

Get a list of attached Bluetooth input devices
    hidutil list | awk '/Bluetooth/'

Get a list of network ports
    /usr/libexec/mdmclient QueryNetworkInformation

Get built-in Ethernet MAC
    networksetup -getinfo Ethernet | awk '/Ethernet Address/ {print $3}'

Get a built-in Wi-Fi MAC
    networksetup -getmacaddress "Wi-Fi" | awk '/Address/ {print $3}'

Get Thunderbolt Adapter MAC
    networksetup -getmacaddress "Thunderbolt Ethernet" | awk '/Address/ {print $3}'

Get Display built-in Ethernet MAC
    networksetup -getmacaddress "Display Ethernet" "Wi-Fi" | awk '/Address/ {print $3}'

Find My Mac registration information
    nvram -p | grep fmm*

Computer name registered with Find My Mac
    nvram -p | awk '/fmm-computer-name/ {print $2}'

Logging, Monitoring & Troubleshooting Tools

For best results with log, run with elevated privileges

10.12+ format of default output of log command, left to right
• Timestamp (YYYY-MM-DD HH:MM:SS.sssss-TZ)
• Thread ID
• Log Level Type (Default, Info, Debug, Error, Faults)
• Process ID
• Process Name (processImagePath)
• Library (senderImagePath)
• Subsystem
• Category
• Message (eventMessage)

10.12+ log predicates
• category: Category of a log entry
• eventMessage: Searches the activity or message
• eventType: Type of events that created the entry (e.g. logEvent, traceEvent)
• messageType: Type or level of a log entry
• processImagePath: Name of the process that logged the event
• senderImagePath: Not all entries are created by processes, so this also includes libraries and executables
• subsystem: Name of the subsystem that logged an event

10.12+ log equivalent to tail -f /var/log/system.log
    log stream --style syslog

10.12+ log stream with a time limit
    log stream --style syslog --type log --timeout [time period m|h|d]

Output 10.12+ logs
    log collect --output /path/to/collected.logarchive

Output a time period of 10.12+ logs
    log collect --last [time period m|h|d] --output /path/to/collected.logarchive

Check for a specific event or term in 10.12+ logs
    log show --predicate 'eventMessage contains "foo"' --last [time period m|h|d]
e.g.
    log show --predicate 'eventMessage contains "Safari"' --info --last 15m

Check for events with a specific subsystem in 10.12+ logs
    log show --predicate 'subsystem contains "foo"' --last [time period m|h|d]
e.g.
    log show --predicate 'subsystem contains "com.apple.finder"' --info --last 12h

Show user login information for past week
    log show --predicate 'processImagePath contains "com.apple.AccountPolicyHelper"' --last 7d

Show "Previous Shutdown" error info for past week
    log show --predicate 'eventMessage contains "Previous Shutdown"' --last 7d

Show last fifteen minutes of logs for a particular process
    log show --predicate 'processID == [pid]' --last 15m

System Error Codes
    /System/Library/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers/MacErrors.h

Shutdown Cause Codes
0: Power disconnected
3: Hard shutdown
5: Normally initiated shutdown
-3: Multiple temperature sensors too high
-60: Bad master directory block, serious disk error
-61, -62: Unresponsive app resulting in forced shutdown
-64: Kernel panic, probably due to firmware issue
-71: Memory too hot
-74: Battery too hot
-75: MagSafe power adaptor communication problem
-78: Incorrect input current from power adaptor
-79: Incorrect current from battery
-86, -95: Proximity temperature (heatsink etc.) too high
-100: Power supply too hot
-101: Display too hot
-103: Battery voltage too low
-104: Unknown battery fault
-127: PMU/SMC forced shutdown for another cause

lsof options
    lsof -i or lsof -iPn
Find open files by user:
    lsof -u username/UID
Find by process:
    lsof -p PID

See all the files an application has open
    lsof -c [Application]

See network connections an application has opened
    lsof -c [Application] | grep TCP
    lsof -c [Application] | grep LISTEN

Get detailed filesystem usage
    fs_usage -e -www

See file changes for an application or process as they happen (SIP will impact use)
    opensnoop -n [process name]

See new process execution (SIP will impact use)
    execsnoop

See I/O events as they occur (SIP will impact use)
    iosnoop

Display top disk I/O events by process (SIP will impact use)
    iotop

Per application TCP I/O
    nettop -m tcp

I/O per network route
    nettop -m route

Measure which CPU a process runs on
    cpuwalk.d

See bytes of I/O by file and process (SIP will impact use)
    iofileb.d

Sample process by CPU (SIP will impact use)
    sampleproc

Get summary of machine's CPU, Power, Disk and Memory usage and process activity
    systemstats --day current

Profile memory usage per application (10.9+)
    footprint -pid [pid]
    footprint -proc [process name]

Status of loaded kexts
    kextstat

Dump system configuration data
    scutil -p --snapshot
Look in /var/tmp for configd* files

Create disk IOPS table
    iostat -do -c 3 -w 5 [disks]
do: old-style disk info
c: count
w: second wait interval
[disks]: Can list multiple disks

Determine which process is connected to a particular IP (aka what's downloading all that stuff)
1. `nettop -nc -m route` (this gives a list of IPs. Find suspect IP)
2. `netstat -tn | awk '/[suspect IP from step 1]/'`
3. `lsof | awk '/[socket number returned in netstat for suspect IP]/'`
4. If needed, `ps ax | grep [PID found in lsof]`

Kickstart ARD with access and full privileges for admin users
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu

Networking & Directory Services

mDNSResponder = one true source of DNS resolution in 10.5+ (with a few exceptions)
dig/nslookup/host = direct queries; have own resolvers
ping/dscl/dscacheutil/Safari = use mDNSResponder; info is cached
Native Attributes=LDAP | Standard Attributes=OD

Flush DNS Cache (10.7+)
    sudo dscacheutil -flushcache
    sudo killall -HUP mDNSResponder

Clear Google Chrome DNS Cache
    chrome://net-internals/#dns “Clear host cache”

Resolve hostname to IP
    dscacheutil -q host -a name [name]

Get DNS server used by a particular port
    ipconfig getoption [port] domain_name_server

Set Computer/Host Name
    scutil --set ComputerName [value]
    scutil --set LocalHostName [value]
    scutil --set HostName [value]

Dump mDNSResponder cache info to syslog
    sudo killall -INFO mDNSResponder

Select system configuration location
    scselect

What DNS servers is a machine using to resolve hosts
    scutil --dns

Is a host/server available and reachable?
    scutil -r [IP|hostname]

Lightweight port scanner
    /System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke [IP or FQDN to scan] [starting port] [ending port]

Scan a subnet for AirPlay Hosts
    dns-sd -B _airplay._tcp. local.

Get information about wireless connection
    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I

Scan for wireless networks
    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Enable routing between interfaces
    sudo sysctl -w net.inet.ip.forwarding=1
    sudo sysctl -w net.inet.fw.enable=1

Get detailed information about a mounted SMB share
    smbutil statshares -a

Enable DirectoryService logs
    slapconfig -enableslapdlog

Misc tools
    dot_clean
    networksetup
    sso_util

Security

Start the application level firewall
    launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
    launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

Stop the application level firewall
    launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
    launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist

Allow an outbound connection in application layer firewall
    socketfilterfw -t"/Applications/[app]/Contents/MacOS/[app]"

10.13 User-Approved Kernel Extension Loading Database
    /var/db/SystemPolicyConfiguration/KextPolicy

Get UAKEL Database Kext Entries
    sqlite3 -line /var/db/SystemPolicyConfiguration/KextPolicy 'select * from kext_policy;'
    sqlite3 -line /var/db/SystemPolicyConfiguration/KextPolicy 'select * from kext_policy;' -csv

10.13+ encrypted FileVault Personal Recovery Key location
    /var/db/FileVaultPRK.dat

Check package signing
    pkgutil --check-signature /path/to/.pkg

Strip a signing signature for a package
    pkgutil --expand /path/to/package /path/to/destination; pkgutil --flatten /path/to/expanded /new/destination

Check the cert expiration date on an installer from the App Store
    openssl pkcs7 -inform der -in /Applications/[app]/Contents/_MASReceipt/receipt -print_certs -text | grep "Not After :"

Get malware definitions date (10.6 - 10.8)
    defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta LastModification

Get malware definitions date (10.9+)
    stat -x /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist | grep Modify | awk '{print $2,$3,$4,$5,$6}'

Force update of malware definitions (10.6 - 10.8)
    sudo /usr/libexec/XProtectUpdater

Force update of malware definitions (10.9-10.11)
    softwareupdate --background-critical
Automatic updates must be enabled first:
    softwareupdate --schedule on

Force update of Xprotect, Gatekeeper and MRT definitions (10.12)
    softwareupdate -l --include-config-data
    softwareupdate -i --include-config-data

Delete all enrolled fingerprints of all users on a Touchbar Mac
    sudo bioutil --purge -s

Reset access to personal data
    tccutil reset [app name]

Mimic Gatekeeper's check at the CLI
    codesign --verify --no-strict --deep --verbose=2 /path/to/app

How to tell if an app is signed in detail
    codesign -dv --verbose=4 /path/to/app 2>&1

Get detailed list of System certificates (10.12+)
Same as Keychain Access > System > Certificates
    /usr/libexec/mdmclient QueryCertificates

Decode base64-encoded text
    echo [coded text] | base64 --decode

FileVault presents "Update Needed" Error
The "Update Needed" means that the EFI login lost the icon information.
Run the following to correct
    sudo fdesetup sync

Software Update & Caching Service

System data files == softwareupdate --background-critical/--include-config-data == XProtect, GateKeeper Opaque Whitelist and Incompatible Kext Configuration Data
Caching Server clients must be able to ping gs.apple.com before they start trusting local caching server

CatalogURLs
10.13: https://swscan.apple.com/content/catalogs/others/index-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz
10.12: https://swscan.apple.com/content/catalogs/others/index-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz
10.11: https://swscan.apple.com/content/catalogs/others/index-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz
10.10: http://swscan.apple.com/content/catalogs/others/index-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

Client

Get LocalMCX value of SUS
    defaults read /private/var/db/dslocal/nodes/Default/computers/localhost mcx_settings | cut -c 526-572

Which SUS Server is a Profile directing a machine to
    system_profiler SPConfigurationProfileDataType | grep CatalogURL | awk '{print $3}'| cut -c 2-88

Use Apple SUS when machines are configured for own SUS (Config Profiles might not allow override. 10.11+ might not respect)
    softwareupdate -l --CatalogURL "http://swscan.apple.com/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog"

Set an updates catalog (10.11+)
    softwareupdate --set-catalog https://swscan.apple.com/content/catalogs/others/[catalog]

Reset updates catalog
    softwareupdate --clear-catalog

Temporarily use alt SUS (Config Profiles might not allow override)
    softwareupdate -i --CatalogURL "http://su.domain_name.com:8088/index.sucatalog"

10.13+ Force Quickscan for just one type of update
    softwareupdate --list --product-types [product, e.g. macOS]

Determine which SU server a machine is pulling updates from
    grep "Using catalog" /var/log/install.log

Change Software Update Server
    defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://FQDNofSUS:8088/index.sucatalog

Which updates are available for a machine
    defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastUpdatesAvailable

Get a list of installed updates by date
    system_profiler SPInstallHistoryDataType

Enable Xprotect and Gatekeeper updates to be installed automatically
    defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE

Enable automatic installation of security updates
    defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE

Enable automatic installation of app updates from the App Store
    defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE

Enable automatic installation of OS X updates
    defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE

Enable automatic software update check
    defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE

When was the last time a Xprotect Config Data package was installed
    pkgutil --pkg-info $(pkgutil --pkgs | awk '/com.apple.pkg.XProtectPlistConfigData/' | tail -n 1) | date -r $(awk '/install/ { print $2 }')| awk '{ print $2,$3,$6 }'

What Caching Server is a machine using
    sudo find /var/folders -iname diskcache.plist -exec plutil -p {} \; | awk '/localAddressAndPort/ {print $3}' | head -n 1 | sed 's/\"//g'

Which Caching Server is a machine using 10.12+
    /usr/bin/AssetCacheLocatorUtil 2>&1 | grep guid | awk '{print$4}' | sed 's/^\(.*\):.*$/\1/' | uniq

Server

Files associated with SUS
/Library/Server/Software Update/Config
- swupd.plist: Lists catalogs on Apple's servers available for use by SUS
- swupd.conf: Apache config file for SUS; includes rewrite rules
/Library/Server/Software Update/Status
- .last_run: last time the service checked in with Apple
- .sync_in_progress or .sync_done: Current sync status of server with Apple
- .start_time: when the SUS started running
- com.apple.server.swupdate.plist: List of updates available from SUS
/Library/Server/Software Update/Data/html
- catalogs.sucatalog: what catalogs are available for use

Monitor Caching Server activity (pre-10.13)
    tail -f /Library/Server/Caching/Logs/Debug.log

10.13+ Caching Service Prefs file (must be owned by _asset_cache user and group)
    /Library/Preferences/com.apple.AssetCache.plist

10.13+ Caching Service Control
    /usr/bin/AssetCacheManagerUtil
• AssetCacheManagerUtil activate: Enable Service
• AssetCacheManagerUtil flushCache
• AssetCacheManagerUtil status
• AssetCacheManagerUtil settings
• AssetCacheManagerUtil reloadSettings

Get detailed SUS status
    sudo serveradmin fullstatus swupdate

Force a SUS sync
    swupd_syncd

Check Running Process on server
    ps ax | grep swupd.conf

Check to see if server is listening on SUS port
    netstat -an | grep 8088 [expect to see "LISTEN"]

Automatically sync updates but do not enable them
    sudo serveradmin settings swupdate:autoEnable = no

Delete unused updates
    sudo serveradmin settings swupdate:PurgeUnused = yes

Troubleshoot a SUS Server
1. Confirm service is running: serveradmin fullstatus swupdate
2. Confirm the process is running: ps ax | grep swupd.conf
3. Confirm the server is listening: netstat -an | grep 8088
4. Confirm a client can reach the catalog: curl -C - -O http://[ip or fqdn]:8088/catalogs.sucatalog
5. Confirm a client can see the service with nmap

System

Don't forget about systemsetup
/var/folders/zz must be 755

SIP Whitelists
    /System/Library/Sandbox/rootless.conf
    /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths

Turn on remote login
    systemsetup -setremotelogin on

Create the com.apple.access_ssh group (needed to allow proper SSH access)
    dseditgroup -o create -q com.apple.access_ssh

Add the admin group to com.apple.access_ssh (needed to allow proper SSH access)
    dseditgroup -o edit -a admin -t group com.apple.access_ssh

Get the time from time server
    /usr/sbin/systemsetup -getnetworktimeserver

Set Timezone
    systemsetup -settimezone America/Chicago
Use "/usr/sbin/systemsetup -listtimezones" to see a list of available time zones

Start iCloud log collection
    ubcontrol --diagnose

Reset iCloud
    ubcontrol --reset

Disable sleep image
    sudo pmset -a hibernatemode 0
    sudo nvram "use-nvramrc?"=false

/etc/newsyslog.conf
file permissions mode | how many copies to keep | size | when to roll | flags

Turn off printer sharing
1. lpstat -p | awk '{print $2}' | xargs -I{} lpadmin -p {} -o printer-is-shared=false
2. cupsctl --no-share-printers

Get a list of printers
    lpstat -a

Get options for a particular printer
    lpoptions -p [name] -l

What printers are configured on a machine
    sudo cat /etc/cups/printers.conf | awk '/Info/' | cut -c 6-99

List a user's launchd items
    launchctl print gui/[user's UID]

List system launchd items
    launchctl print system

Get detailed information about a particular launchagent
    launchctl print gui/[user UID]/[com.company.launchagent]

Load a launchagent (10.10+)
    launchctl bootstrap gui/[user UID] /Library/LaunchAgents/com.company.launchagent.plist

Unload a launchagent (10.10+)
    launchctl bootout gui/[user UID] /Library/LaunchAgents/com.company.launchagent.plist

User

Get currently logged in user (Fast User Switching safe)
    python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'

Alternate versions of current logged in user
    /usr/bin/w | grep console | awk '{print $1}'
    ls -l /dev/console | awk '{print $3}'
    id -P | awk -F: '{print $1}'

User info lookup
    dscacheutil -q user -a name [name]

When was an account created
Dump creationTime from user record in dscl, then date -r [seconds]

Get a list of user IDs
    dscl . -list /Users UniqueID

List of local users on machine
    dscl . list /Users UniqueID | awk '$2 >500 { print $1 }'

Get user's /var/folders Cache Folder
    getconf DARWIN_USER_CACHE_DIR

Get user's /var/folders Temp Folder
    getconf DARWIN_USER_TEMP_DIR

Mobile account files
Password: /var/db/shadow/hash/[dsattrTypeStandard:GeneratedUID]
Account Info: ~/.account

Change local user password
    dscl . -passwd /Users/username thenewpasswordhere
10.11+:
    sysadminctl -resetPasswordFor [local user name] -newPassword [new password]

Use dscl in single user mode
    /bin/launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist &

Create a user (10.11+)
    sysadminctl -addUser [-fullName ] [-UID ] [-shell ] [-password ] [-hint ] [-home ] [-picture ]
10.13 requires using -secureTokenOn when creating an admin user

Cleanly remove a user (10.11+)
Removes any user processes, their home folder, public shares, cached credentials and disables Back to My Mac for the user
    sysadminctl -deleteUser [user]

Server-specific

OS X Server CLI tools
    serveradmin
    ServerBackup
    webappctl

Server (v3+) DNS Tool:
    /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig

Keep shares mounted after log out
    sudo defaults write /Library/Preferences/SystemConfiguration/autodiskmount AutomountDisksWithoutUserLogin -bool YES

Programmatically start PHP and Python apps hosted by Server.app
    sudo webappctl start com.apple.webapp.php
    sudo webappctl stop com.apple.webapp.php
    sudo webappctl start com.apple.webapp.wsgi
    sudo webappctl stop com.apple.webapp.wsgi

Get full network settings for a server
    serveradmin settings network

What ports is a server listening on
    netstat -an

Dump DNS information
    dnsconfig list

Get information about a zone
    dnsconfig --zone=[domain]

View a particular machine's information
    dnsconfig --rr=[FQDN of machine]

Misc

Generate print-ready PDFs of man pages
    man -t [command] | open -f -a /Applications/Preview.app/

Convert an audio file
    afconvert

Toggle visibility of hidden files in the Finder
Press Shift + Command + . (period)

Display a notification
    osascript -e 'display notification "This is the window body" with title "Window Header!"'

Force the Setup Assistant to Run
    sudo /System/Library/CoreServices/Setup\ Assistant.app/Contents/MacOS/Setup\ Assistant -MBDebug -MiniBuddyYes

"What's New" notifications
    /System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/touristd

Apple Service Domains

Apple makes extensive use of Akamai and Cloudfront CDNs, so not all addresses will resolve to an Apple 17.0.0.0 address

aaplimg.com
    Apple's in-house CDN
albert.apple.com
    Used for activation
appldnld.apple.com
    iOS Firmware delivery
ax.itunes.apple.com
    Apple search
buy.itunes.com
    Purchase and account validation
captive.apple.com
    Used for captive network testing. Also used attwifi.apple.com
cl*.apple.com
    Used by locationd
configuration.apple.com
    configuration.apple.com is an alias for configuration.apple.com.edgekey.net, which will resolve to various Akamai IPs
deimos*.apple.com
    iTunes U
deploy.apple.com
    DEP and VPP portal. api-applecareconnect-ept*.apple.com, acc-ipt.apple.com, mdmenrollment.apple.com are also used for DEP
gg*.apple.com
    iOS update servers
gnf-mdn.apple.com & gnf-mr.apple.com
    Deliver EFI updates for Touchbar Macs
gs.apple.com
    gs.apple.com is an alias for gs.apple.com.akadns.net, which will resolve to various Apple 17.0.0.0 IPs
    iOS signature validation and update servers used by Caching service.
gsp*.apple.com & gsp*-ssl.apple.com
    Used with geolocation services
ig.apple.com
    Used with Touchbar Macs
lcdn-locator.apple.com
    Likely used with Caching Service
lcdn-registration.apple.com
    Caching Service registration
littlebuddy.apple.com
    Used by Setup Assistant
mesu.apple.com
    iOS software updates
metrics.apple.com
    Apple analytics
mzstatic.com
    Apple in-house CDN
ocsp.apple.com
    Used to validate certificates. Might also use various verisign.net and verisign.com domains
phobos.apple.com
    iTunes
push.apple.com
    Resolves to various Apple 17.0.0.0 IPs. Used for APNS.
Includes gateway.push.apple.com, feedback.push.apple.com and courier.push.apple.com For push notification services skl.apple.com Used with Touchbar Macs su.itunes.apple.com App updates swcdnlocator.apple.com Related to Apple Mac Software Update swscan.apple.com Front end to Apple Mac Software Update swdist.apple.com Related to Apple Mac Software Update Built-in apps and binaries and their related service domains Airport Utility Can connect to apfw.apple.com and apsu.apple.com assistantd Associtated with Siri, dictation, etc. Makes calls to various Apple 17.0.0.0 IPs cloudconfigurationd Can connect to iprofiles.apple.com and suconfig.apple.com. Used for MDM and profiles Safari Can connect to extensions.apple.com and plugins.apple.com SpotlightNetHelper Can connect to cloudfront.net, init.itunes.apple.com, api-glb-chi.smoot.apple.com and api.smoot.apple.com storeaccountd Can connect to phobos.apple.com, ax.init.itunes.apple.com and play.itunes.apple.com SubmitDiagInfo Can connect to radarsubmissions.apple.com
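
For the "When was an account created" entry in the User section, the two steps (dump creationTime, then date -r) can be scripted, which helps when auditing a machine for local accounts that appeared at an unexpected time. This is an added example, not part of the original cheatsheet; it assumes creationTime is stored in the user record's accountPolicyData attribute, and the function names and the sample plist are constructed here.

```shell
# Added example. Assumption (not from the cheatsheet): creationTime is read
# from the accountPolicyData attribute of the local user record.

# Extract creationTime (epoch seconds) from the plist text printed by
#   dscl . -read /Users/NAME accountPolicyData
creation_epoch() {
    awk '
        /<key>creationTime<\/key>/ { want = 1; next }
        /<key>/ { want = 0 }      # a different key: stop looking
        want && match($0, /<real>[0-9.]+<\/real>/) {
            v = substr($0, RSTART + 6, RLENGTH - 13)
            sub(/\..*/, "", v)    # drop fractional seconds
            print v
            exit
        }
    '
}

# Convert epoch seconds to a UTC timestamp.
# BSD/macOS date takes -r SECONDS; GNU date takes -d @SECONDS.
epoch_to_date() {
    date -u -r "$1" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null ||
        date -u -d "@$1" '+%Y-%m-%d %H:%M:%S UTC'
}

# Full lookup for one local user (calls dscl, so macOS only).
account_created() {
    secs=$(dscl . -read "/Users/$1" accountPolicyData 2>/dev/null | creation_epoch)
    [ -n "$secs" ] || { echo "no creationTime recorded for $1" >&2; return 1; }
    epoch_to_date "$secs"
}

# Constructed sample of the dscl output, so the parser can be tried offline.
sample_policy_data() {
    cat <<'EOF'
accountPolicyData:
<plist version="1.0">
<dict>
    <key>creationTime</key>
    <real>1500000000.25</real>
    <key>failedLoginCount</key>
    <integer>0</integer>
</dict>
</plist>
EOF
}

epoch_to_date "$(sample_policy_data | creation_epoch)"
```

On a Mac, `account_created [user]` runs the real lookup; the last line only exercises the parser on the constructed sample.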