Nearly all hard drives contain a built-in sleep timer which is designed to power down the spindle motor, saving energy when the drive has not been in use for some specified time. macOS supports a simple yes/no setting to manage this sleep feature of hard drives. It can be controlled by the option Energy Saver > Put hard disks to sleep when possible in the System Preferences application. Enabling this option corresponds to setting the sleep timer of disk drives to a value of 10 minutes of inactivity.
With TinkerTool System, you can control the sleep timers of hard disks more precisely, by specifying the exact value for the timer. Time intervals between 1 minute and 2 hours 59 minutes can be selected. To change the sleep timer of all disk drives, perform the following steps:
The kernel of the operating system uses priorities to organize its Input/Output Jobs, mainly disk and network operations that must be executed as a service for the applications currently running. Work carried out for invisible background applications (like Time Machine, for example) has lower priority than operations performed for interactive applications (like a text-processing program). Operations with low priority are throttled, which means they are artificially slowed down by letting them pause for certain small time intervals.
In some situations, this performance penalty can become tedious, e.g. when you are waiting for an extensive Time Machine backup run to complete. Time Machine jobs are mainly made up of input/output operations on disks or network, so they are significantly affected by this slow-down.
You can temporarily disable throttling of input/output operations for background applications, giving them the same priority as other tasks. The change becomes effective immediately, but is not permanently stored as a preference. The setting will only be retained until you either shut down the operating system or change the setting again.
To disable low-priority throttling for I/O operations in the kernel, perform the following steps:
Under very rare circumstances, running jobs could block each other while throttling is disabled, causing the system to freeze. Because all I/O operations run with the same priority in this case, the system can no longer reschedule important jobs to run before low-priority ones. High-priority operations may need to wait for a large number of low-priority ones, increasing the likelihood that jobs that depend on each other start waiting in circular fashion, causing a mutual blockage.
macOS automatically detects all disk drives and all their partitions currently connected to the computer, making them active and visible in the user interface. This might not be useful in certain situations, for example when you have a Windows partition on your computer which you don’t need when working with macOS, or when you keep a backup copy of your system partition in reserve on a secondary disk drive. With the help of TinkerTool System, you can tell macOS not to activate specific partitions automatically. A second, independent option allows you to choose whether the system should allow the execution of programs which are stored on specific partitions. This feature can be useful if you connect “foreign” drives to your system that contain applications written for other operating systems, incompatible with macOS. You can then no longer mistakenly try to open programs on such drives.
In both cases, macOS must have a way of reliably referring to each drive and partition. This is done by so-called Universally Unique Identifiers (UUIDs), a sequence of characters like 7F176A72-72B2-3D69-19FC-27ABBEFA662D which is guaranteed to be unique for every partition of every disk drive in the world. You don’t need to enter these UUIDs by hand. TinkerTool System automatically finds out the UUIDs and helps you to identify the drives by specifying their current volume names and file systems.
Perform the following steps when you want to exclude certain disk volumes from automatic mounting or execution of programs:
It is also possible to drag volumes from the Desktop or the Finder’s computer folder directly into the tables. You can remove one or more volumes by clicking the [—] button below the respective table, and saving your modifications. To discard your changes and return the tables to the state currently established in macOS, click the Revert button.
After adding new volumes to the Exclude volumes from automatic mounting table, TinkerTool System will ask you whether you would like to eject the affected volumes immediately when applying the changes.
Spotlight is the built-in search technology of macOS which is designed to find files very rapidly after the user has specified key words or other search criteria. The technical implementation is based on several system services which operate silently in the background. However, Spotlight can sometimes be affected by technical problems, so administrators may need to fine-tune Spotlight operations in certain situations.
Spotlight is designed to operate as one of the basic core components of macOS. For this reason, other system services and many applications developed for macOS depend on the correct operation of Spotlight and will fail when Spotlight has been shut down. This includes the Time Machine backup service and the App Store application. For this reason, TinkerTool System does not support any operation to disable Spotlight completely. However, you can shut down Spotlight indexing on selected disk volumes.
When Spotlight is active, it automatically creates a hidden index database and some preference files on each volume currently connected with your computer. The database and the preference settings are needed to quickly find the contents you are searching for. These hidden components are called Metadata Stores.
For each of the volumes, TinkerTool System allows you to display whether Spotlight is activated on that volume, and how much storage space is currently needed by the Metadata Stores. This information is displayed in the table Spotlight Metadata Storage. Only volumes which are technically capable of supporting Spotlight are listed in the table. A refresh button right below the table will update the contents of the table. This step is necessary to let macOS allow TinkerTool System (after authentication) to compute the size of the index databases. Access to the databases is protected because they contain potentially confidential information, namely all words of all documents all users have stored on the current computer.
After selecting one or multiple lines in the table, you can activate several operations that should be performed:
To activate one of these functions, click the button Perform selected operation.
Note that the deactivation of index operations is only in effect until you restart macOS. Unless Spotlight is blocked on the affected volumes by the setting Spotlight > Privacy in System Preferences, macOS will resume its indexing services upon next startup.
Under specific circumstances, it might be helpful to disable Spotlight operations on a disk volume “forever,” e.g. on a slow memory stick which you only use to transport data to other computers. This can be done by a special marker which works independently of the Spotlight privacy settings. Setting such a marker is particularly helpful on external drives which are used with different macOS computers, because all systems will automatically respect this setting after it has been established. To set or remove this marker, perform the following steps:
When you attempt to connect to a file server manually, a password entry panel will appear. TinkerTool System can modify the system setting that controls which name macOS should suggest in this panel. You can select between the short name of the current user, another preconfigured name, or the option not to suggest any name (No name). Perform the following steps:
Apple has deprecated the use of certain outdated authentication methods, which are considered unsafe according to today’s standards when connecting to AFP servers. The operating system won’t offer the affected authentication methods when contacting a server. This can however mean that you can no longer connect to old servers successfully. TinkerTool System allows you to unlock certain methods so that they can be used again. Perform the following steps:
The following methods can be reactivated:
Because all these methods are insecure and outdated, and use of AFP technology is deprecated, you should enable as few options as possible in order not to compromise the security of your network.
By default, the pane Network of the application System Preferences does not show a menu item to disable the support of IPv6 on specific network interfaces. The feature to switch IPv6 to Off is present in the operating system, however. You can use TinkerTool System to control this option.
When you have disabled IPv6 support for an active network service, System Preferences will correctly reflect this, adding an Off menu item to the Configure IPv6 option. You can either use System Preferences or TinkerTool System to re-enable this feature later. If you use TinkerTool System to do this, your configuration setting automatically switches back to the mode previously defined in System Preferences.
If you change your network location or the IPv6 mode in System Preferences while TinkerTool System is running, it is recommended to restart TinkerTool System to ensure that the application shows the updated status.
The application System Preferences is designed to support a plug-in architecture: The different control areas, called Preference Panes, are automatically activated and deactivated depending on what type of computer you are using. For example, the pane Trackpad will only appear on computers having a trackpad, and the item Ink will only be displayed if a graphics tablet or a similar device with pen support is attached to the computer.
System Preferences also supports an additional section that contains optional panes installed by the user. It will be displayed as a fifth category, at the bottom of the window. TinkerTool System can help you to manage this section: It can activate additional preference panes which are part of macOS, but are reserved for advanced users and are normally hidden. It can also assist you in removing optional preference panes you no longer need.
The following additional pane can be activated:
Apple provides these additional panes as part of macOS. Their features may vary depending on OS version, and they may be changed without notice. The visual quality of the panes may not comply with the usual design standards.
To activate one of the hidden panes, perform the following steps:
You can start System Preferences directly from here to use the new panes immediately. Click the button Launch System Preferences.
The panes listed in the previous section and panes of other vendors which appear in the bottom line of System Preferences can be removed when you no longer need them. It is not necessary to know where the different vendors have installed the modules. Perform the following steps:
In the permission system of macOS, which is explained in detail in the chapter The Pane ACL Permissions, each application decides for itself what rights it will grant for a new file or folder when that file system object is being created. This also includes the Finder, which is the typical application to create new folders.
Security problems could arise if you are using badly written or very old applications which don’t care about permission settings. Such applications could grant write permission to the category “other users”, which means that nearly everyone (no matter if the user is even “known” by the current computer) could access, overwrite, and delete each and every document created by that program. In environments where users cannot be considered to behave cooperatively, like schools or large companies, such a lax policy of granting permissions can make a system unusable. For this reason, macOS and every other UNIX system use a permission filter: Whenever an application creates a new file or folder and has to set the initial permission settings, the permissions will be sent through a filter first, which decides if applications are allowed to grant a specific right or not. The filter corresponds directly with the three POSIX rights read, write, execute, and the access parties owner, group owner, and others. See the chapter The Pane ACL Permissions for details.
By default, macOS uses a permission filter which is preconfigured with the following policy:
Administrators can change this policy, modifying the permission filter so that the initial permissions are either relaxed or become even stricter. To modify the permission filter of macOS, perform the following steps:
The change will take effect the next time you start the computer. The button Set Default can be clicked to return to the recommended standard filter. Clicking the button Revert will cause TinkerTool System to discard your changes and to display the settings currently established in the system.
Warning: It is very dangerous to set check marks in the line Owner. Enabling a filter option in this section means that applications will no longer have the right to access the files they have just created.
The setting only affects programs started in user sessions. Background programs of the operating system won’t be affected (unless they are started as part of a user session).
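The permission filter described in this section is the POSIX file creation mask (umask). As an added example (not part of the original manual and not TinkerTool System's own code), the following Python script turns check marks for the three access parties and three rights into a mask, creates a file the way a careless application would, and reports the permissions the system actually stored, including the Owner case from the warning above. The function names and the sample policies are assumptions made for this illustration.

```python
import os
import stat
import tempfile

PARTIES = ("owner", "group", "others")          # rows of the filter table
RIGHTS = {"read": 4, "write": 2, "execute": 1}  # columns of the filter table


def filter_to_umask(checked):
    """Map check marks, given as (party, right) pairs, to a umask value."""
    mask = 0
    for party, right in checked:
        mask |= RIGHTS[right] << (6 - 3 * PARTIES.index(party))
    return mask


def create_with_filter(requested_mode, mask):
    """Create a file asking for requested_mode while mask is active and
    return the permission bits the system actually stored."""
    with tempfile.TemporaryDirectory() as workdir:  # made before the mask changes
        previous = os.umask(mask)
        try:
            path = os.path.join(workdir, "sample.txt")
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested_mode)
            os.close(fd)
        finally:
            os.umask(previous)  # never leave the process with the test mask
        return stat.S_IMODE(os.stat(path).st_mode)


def owner_locked_out(mode):
    """True if the creating user cannot read or write the new file."""
    return not (mode & stat.S_IRUSR and mode & stat.S_IWUSR)


if __name__ == "__main__":
    careless = 0o666  # constructed case: an application that grants rw to everyone
    policies = {
        "no filter": set(),
        "deny write to group and others": {("group", "write"), ("others", "write")},
        "deny everything to group and others": {(p, r) for p in PARTIES[1:] for r in RIGHTS},
        "check marks in the Owner line": {("owner", "read"), ("owner", "write")},
    }
    for name, checked in policies.items():
        mask = filter_to_umask(checked)
        mode = create_with_filter(careless, mask)
        flag = "  <- owner locked out" if owner_locked_out(mode) else ""
        print(f"{name:38} umask {mask:03o} -> file mode {mode:03o}{flag}")
```

The mask only removes rights from what an application requests; it never adds rights the application did not ask for.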
There are specific circumstances where TinkerTool System detects that it won’t be possible to modify the permission filter. In this case, the table is disabled and an error message appears at its left side. The following situations can cause such a problem:
As of version 10.15, macOS follows stricter security guidelines than earlier operating system versions regarding the use of AppleScript and the associated Apple Events over a remote network connection. An Apple Event that targets an application on a remote system must authenticate as the same user on the remote system. If it doesn’t do so, the sending application will receive a procNotFound error. If you want to relax this rule, using the less secure policy of older operating systems, perform the following steps on the computer that receives remote Apple Events:
The new setting does not take effect immediately. To enforce an update, either restart the computer, or toggle the Remote Apple Events setting in the Sharing pane of System Preferences twice.
If a remote administrator uses the screen sharing feature of macOS to receive the current contents of the computer screen on her own computer across a network connection, macOS automatically tries to protect the privacy of the user currently working on the local screen: If the remote administrator connects with a user account which is different from the one of the local user, the screen session won’t begin immediately. Instead, the accessing user is asked whether he would like to work on his own, separate screen, or whether the local user should be asked to grant permission for the remote user to see and take over the current screen. The local user could have private or confidential information on screen, so this behavior will protect the displayed data.
In some cases, this policy may not be useful. You can disable this privacy feature as follows:
You should check if this policy is compliant with local laws and the guidelines of your organization, if applicable.
If you enabled the modern version of FileVault (officially called FileVault 2) on your computer, the entire system volume will be encrypted by a secure key and a password will be necessary to unlock and decrypt the disk. When the computer is switched on, the operating system cannot start immediately, because the Mac cannot read the encrypted disk. Instead, the computer’s firmware and some parts of the unencrypted recovery partition present a special login screen (which resembles the login screen of macOS). Users have to log in here first, and for entitled users, the secret decryption key will be unlocked, which is then used to decrypt the operating system partition and to launch macOS.
At this stage, it is known that the user who unlocked the disk must also be a valid user of macOS, so the firmware passes the name and password of this user to the operating system, performing an automatic login and thereby avoiding asking for credentials a second time. For this reason, the activation of FileVault automatically enables the automatic login feature of macOS, too.
In some cases, this behavior might not be intended. macOS supports a special feature to uncouple the decryption of the FileVault disk from the initial login upon start of the operating system:
You can also enable an advanced security feature of FileVault for cases where this is needed. To guarantee continued access to storage media, your Mac must always keep the key for disk encryption in memory in order to successfully process any block on the disk the operating system needs to read or write. That includes time periods where your Mac enters sleep and standby modes. This is necessary to ensure that the Mac can still perform regular maintenance tasks when not being fully switched on and to execute Power Nap functions.
This policy maintains a certain comfort level, but can become an issue should your Mac be stolen, when an attacker tries to get direct memory access by connecting special hardware devices to the sleeping Mac. In theory, the disk encryption key could be disclosed this way.
By removing the check mark Keep encryption key in memory during standby you can avoid this possible method of attack. If this option is not checked, macOS will destroy the FileVault key in RAM when the system enters standby mode. In this configuration, your Mac will no longer have disk access during standby, so Power Nap and similar maintenance features will no longer be active regardless of how you have configured them.
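A check an administrator could run to see which state this option is in, assuming the check mark corresponds to the power management setting destroyfvkeyonstandby documented in pmset(1). This is an added example, not from the manual or from TinkerTool System; the sample output is constructed and the function names are hypothetical.

```python
import re
import subprocess

SETTING = re.compile(r"^\s+(\w+)\s+(-?\d+)\b")  # e.g. " powernap   1"


def parse_pmset(text):
    """Collect the numeric settings from `pmset -g` style output."""
    settings = {}
    for line in text.splitlines():
        match = SETTING.match(line)
        if match:  # headers and non-numeric values (file paths) are skipped
            settings[match.group(1)] = int(match.group(2))
    return settings


def audit_standby_key(text):
    """Return findings about FileVault key handling during standby."""
    settings = parse_pmset(text)
    findings = []
    # pmset(1): keys are retained by default, so a missing entry counts as 0.
    if settings.get("destroyfvkeyonstandby", 0) != 1:
        findings.append("FileVault key is kept in memory during standby")
    elif settings.get("powernap", 0) == 1:
        findings.append("Power Nap is configured but has no disk access in standby")
    return findings


def read_live_settings():
    """Read the settings of this Mac (macOS only)."""
    return subprocess.run(["pmset", "-g"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output, not captured from a real machine.
SAMPLE_DEFAULT = """\
System-wide power settings:
Currently in use:
 standby              1
 powernap             1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 sleep                1 (sleep prevented by coreaudiod)
"""
SAMPLE_KEY_DESTROYED = """\
Currently in use:
 standby              1
 powernap             0
 destroyfvkeyonstandby 1
"""

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("key destroyed", SAMPLE_KEY_DESTROYED)):
        print(label, "->", audit_standby_key(text) or "no findings")
```

On a Mac, pass `read_live_settings()` to `audit_standby_key` instead of the constructed samples.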
The printing features of macOS are implemented by CUPS, the Common Unix Printing System. By default, macOS keeps a log of all print jobs ever processed by the local computer, the print job history. TinkerTool System can disable the log if desired, and it can show you the records currently in the log. To change the system setting for keeping print job records, perform the following steps:
The log can be reviewed by clicking the button Open print job history in web browser. TinkerTool System will delegate this task to your preferred web browser. Web access to the printing subsystem is inactive by default in several versions of macOS. By using the option Enable web interface of printing system you can control whether web access should be possible or not.