macOS command to add back Wi-Fi service

Acknowledgements: Hat tip to Eric Hemmeter on the MacAdmins Slack for this command.

If you want a command that will add back the Wi-Fi service if you deleted it and now want it back, here it is:

networksetup -createnetworkservice Wi-Fi en1
That's assuming the output of
networksetup -listallhardwareports
has a hardware port of Wi-Fi with its device being en1 (could be en0, for example).

Terminal command to see the Startup Disk in macOS

If you want to see what the current Startup Disk is on your macOS installation, you can certainly go to System Preferences > Startup Disk.

But if you want to use the terminal instead of the GUI, this command will return the current Startup Disk:

bless --getBoot
If a Startup Disk is set, you'll see something like this:
If no Startup Disk is set, you'll see this error message instead:
Can't access "efi-boot-device" NVRAM variable
or this one:
Could not interpret boot device as either network or disk
Can't interpet EFI boot device
And, yes, there's a typo in the error message (as of macOS 10.12.6, anyway). That should say Can't interpret instead of Can't interpet.

Changing the CrashPlan primary server by terminal commands on a Mac

We recently wanted to change the primary server for our CrashPlan clients from an IP-based one to a DNS-based one. Unfortunately, CrashPlan doesn't have a .plist file you can just run a defaults write command on.

So apart from going into every machine and manually changing it from the menu bar, there is a way to script it. Thanks to ahbeng's GitHub port change script for inspiration on this, but we also got confirmation directly from Code42 that this would work.

Basically, you just want to stop the CrashPlan engine, tweak the text file, and then restart the engine. This works on CrashPlan PROe 4.2. You may have to look for a slightly different file if you're running a different version of CrashPlan PROe.

# Unload CrashPlan's engine, substitute the new string in, and then load the engine back again
sudo launchctl unload /Library/LaunchDaemons/com.crashplan.engine.plist && sudo sed -i '' -e "s/IPADDRESS/SUBDOMAINANDDOMAINNAME/g" /Library/Application\ Support/CrashPlan/conf/my.service.xml && sudo launchctl load /Library/LaunchDaemons/com.crashplan.engine.plist && open /Applications/\ menu\
Obviously, substitute in your IP address for IPADDRESS and your actual FQDN for SUBDOMAINANDDOMAINNAME.

Nota bene: If you have deployed your CrashPlan with a file, you may have to modify that file as well. Just throw in a

sudo sed -i '' -e "s/IPADDRESS/SUBDOMAINANDDOMAINNAME/g" /Library/Application\ Support/CrashPlan/conf/
as well when you've stopped the CrashPlan engine

Terminal command to get the full name of a Mac user

Munki-Enroll is a great little script combo that automatically changes the ClientIdentifier for Munki clients and then automatically creates a corresponding manifest on the Munki server that includes the old manifest.

I wanted to tweak it quite a bit to fit some of the quirks of how our organization does Munki client manifests, so I wrote up a tweaked version of the enroll shell script.

One of the things I wanted to get via the script is a particular user's full name, and I had trouble tracking down a tutorial on exactly how to get that. I also found that even when I used the usual instructions, on one computer, it didn't work—there was an extra carriage return before the full name... but that wasn't the case on other computers (and it wasn't a Yosemite vs. El Capitan thing either).

So this command actually gets the user's full name even if there's a random extra newline in the output. This works on both Yosemite and El Capitan (and probably earlier versions, but I haven't tested on Mavericks and before):

dscl . -read /Users/SHORTUSERNAME dsAttrTypeStandard:RealName | sed 's/RealName://g' | tr '\n' ' ' | sed 's/^ *//;s/ *$//'
where SHORTUSERNAME is the short username you're trying to get the full name of.

Basically, this read's the user's information, specifically the RealName. Then it strips out the RealName: part, then strips out any newline indicators, then finally strips out any preceding or trailing spaces.

Not sure if anyone else out there is looking for how to get the full name of a user using the terminal on a Mac, but that's how you do it.

Scripting enabling root or disabling root on Mac OS X

If you want to script enabling or disabling the root account in Mac OS X (instead of having to go to Directory Utility to do it), you'll want to use the dsenableroot command.

Enable the root user

dsenableroot -u adminaccount -p adminaccountpassword -r rootpasswordyouwant

Disable the root user

dsenableroot -d -u adminaccount -p adminaccountpassword

Important Notes

Just keep in mind that you have to use the syntax as given. You cannot bypass giving an actual username and password of an admin account by being logged into that admin account and prefixing the command with sudo.

Any commands you put into the terminal on a computer, by default, will go into that user's .bash_history file stored as plain text. So if it's one-off on a local computer, be sure to edit that file later and delete that line. If you're using some other remote way to deploy the command, make sure it's being sent over a secure (and protected) connection of some sort.

Enable SSH for only one user via command line

If you want to enable SSH for only one user using the command line on a Mac, run these three commands:

Make sure the group exists

sudo /usr/sbin/dseditgroup -o create -q

Add user username to the group

sudo /usr/sbin/dseditgroup -o edit -a username -t user

Turn remote login on

sudo /usr/sbin/systemsetup -setremotelogin on


Greg Neagle's tip on the MacEnterprise Mailing List
Script to allow Administrators sec group to Remote Login

Toggle Allow apps downloaded from anywhere

There's a setting on Mac OS X for allowing apps to be installed from anywhere or only from signed developers. If you want to automate changing this setting via terminal command, this is how you do it.


sudo spctl master-enable


sudo spctl master-disable

The spctl command is even more versatile than that. More details at Gatekeeper Fundamentals, Part 2.

Using a terminal command to disable App Store automatic checks

If you want to automate disabling the App Store auto check, the terminal equivalent of System Preferences > App Store > Automatically check for updates is

sudo defaults write /Library/Preferences/ AutomaticCheckEnabled -bool false

This is handy to know in case you're managing updates a different way (e.g., Munki) and don't want your users pestered with update messages directly from Apple.

Enable duplex printing via terminal command on a Mac

If you want to enable duplex printing via a terminal command (e.g., trying to fix a bunch of already-installed printers with duplex disabled, and you want to fix that with a script), first you have to figure out what parameter to change.

On one Mac with the printer installed, find the printer via System Preferences > Printers & Scanners and then go to Options & Supplies and then Options to see if duplex printing is on. If it's not on, turn it on via point and click.

Then, in the terminal, put in this command, substituting in the name of your printer for printername:

lpoptions -p printername -l
You should see a bunch of output. In the output, you may see a line referring to APOptionalDuplexer or HPOption_Duplexer.

In my case, I was trying to script duplexing for an HP printer, so the latter showed up this way:

HPOption_Duplexer/Duplex Unit: *True False
The asterisk next to True means it's set to true. You'll notice if you turn the duplex option off and then run that same command again, the asterisk will be next to False instead.

Once you figure out the option you want, the command to enable duplex printing as an option should look something like this:

lpadmin -p printername -o APOptionalDuplexer=True
or this
lpadmin -p printername -o HPOption_Duplexer=True

Acknowledgements: This is based on a helpful post from Mac Rumors from the thread enable "Duplex Printing Unit" in command prompt?