The Pane System

Drives

Hard Disk Sleep Timer

Nearly all hard drives contain a built-in sleep timer which is designed to power down the spindle motor, saving energy when the drive has not been in use for some specified time. macOS supports a simple yes/no setting to manage this sleep feature of hard drives. It can be controlled by the option Energy Saver > Put hard disks to sleep when possible in the System Preferences application. Enabling this option corresponds to setting the sleep timer of disk drives to a value of 10 minutes of inactivity.


With TinkerTool System, you can control the sleep timers of hard disks more precisely, by specifying the exact value for the timer. Time intervals between 1 minute and 2 hours 59 minutes can be selected. To change the sleep timer of all disk drives, perform the following steps:

  1. Open the tab item Drives on the pane System.
  2. Drag the slider Put hard disks to sleep when not in use after… to the desired value.

Throttling of Low-Priority Operations

The kernel of the operating system uses priorities to organize its input/output jobs, mainly disk and network operations that must be executed as a service for the applications currently running. Work carried out for invisible background applications (like Time Machine, for example) has lower priority than operations performed for interactive applications (like a text-processing program). Operations with low priority are throttled, which means they are artificially slowed down by letting them pause for certain small time intervals.

In some situations, this performance penalty can become tedious, e.g. when you are waiting for an extensive Time Machine backup run to complete. Time Machine jobs are mainly made up of input/output operations on disks or network, so they are significantly affected by this slow-down.

You can temporarily disable throttling of input/output operations for background applications, giving them the same priority as other tasks. The change becomes effective immediately, but is not permanently stored as a preference. The setting will only be retained until you either shut down the operating system or change the setting again.

To disable low-priority throttling for I/O operations in the kernel perform the following steps:

  1. Open the tab item Drives on the pane System.
  2. Set a check mark at Disable artificial slowdown of disk and network operations for background jobs.

Under very rare circumstances, running jobs could block each other while throttling is disabled, causing the system to freeze. Because all I/O operations run with the same priority in this case, the system can no longer reschedule important jobs to run before low-priority ones. High-priority operations may need to wait for a large number of low-priority ones, increasing the likelihood that jobs that depend on each other start waiting in circular fashion, causing a mutual blockage.

Volumes

macOS follows the strategy to automatically detect all disk drives and all their partitions currently connected to the computer, making them active and visible on the user interface. This might not be useful in certain situations, for example when you have a Windows partition on your computer which you don’t need when working with macOS, or when you keep a backup copy of your system partition in reserve on a secondary disk drive. With the help of TinkerTool System, you can tell macOS not to activate specific partitions automatically. A second, independent option allows you to choose whether the system should allow the execution of programs which are stored on specific partitions. This feature can be useful if you connect “foreign” drives to your system that contain applications written for other operating systems, incompatible with macOS. You can no longer mistakenly try to open programs on such drives.

In both cases, macOS must have a way of reliably referring to each drive and partition. This is done by so-called Universal Unique Identifiers (UUIDs), a sequence of characters like 7F176A72-72B2-3D69-19FC-27ABBEFA662D which are guaranteed to be unique for every partition of every disk drive in the world. You don’t need to enter these UUIDs by hand. TinkerTool System automatically finds out the UUIDs and helps you to identify the drives by specifying their current volume names and file systems.


Perform the following steps if you would like to exclude certain disk volumes from automatic mounting or from the execution of programs:

  1. Open the tab item Volumes on the pane System.
  2. Click the [+] button below the table which refers to the option you would like to activate.
  3. In the dialog sheet, select one or more disk volumes and click OK.
  4. After all volumes have been set as intended, click the button Apply in the lower right corner of the window.

It is also possible to drag volumes from the Desktop or the Finder’s computer folder directly into the tables. You can remove one or more volumes by clicking the [−] button below the respective table, and saving your modifications. To discard your changes and return the tables to the state currently established in macOS, click the Revert button.

After adding new volumes to the Exclude volumes from automatic mounting table, TinkerTool System will ask you whether you would like to eject the affected volumes immediately when applying the changes.

Spotlight

Spotlight Operation

Spotlight is the built-in search technology of macOS which is designed to find files very rapidly after the user has specified key words or other search criteria. The technical implementation is based on several system services which operate silently in the background. However, Spotlight can sometimes be affected by technical problems, so administrators may need to fine-tune Spotlight operations in certain situations.

Attention: Spotlight is designed to operate as one of the basic core components of macOS. For this reason, other system services and many applications developed for macOS depend on the correct operation of Spotlight and will fail when Spotlight has been shut down. This includes the Time Machine backup service and the App Store application. For this reason, TinkerTool System does not support any operation to disable Spotlight completely. However, you can shut down Spotlight indexing on selected disk volumes.

Spotlight Index Databases

When Spotlight is active, it automatically creates a hidden index database and some preference files on each volume currently connected with your computer. The database and the preference settings are needed to quickly find the contents you are searching for. These hidden components are called Metadata Stores.

For each of the volumes, TinkerTool System allows you to display whether Spotlight is activated on that volume, and how much storage space is currently needed by the Metadata Stores. This information is displayed in the table Spotlight Metadata Storage. Only volumes which are technically capable of supporting Spotlight are listed in the table. A refresh button right below the table will update the contents of the table. This step is necessary to let macOS allow TinkerTool System (after authentication) to compute the size of the index databases. Access to the databases is protected because they contain potentially confidential information, namely all words of all documents all users have stored on the current computer.

After selecting one or multiple lines in the table, you can activate several operations that should be performed:

To activate one of these functions, click the button Perform selected operation.

Note that the deactivation of index operations is only in effect until you restart macOS. Unless Spotlight is blocked on the affected volumes by using the setting Spotlight > Privacy in System Preferences, macOS will resume its indexing services upon the next startup.

Under specific circumstances, it might be helpful to disable Spotlight operations on a disk volume “forever,” e.g. on a slow memory stick which you only use to transport data to other computers. This can be done by a special marker which works independently of the Spotlight privacy settings. Setting such a marker is particularly helpful on external drives which are used with different macOS computers, because all systems will automatically respect this setting after it has been established. To set or remove this marker, perform the following steps:

  1. Open the tab item Spotlight on the pane System.
  2. Click the button Change Spotlight support marker on volume… in the lower left corner of the window.
  3. In the dialog panel, set or remove the check marks Blocked from all Spotlight operations for each of the volumes as desired.
  4. Click the button OK in the panel.

Network

Options for Connecting to File Servers

When you attempt to connect to a file server manually, a password entry panel will appear. TinkerTool System can modify the system setting that controls which name macOS should suggest in this panel. You can select between the short name of the current user, another preconfigured name, or the option not to suggest any name (No name). Perform the following steps:

  1. Open the tab item Network on the pane System.
  2. Choose the desired option at Suggested name in panel.

Outdated authentication methods

Apple has deprecated the use of certain outdated authentication methods, which are considered unsafe according to today’s standards when connecting to AFP servers. The operating system won’t offer the affected authentication methods when contacting a server. This can however mean that you can no longer connect to old servers successfully. TinkerTool System allows you to unlock certain methods so that they can be used again. Perform the following steps:

  1. Open the tab item Network on the pane System.
  2. Set check marks for all desired options at Allow outdated authentication methods.

The following methods can be reactivated:

Because all these methods are insecure and outdated and use of AFP technology is deprecated, you should enable as few options as possible in order not to compromise the security of your network.

Internet Protocol Version 6 Support

By default, the pane Network of the application System Preferences does not show a menu item to disable the support of IPv6 on specific network interfaces. The feature to switch IPv6 to Off is present in the operating system, however. You can use TinkerTool System to control this option.

  1. In case your computer is configured to support multiple network configuration sets (called Location by macOS), ensure first that the desired location is currently active, selecting it with the pop-up button on the pane Network of System Preferences. If you never used that feature, your default location is Automatic.
  2. Open the tab item Network on the pane System of TinkerTool System.
  3. Locate the network service you would like to modify in the table Internet Protocol Version 6 Support.
  4. Remove the check mark in the column IPv6 Enabled to disable IPv6 for the network interface in that line.

When you have disabled IPv6 support for an active network service, System Preferences will correctly reflect this, adding an Off menu item to the Configure IPv6 option. You can either use System Preferences or TinkerTool System to re-enable this feature later. If you use TinkerTool System to do this, your configuration setting automatically switches back to the mode previously defined in System Preferences.

If you change your network location or the IPv6 mode in System Preferences while TinkerTool System is running, it is recommended to restart TinkerTool System to ensure that the application shows the updated status.

Preference Panes

The application System Preferences is designed to support a plug-in architecture: The different control areas, called Preference Panes, are automatically activated and deactivated depending on what type of computer you are using. For example, the pane Trackpad will only appear on computers having a trackpad, the item Ink will only be displayed if a graphic tablet or a similar device with pen support is attached to the computer.

System Preferences also supports an additional section that contains optional panes installed by the user. It will be displayed as a fifth category, at the bottom of the window. TinkerTool System can help you to manage this section: It can activate additional preference panes which are part of macOS, but are reserved for advanced users and are normally hidden. It can also assist you in removing optional preference panes you no longer need.


The following additional pane can be activated:

Apple provides additional panes as part of macOS. Their features may vary depending on OS version, and they may be changed without notice. The visual quality of the panes may not comply with the usual design standards.

To activate one of the hidden panes, perform the following steps:

  1. Open the tab item Preference Panes on the pane System.
  2. Click one of the buttons Activate… next to the listed preference panes.

You can start System Preferences directly from here to use the new panes immediately. Click the button Launch System Preferences.

Removing optional preference panes

The panes listed in the previous section and panes of other vendors which appear in the bottom line of System Preferences can be removed when you no longer need them. It is not necessary to know where the different vendors have installed the modules. Perform the following steps:

  1. Open the tab item Preference Panes on the pane System.
  2. Select one or more items in the table Remove Optional Panes from the Bottom Section.
  3. Click the button Remove selected panes.

Permission Filter for New File System Objects

In the permission system of macOS, which is explained in detail in the chapter The Pane ACL Permissions, each application decides for itself what rights it will grant for a new file or folder when that file system object is being created. This also includes the Finder, which is the typical application to create new folders.

Security problems could arise if you are using badly written or very old applications which don’t care about permission settings. Such applications could grant write permission to the category “other users”, which means that nearly everyone, whether or not the user is even “known” to the current computer, could access, overwrite, and delete each and every document created by that program. In environments where users cannot be considered to behave cooperatively, like schools or large companies, such a lax policy of granting permissions can make a system unusable. For this reason, macOS and every other UNIX system use a permission filter: Whenever an application creates a new file or folder and has to set the initial permission settings, the permissions are sent through a filter first, which decides whether the application is allowed to grant a specific right or not. The filter corresponds directly to the three POSIX rights read, write, execute, and the access parties owner, group owner, and others. See the chapter The Pane ACL Permissions for details.


By default, macOS uses a permission filter which is preconfigured with the following policy:

Administrators can change this policy, modifying the permission filter so that the initial permissions are either relaxed or become even stricter. To modify the permission filter of macOS, perform the following steps:

  1. Open the tab item Permissions on the pane System.
  2. Set or remove check marks in the table Permission Filter for New File Systems Objects. The lines of the table represent the three access parties Owner, Group, and Others, the columns represent the rights which should be blocked when creating new objects, namely read, write and execute. Remember that write permission for a folder means the right to create, rename and delete objects in the folder, and that execute permission for a folder means to browse the contents of a folder.
  3. Click the button Apply below the table.

The change will take effect the next time you start the computer. The button Set Default can be clicked to return to the recommended standard filter. Clicking the button Revert will cause TinkerTool System to discard your changes and to display the settings currently established in the system.

Warning: It is very dangerous to set check marks in the line Owner. Enabling a filter option in this section means that applications will no longer have the right to access the files they have just created.

The setting only affects programs started in user sessions. Background programs of the operating system won’t be affected (unless they are started as part of a user session).
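The permission filter described in this section is the POSIX file mode creation mask (umask). The following added example (not part of TinkerTool System or of the original manual) converts a table of blocked rights, laid out like the one in step 2, into a mask, creates files the way a careless application would (requesting read and write for everyone), and lists the files that remain writable by others. The policy names and the three sample policies are constructed for illustration.

```python
import os
import stat
import tempfile

# Rows and columns of the table described above; a listed right is "blocked".
PARTIES = ("owner", "group", "others")
RIGHTS = {"read": 4, "write": 2, "execute": 1}


def mask_from_table(blocked):
    """Turn {'group': ['write'], ...} into the numeric filter (umask) value."""
    mask = 0
    for shift, party in zip((6, 3, 0), PARTIES):
        for right in blocked.get(party, ()):
            mask |= RIGHTS[right] << shift
    return mask


def create_with_filter(path, requested, mask):
    """Create path asking for `requested` bits while `mask` is the active filter.

    Returns the permission bits the file system actually stored.
    """
    previous = os.umask(mask)          # install the filter for this process
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
        os.close(fd)
    finally:
        os.umask(previous)             # always restore the caller's filter
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable(root):
    """Audit helper: regular files under root that 'others' may overwrite."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(full)
    return sorted(hits)


def demo():
    """Run a careless application (requests rw-rw-rw-) under three filters."""
    policies = {  # constructed sample policies, not the macOS defaults
        "no_filter": {},
        "block_group_other_write": {"group": ["write"], "others": ["write"]},
        "block_owner_write": {"owner": ["write"]},   # the dangerous Owner row
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, table in policies.items():
            path = os.path.join(tmp, name)
            results[name] = create_with_filter(path, 0o666, mask_from_table(table))
        results["world_writable"] = [os.path.basename(p) for p in world_writable(tmp)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

Blocking a right in the Owner row removes that right from the creator's own file while leaving the file writable by others, which is why the audit helper still reports it.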

There are specific circumstances where TinkerTool System detects that it won’t be possible to modify the permission filter. In this case, the table is disabled and an error message appears at its left side. The following situations can cause such a problem:

Miscellaneous

Control the Security Policy for Remote Apple Events

As of version 10.15, macOS follows stricter security guidelines than earlier operating system versions regarding the use of AppleScript and the associated Apple Events over a remote network connection. An Apple Event that targets an application on a remote system must authenticate as the same user on the remote system. If it doesn’t do so, the sending application will receive a procNotFound error. If you would like to relax this rule, using the less secure policy of older operating systems, perform the following steps on the computer that receives remote Apple Events:

  1. Open the tab item Misc. on the pane System.
  2. Remove the check mark at Require matching user account on clients to access the current login session.

The new setting does not take effect immediately. To enforce an update, either restart the computer, or toggle the Remote Apple Events setting in the Sharing pane of System Preferences twice.

Screen Sharing

If a remote administrator uses the screen sharing feature of macOS to receive the current contents of the computer screen on their own computer across a network connection, macOS automatically tries to protect the privacy of the user currently working on the local screen: If the remote administrator connects with a user account which is different from the one of the local user, the screen session won’t begin immediately. Instead, the accessing user is asked whether they would like to work on their own, separate screen, or whether the local user should be asked to grant permission for the remote user to see and take over the current screen. The local user could have private or confidential information on screen, so this behavior will protect the displayed data.

In some cases, this policy may not be useful. You can disable this privacy feature as follows:

  1. Open the tab item Misc. on the pane System.
  2. Click on the item Permit clients to take over frontmost screen session immediately.

You should check if this policy is compliant with local laws and the guidelines of your organization, if applicable.

FileVault 2

If you enabled the modern version of FileVault (officially called FileVault 2) on your computer, the entire system volume will be encrypted by a secure key and a password will be necessary to unlock and decrypt the disk. When the computer is switched on, the operating system cannot start immediately, because the Mac cannot read the encrypted disk. Instead, the computer’s firmware and some parts of the unencrypted recovery partition present a special login screen (which resembles the login screen of macOS). Users have to log in here first, and for entitled users, the secret decryption key will be unlocked, which is then used to decrypt the operating system partition and to launch macOS.

At this stage, it is known that the user who unlocked the disk must also be a valid user of macOS, so the firmware passes the name and password of this user to the operating system, performing an automatic login and thereby avoiding a second request for credentials. For this reason, the activation of FileVault automatically enables the automatic login feature of macOS, too.

In some cases, this behavior might not be intended. macOS supports a special feature to uncouple the decryption of the FileVault disk from the initial login upon start of the operating system:

  1. Open the tab item Misc. on the pane System.
  2. Click on the item Use separate logins for disk decryption and first user session.

You can also enable an advanced security feature of FileVault for cases where this is needed. To guarantee continued access to storage media, your Mac must always keep the key for disk encryption in memory in order to successfully process any block on the disk the operating system needs to read or write. That includes time periods where your Mac enters sleep and standby modes. This is necessary to ensure that the Mac can still perform regular maintenance tasks when not being fully switched on and to execute Power Nap functions.

This policy maintains a certain comfort level, but can become an issue should your Mac be stolen, when an attacker tries to get direct memory access by connecting special hardware devices to the sleeping Mac. In theory, the disk encryption key could be disclosed this way.

By removing the check mark Keep encryption key in memory during standby you can avoid this possible method of attack. If this option is not checked, macOS will destroy the FileVault key in RAM when the system enters standby mode. In this configuration, your Mac will no longer have disk access during standby, so Power Nap and similar maintenance features will no longer be active regardless of how you have configured them.

Print Job History

The printing features of macOS are implemented by CUPS, the Common Unix Printing System. By default, macOS keeps a log of all print jobs ever processed by the local computer, the print job history. TinkerTool System can disable the log if desired, and it can show you the records currently in the log. To change the system setting for keeping print job records, perform the following steps:

  1. Open the tab item Misc. on the pane System.
  2. Set or remove the check mark Keep print job history in the macOS printing system.

The log can be reviewed by clicking the button Open print job history in web browser. TinkerTool System will delegate this task to your preferred web browser. Web access to the printing subsystem is inactive by default in several versions of macOS. By using the option Enable web interface of printing system you can control whether web access should be possible or not.