Spotlight – Enable/Disable

I’m a big fan of Spotlight on a Mac, but there are those out there who aren’t. If you happen to be one of them then this next bit is for you: you can disable Spotlight by doing the following

Open Terminal and type the following

sudo nano /etc/hostconfig

Locate the following item

SPOTLIGHT=-YES-

Change it so it now reads

SPOTLIGHT=-NO-

Press CTRL-X, then press Y, then press ENTER to save the file

Now to disable indexing type the following into Terminal

sudo mdutil -i off /

To erase the current index, type the following into Terminal

sudo mdutil -E /

And that’s that, Spotlight is now disabled. But if you realise that you have made a terrible mistake then don’t despair, you can enable Spotlight again by basically reversing the work you’ve just done

So, in Terminal type

sudo nano /etc/hostconfig

Locate the following item

SPOTLIGHT=-NO-

Change it so it now reads

SPOTLIGHT=-YES-

Now to enable indexing type the following into Terminal

sudo mdutil -i on /

And there you have it, a fully working Spotlight

Create a Hidden Administrator

I like to hide the administrator account from prying eyes. This helps add to the security of your machine by not making it obvious what accounts are on the machine.

To do this you need to do a number of things, first of all log in to the Mac with an admin account.

Go to System Preferences, then Accounts, then click on Login Options and change the following options

Display login window as : Name and password
Disable Automatic Login

Next you can either create a new admin account to hide, or you can edit and hide an existing one

Now, right-click (CTRL Click) on the account you wish to hide and choose Advanced Options

Set the User ID to a number less than 500. I usually pick one between 490 and 499, as there are a few system accounts that use earlier numbers

Now change the Home directory to somewhere someone wouldn’t think to look; a lot of people use /var/

It’s also a good idea to put a . in front of your home folder to hide it further, so the path would be /var/.admin

Now you need to move and rename your actual home folder. It’s easiest to do this in the Terminal, so open that up and type the following

sudo mv /Users/admin /var/.admin
sudo chown -R admin /var/.admin

Now you need to remove the Public and Sites folders from your home folder. As you already have a Terminal window open, you can enter the following to remove them

sudo rm -R /var/.admin/Public /var/.admin/Sites

OK, now that’s all done you need to make some changes to the loginwindow preferences. This can also be done in the Terminal, so enter the following

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array admin

This will hide any account with a User ID under 500 and add your ‘admin’ account to the hidden users list

Test this by rebooting and logging in as a non-admin user. Go to System Preferences and then Accounts; if all is well then the admin account will not show up

Now log out and log in as the hidden admin user. I tend to put some applications on the Desktop of this hidden account, just ones that I’d rather the end user of the machine not use, as they have the potential to break their machines if not used correctly. (I once had a user use OnyX to display hidden files and then they deleted the mach_kernel as they didn’t recognise the file and thought it could be a virus.) So I now keep this out of their reach

Firmware Password Utility

As every good System Administrator should, I set firmware passwords on all my Macs.

But one of the frustrations caused by this security precaution comes when you are trying to boot a Mac into Target Disk Mode: you need to first boot from an installation disk and then run the Firmware Password Utility

To get around this, I create a copy of the Firmware Password Utility on all Macs (you could put one on a USB if you wish)

This is done by following these steps

1. Insert a Mac OS X Installation DVD into your Mac

2. Open Terminal and type the following

cp -R "/Volumes/Mac OS X Install DVD/Applications/Utilities/Firmware Password Utility.app" ~/Desktop

3. Now you can run the utility from your desktop

Also, if you are setting up multiple Macs and you wish to have them all use the same firmware password, you can do the following to push it to all machines

1. Set it manually on 1 machine using the utility mentioned above

2. Open Terminal and type the following

sudo nvram security-password

You will get an output similar to this

security-password %cd%f8f%bd%98%87%c5%

This is your encoded firmware password, you can now deploy this via Apple Remote Desktop, SSH, or a script.

Please note, this will only work on Intel Macs

To deploy it to other Macs, enter the following into Terminal either locally, via SSH, ARD or other deployment solutions

sudo nvram security-password=%cd%f8f%bd%98%87%c5%
sudo nvram security-mode=command

Apple Software Update Server – Client configuration

To switch a Mac client from collecting its updates from Apple to collecting them from your Software Update Server, you will need to apply the following to the client machines

Open Terminal and paste the following text into it

For 10.7

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-lion-snowleopard-leopard.merged-1.sucatalog

If running from Apple Remote Desktop then you can send the following UNIX command as root user

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-lion-snowleopard-leopard.merged-1.sucatalog

For 10.6

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-leopard-snowleopard.merged-1.sucatalog

Or if running from ARD then you can send the following as root user

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-leopard-snowleopard.merged-1.sucatalog

For 10.5

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/

Again, if running from ARD then you can send the following as root user

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/

To confirm that this has worked, run Software Update on the client and it should add your server’s name to the window during the check for updates.

To remove a machine from a local ASUS and collect updates from Apple again, type the following into the Terminal

sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

Or if running from ARD then do the following as root user

defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

Disable Bonjour advertising

As a security precaution I always disable Bonjour advertising on all Macs on my network. Please note that this will not stop Bonjour from working, but it will stop your Macs from advertising their presence on your network.

Here is how to do it

Open a Terminal window

If you are logged in as an administrator then type the following:

sudo nano /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

You need to look for the following section

<array>
<string>/usr/sbin/mDNSResponder</string>
<string>-launchd</string>
</array>

Now add the following string to the array

<string>-NoMulticastAdvertisements</string>

So the array should now look like this

<array>
<string>/usr/sbin/mDNSResponder</string>
<string>-launchd</string>
<string>-NoMulticastAdvertisements</string>
</array>

To save the file press CTRL-X

This will ask you if you wish to save, press Y for yes, and N for no

If you chose to save it then you will get a prompt about the save location. This will more than likely be the same place you opened the file from. In this example we want the file to stay in the same location, so just press ENTER to complete the save process

Reboot your machine and see if it shows up in Finder (on a different machine). If it does then you may have a spelling mistake in the additional line; reopen the file using the instructions above and check it over

As I said this will not disable Bonjour, so you will still be able to connect to Bonjour printers etc.
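
The plist edit above can also be scripted so the flag is never mistyped and the change is safe to repeat across many Macs. This is an added example, not part of the original post; the function names has_flag and add_flag are made up for illustration, and it assumes the plist is the XML text file shown above.

```shell
#!/bin/sh
# Added example (not from the original post): add -NoMulticastAdvertisements
# to an mDNSResponder launchd plist without hand-editing, and check the result.
# Assumes an XML (text) plist laid out like the one shown in the article.

FLAG='-NoMulticastAdvertisements'

# has_flag FILE: succeed if the flag is present, spelled exactly.
has_flag() {
    grep -qF -e "<string>${FLAG}</string>" "$1"
}

# add_flag FILE: insert the flag directly after the -launchd argument.
# Returns 0 on success or if already present, 2 if -launchd is not found.
add_flag() {
    plist=$1
    has_flag "$plist" && return 0
    grep -qF -e '<string>-launchd</string>' "$plist" || return 2
    tmp=$(mktemp) || return 1
    awk -v flag="$FLAG" '
        { print }
        /<string>-launchd<\/string>/ && !done {
            indent = $0
            sub(/<string>.*/, "", indent)   # keep the original indentation
            print indent "<string>" flag "</string>"
            done = 1
        }' "$plist" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup, then overwrite in place so owner and mode are unchanged.
    cp -p "$plist" "$plist.bak" && cat "$tmp" > "$plist"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# When given a path, patch that file and report whether the flag is now set.
if [ "$#" -gt 0 ]; then
    add_flag "$1" && has_flag "$1" && echo "advertising flag present in $1"
fi
```

Run it as root with the plist path from this section as its argument; the reboot and the check from another machine still apply afterwards.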