Nearly all hard drives contain a built-in sleep timer which is designed to power down the spindle motor, saving energy when the drive has not been in use for some specified time. macOS supports a simple yes/no setting to manage this sleep feature of hard drives. It can be controlled by the option Energy Saver > Put hard disks to sleep when possible in the System Preferences application. Enabling this option corresponds to setting the sleep timer of disk drives to a value of 10 minutes of inactivity.
With TinkerTool System, you can control the sleep timers of hard disks more precisely, by specifying the exact value for the timer. Time intervals between 1 minute and 2 hours 59 minutes can be selected. To change the sleep timer of all disk drives, perform the following steps:
The kernel of the operating system uses priorities to organize its Input/Output Jobs, mainly disk and network operations that must be executed as service for the applications currently running. Work carried out for invisible background applications (like Time Machine, for example) has lower priority than operations performed for interactive applications (like a text-processing program). Operations with low priority are throttled which means they are artificially slowed down, by letting them pause for certain small time intervals.
In some situations, this performance penalty can become tedious, e.g. when you are waiting for an extensive Time Machine backup run to complete. Time Machine jobs are mainly made up of input/output operations on disks or network, so they are significantly affected by this slow-down.
You can temporarily disable throttling of input/output operations for background applications, giving them the same priority as other tasks. The change becomes effective immediately, but is not permanently stored as a preference. The setting will only be retained until you either shut down the operating system or change the setting again.
To disable low-priority throttling for I/O operations in the kernel perform the following steps:
Under very rare circumstances, running jobs could block each other while throttling is disabled, causing the system to freeze. Because all I/O operations run with the same priority in this case, the system can no longer reschedule important jobs to run before low-priority ones. High-priority operations may need to wait for a large number of low-priority ones, increasing the likelihood that jobs that depend on each other start waiting in circular fashion, causing a mutual blockage.
macOS uses the policy to handle external hard drives like removable disk media. Similar to the management of a CD, which is inserted into a drive by the current interactive user, the user logged in at the front graphical user session is also considered the “owner” of all external disk drives. This has the consequence that the external drives will be ejected and become inaccessible after the user has logged out. Moreover, most drives will automatically power down in this situation.
This policy might not be useful in certain cases, for example when you operate the computer as a file server, and you are sharing files on external disks which should remain accessible, no matter if a user is logged in at the graphical console or not. To change this policy, perform the following steps:
This option affects all partitions on all hard drives which macOS considers to be “external” and owned by a user.
macOS follows the strategy to automatically detect all disk drives and all their partitions currently connected to the computer, making them active and visible on the user interface. This might not be useful in certain situations, for example when you have a Windows partition on your computer which you don’t need when working with macOS, or when you keep a backup copy of your system partition in reserve on a secondary disk drive. With the help of TinkerTool System, you can tell macOS not to activate specific partitions automatically. A second, independent option allows you to choose whether the system should allow the execution of programs which are stored on specific partitions. This feature can be useful if you connect “foreign” drives to your system that contain applications written for other operating systems, incompatible with macOS. You can no longer mistakenly try to open programs on such drives.
In both cases, macOS must have a way of reliably referring to each drive and partition. This is done by so-called Universal Unique Identifiers (UUIDs), a sequence of characters like 7F176A72–72B2–3D69–19FC–27ABBEFA662D which are guaranteed to be unique for every partition of every disk drive in the world. You don’t need to enter these UUIDs by hand. TinkerTool System automatically finds out the UUIDs and helps you to identify the drives by specifying their current volume names and file systems.
Perform the following steps when you like to exclude certain disk volumes from automatic mounting or execution of programs:
It is also possible to drag volumes from the Desktop or the Finder’s computer folder directly into the tables. You can remove one or more volumes by pressing the [—] button below the respective table, and saving your modifications. To discard your changes and return the tables to the state currently established in macOS, press the Revert button.
Spotlight is the built-in search technology of macOS which is designed to find files very rapidly after the user has specified key words or other search criteria. The technical implementation is based on several system services which operate silently in the background. However, Spotlight can sometimes be affected by technical problems, so administrators may need to fine-tune Spotlight operations in certain situations.
Spotlight is designed to operate as one of the basic core components of macOS. For this reason, other system services and many applications developed for macOS depend on the correct operation of Spotlight and will fail when Spotlight has been shut down. This includes the Time Machine backup service and the App Store application. For this reason, TinkerTool System does not support any operation to disable Spotlight completely. However, you can shut down Spotlight indexing on selected disk volumes.
When Spotlight is active, it automatically creates a hidden index database and some preference files on each volume currently connected with your computer. The database and the preference settings are needed to quickly find the contents you are searching for. These hidden components are called Metadata Stores.
For each of the volumes, TinkerTool System allows you to display whether Spotlight is activated on that volume, and how much storage space is currently needed by the Metadata Stores. This information is displayed in the table Spotlight Metadata Storage. Only volumes which are technically capable of supporting Spotlight are listed in the table. A refresh button right below the table will update the contents of the table. This step is necessary to let macOS allow TinkerTool System (after authentication) to compute the size of the index databases. Access to the databases is protected because they contain potentially confidential information, namely all words of all documents all users have stored on the current computer.
After selecting one or multiple lines in the table, you can activate several operations that should be performed:
To activate one of these functions, press the button Perform selected operation.
Note that the deactivation of index operations is only in effect until you restart macOS. Unless Spotlight isn’t blocked on affected volumes by using the setting Spotlight > Privacy in System Preferences, macOS will recommence its indexing services upon next startup.
Under specific circumstances, it might be helpful to disable Spotlight operations on a disk volume “forever”, e.g. on a slow memory stick which you only use to transport data to other computers. This can be done by a special marker which works independently of the Spotlight privacy settings. Setting such a marker is particularly helpful on external drives which are used with different macOS computers, because all systems will automatically respect this setting after it has been established. To set or remove this marker, perform the following steps:
When you attempt to connect to an AFP server (AppleShare file server) manually, a password entry panel will appear. TinkerTool System can modify the system setting that controls which name macOS should suggest in this panel. You can select between the short name of the current user, another preconfigured name, or the option not to suggest any name (No name). Perform the following steps:
Apple has deprecated the use of certain outdated authentication methods, which are considered unsafe according to today’s standards when connecting to AFP servers. The operating system won’t offer the affected authentication methods when contacting a server. This can however mean that you can no longer connect to old servers successfully. TinkerTool System allows you to unlock certain methods so that they can be used again. Perform the following steps:
The following methods can be reactivated:
Because all these methods are insecure and outdated, you should only enable as few as possible in order not to compromise the security of your network.
The use of the keychain technology, which has always been part of macOS, involves an inherent security problem: When you used the keychain to store a password for an authorized connection to a network server, can you be absolutely sure that this will be the same server the next time you connect to it? In the worst case, your network could have been manipulated in such a way that you now connect to a rogue server, setup by an attacker, which mimics the behavior of the original server. So when the replaced server asks for authentication, macOS will automatically send user name and password found in the keychain. Confidential data lands in the wrong hands.
To make you aware of this general security problem, macOS Sierra introduced a new feature to always ask for confirmation when connecting to a server, even when the credentials for this server are known in your keychain. This will reduce comfort however, especially if the server link is part of an automatic workflow. Apple provides a system setting that allows you to outweigh between security and comfort when reconnecting to known servers. To change the setting, perform the following steps:
By default, the pane Network of the application System Preferences does not show a menu item to disable the support of IPv6 on specific network interfaces. The feature to switch IPv6 to Off is present in the operating system, however. You can use TinkerTool System to control this option.
When you have disabled IPv6 support for an active network service, System Preferences will correctly reflect this, adding an Off menu item to the Configure IPv6 option. You can either use System Preferences or TinkerTool System to re-enable this feature later. If you use TinkerTool System to do this, your configuration setting automatically switches back to the mode previously defined in System Preferences.
If you change your network location or the IPv6 mode in System Preferences while TinkerTool System is running, it is recommended to restart TinkerTool System to ensure that the application shows the updated status.
By default, macOS assumes that the display screen is rendering graphics with a physical resolution of 72 pixels per inch. This policy was taken over from the classic Mac OS. While this basic assumption was true when the Macintosh was introduced 30 years ago, today’s display devices often have a much higher resolution. The pixels have become smaller, so your screen may actually use more than 140 pixels per inch. This is particularly the case when you are using a MacBook with a Retina display or an iMac with a 5k screen. The operating system offers a feature named HiDPI (High Number of Dots per Inch) which allows it to double the physical resolution on demand. This means the components creating the graphical output can select between the two resolutions 72 ppi (“low”) and 144 ppi (“high”). When your computer is connected to a Retina screen, HiDPI mode will be enabled automatically.
You can unlock HiDPI for your operating system independent of the monitor currently connected. For example, as a software developer you can use this feature to test applications in Retina mode although you don’t own a Retina screen.
Enabling the HiDPI feature requires two steps: The first step is to unlock HiDPI mode via TinkerTool System. The second step is to select one of the HiDPI display resolutions on the pane Displays of System Preferences. Perform the following steps to work with HiDPI display modes:
When you log in again, you can launch System Preferences, go to Displays, set the Resolution to Scaled and choose one of the HiDPI settings shown in the table. Note that the table lists the effective pixels, not the physical pixels. Because Retina mode combines 4 physical pixels to one virtual pixel, the values are halved in each dimension. A display screen with 2400 x 1600 pixels would be shown as HiDPI resolution with 1200 x 800 pixels, for example.
macOS will switch to the new setting, enabling the actual HiDPI mode. The whole screen contents will immediately be magnified. However, currently running applications might not switch to the new resolution with full output quality at the same time. You must log out and log in once again to ensure that you are actually getting the correct resolution and full picture quality in all applications.
Warning: The display resolution is a very critical setting. If you set the resolution too high, the windows can become so large that they no longer fit on screen. This means you can no longer see or control all parts of some applications which can make your system unusable!
To use the system with 144 ppi, a screen with at least 2048 x 1536 pixels is strongly recommended, because macOS applications are designed by the rule that they can expect windows to have a minimum size of 1024 x 768 pixels at 72 ppi.
The application System Preferences is designed to support a plug-in architecture: The different control areas, called Preference Panes, are automatically activated and deactivated depending on what type of computer you are using. For example, the pane Trackpad will only appear on computers having a trackpad, the item Ink will only be displayed if a graphic tablet or a similar device with pen support is attached to the computer.
System Preferences also supports an additional section that contains optional panes installed by the user. It will be displayed as fifth category, at the bottom of the window. TinkerTool System can help you to manage this section: It can activate additional preference panes which are part of macOS, but are reserved for advanced users and are normally hidden. It can also assist you in removing optional preferences panes you no longer need.
The following additional pane can be activated:
Apple is providing additional panes as part of macOS. Their features may vary depending on OS version, and they may be changed without notice. The optical quality of the panes may not comply with the usual design standards.
To activate one of the hidden panes, perform the following steps:
You can start System Preferences directly from here to use the new panes immediately. Press the button Launch System Preferences.
The panes listed in the previous section and panes of other vendors which appear in the bottom line of System Preferences can be removed when you no longer need them. It is not necessary to know where the different vendors have installed the modules. Perform the following steps:
In the permission system of macOS, which is explained in detail in the chapter The Pane ACL Permissions, each application decides for itself what rights it will grant for a new a file or folder when that file system object is being created. This also includes the Finder which is the typical application to create new folders.
Security problems could arise if you are using badly written or very old applications which don’t care about permission settings. Such applications could grant write permission to the category “other users” which means that nearly everyone — no matter if the user is even “known” by the current computer — could access, overwrite, and delete each and every document created by that program. In environments where users cannot be considered to behave cooperatively, like schools or large companies, such a lax policy of granting permissions can make a system unusable. For this reason, macOS and every other UNIX system is using a permission filter: Whenever an application creates a new file or folder and has to set the initial permission settings, the permissions will be sent through a filter first which decides if applications are allowed to grant a specific right or not. The filter corresponds directly with the three POSIX rights read, write, execute, and the access parties owner, group owner, and others. See the chapter The Pane ACL Permissions for details.
By default, macOS uses a permission filter which is preconfigured with the following policy:
Administrators can change this policy, modifying the permission filter so that the initial permissions are either relaxed or become even stricter. To modify the permission filter of macOS, perform the following steps:
The change will take effect the next time you start the computer. The button Set Default can be pressed to return to the recommended standard filter. Pressing the button Revert will cause TinkerTool System to discard your changes and to display the settings currently established in the system.
Warning: It is very dangerous to set check marks in the line Owner. Enabling a filter option in this section means that applications will no longer have the right to access the files they just have created.
The setting only affects programs started in user sessions. Background programs of the operating system won’t be affected (unless they are started as part of a user session).
There are specific circumstances where TinkerTool System detects that it won’t be possible to modify the permission filter. In this case, the table is disabled and an error message appears at its left side. The following situations can cause such a problem:
macOS contains an automatic software update service which is designed to contact Apple in regular time intervals, checking whether updates for the operating system are available. This service is configured with the pane App Store of System Preferences. The updates will later be loaded via the App Store application.
It is possible to setup your own software distribution server which mirrors the software distributions and update information from Apple. This can be done by a feature available in the App macOS Server, or by using other third-party utilities which mimic the behavior of Apple’s update servers. To redirect computers in your own network to contact your own update server instead of Apple’s, a special system setting must be modified on each affected computer. This can be done automatically when you are using the Profile Manager of macOS Server but you can also configure this manually on each client. To change the setting via TinkerTool System, perform the following steps:
The change will take effect immediately, and the next time an automatic software update is started, the new server will be contacted. You can remove the customized setting by pressing the button Remove Customization.
If you have a mobile computer with a display lid, you can put your computer to sleep mode by closing the lid. macOS will automatically wake up the system when the lid is reopened later. Under some circumstances, this automatic wake-up may not be desired. You can prevent macOS from doing so by changing a system setting. Perform the following steps:
You can return to the normal setting any time.
This setting is only available on portable Macintosh computers.
If a remote administrator uses the screen sharing feature of macOS to receive the current contents of the computer screen on her own computer across a network connection, macOS automatically tries to protect the privacy of the user currently working on the local screen: If the remote administrator connects with a user account which is different from the one of the local user, the screen session won’t begin immediately. Instead, the accessing user is asked whether he likes to work on his own, separate screen, or if the local user should be asked to grant permission that the remote user can see and take over the current screen. The local user could have private or confidential information on screen, so this behavior will protect the displayed data.
In some cases, this policy may not be useful. You can disable this privacy feature as follows:
You should check if this policy is compliant with local laws and the guidelines of your company, if applicable.
If you enabled the modern version of FileVault (officially called FileVault 2) on your computer, the entire system volume will be encrypted by a secure key and a password will be necessary to unlock and decrypt the disk. When the computer is switched on, the operating system cannot start immediately, because the Mac cannot read the encrypted disk. Instead, the computer’s firmware and some parts of the unencrypted recovery partition present a special login screen (which resembles the login screen of macOS). Users have to log in here first, and for entitled users, the secret decryption key will be unlocked, which is then used to decrypt the operating system partition and to launch macOS.
At this stage, it is known that the user who unlocked the disk must also be a valid user of macOS, so the firmware passes the name and password of this user to the operating system, performing an automatic login, hereby avoiding to ask for credentials a second time. For this reason, the activation of FileVault automatically enables the automatic login feature of macOS, too.
In some cases, this behavior might not be intended. macOS supports a special feature to uncouple the decryption of the FileVault disk from the initial login upon start of the operating system:
Up-to-date versions of Time Machine support a feature which is mainly designed for mobile computers: In addition to the main backup, stored on the disks you have selected for use by Time Machine, Time Machine is capable of creating a second, completely independent backup set on the operating system volume. This second backup can be used to restore data while the mobile computer “is traveling”, not having access to the main backup copy. The data sets within this continuously available secondary backup are called local snapshots. macOS stores the snapshots in an invisible area of the system volume. The storage space needed for this will be considered to be “always automatically releasable”, i.e. the system may remove some or all snapshots at its discretion when the storage space will be needed for “real” data. The “normal” Time Machine backup has no influence on the backup done with local snapshots.
By default, local snapshots are active on mobile computers, and inactive on desktop computers. By using TinkerTool System, you can choose manually whether local snapshots should be created or not. Perform the following steps:
After disabling local snapshots, macOS will begin to automatically release the affected storage space a short time later.
macOS 10.13 High Sierra is capable of supporting the new APFS (Apple File System) on the system volume. APFS provides new features to create snapshots of a volume which can directly be used by Time Machine, and it stores them very efficiently. For this reason, Apple removed the feature to disable local Time Machine snapshots as of version 10.13 of the operating system.
The printing features of macOS are implemented by CUPS, the Common Unix Printing System. By default, macOS keeps a log of all print jobs ever processed by the local computer, the print job history. TinkerTool System can disable the log if desired, and it can show you the records currently in the log. To change the system setting for keeping print job records, perform the following steps:
The log can be reviewed by pressing the button Open print job history in web browser. TinkerTool System will delegate this task to your preferred web browser. Web access to the printing subsystem is inactive by default in several versions of macOS. By using the option Enable web interface of printing system you can control whether web access should be possible or not.