This tool queries the available Java Virtual Machines from /Library/Java/JavaVirtualMachines.
$ /usr/libexec/java_home --help
Usage: java_home [options...]
Returns the path to a Java home directory from the current user's settings.
Options:
[-v/--version <version>] Filter versions (as if JAVA_VERSION had been set in the environment).
[-a/--arch <architecture>] Filter architecture (as if JAVA_ARCH had been set in the environment).
[-F/--failfast] Fail when filters return no JVMs, do not continue with default.
[ --exec <command> ...] Execute the $JAVA_HOME/bin/<command> with the remaining arguments.
[-X/--xml] Print full JVM list and additional data as XML plist.
[-V/--verbose] Print full JVM list with architectures.
[-h/--help] This usage information.
An example usage of this tool:
$ /usr/libexec/java_home -v 11 -a x86_64
/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home
dot_clean
This is an extremely useful built-in utility to delete all useless dot files that macOS creates, such as ._MyFile.
Just point it at a folder, and it wipes it free of the cruft!
This is a utility for managing GPUs, especially eGPUs. This is what is behind
the safe eject functionality of the eGPU in the System UI.
It is useful for:
Listing GPUs on the system.
Determining what applications are using a particular GPU.
Ejecting an eGPU safely.
Launching an application on a specific GPU.
Switching an application from one GPU to another.
$ /usr/bin/SafeEjectGPU
usage: SafeEjectGPU [Commands...]
Commands:
gpuid <gpuid> # specify gpuid of following commands
gpuids <gpuid1>,<gpuid2>,... # specify list of gpuids for RelaunchPIDOnGPU command
gpus # show all GPUs and their applicable properties
apps # show all Apps on specified gpuid
status # show status of all specified gpuid
Eject # Eject (full eject sequence) on specified gpuid
Initiate # Initiate eject sequence on specified gpuid
Relaunch # Relaunch lingering AppKit apps on specified gpuid
Finalize # Finalize eject sequence on specified gpuid
Cancel # Cancel eject sequence on specified gpuid
RelaunchPID <pid> # RelaunchPID can be used in app testing to send Relaunch stimulus in isolation
RelaunchPIDOnGPU <pid> # Send Relaunch stimulus to an app with set of limited GPUs to select from, use gpuids
LaunchOnGPU <path> # Launch an app from given bundle path with set of limited GPUs, use gpuids
zombies # show all zombies (apps holding reference to unplugged eGPU)
zcount # show count of (unhidden) zombies
Zkill # kill zombies
Zrelaunch # relaunch zombies
+fallbackGPUEjectPolicy # allow builtin fallbacks to take effect (default)
-fallbackGPUEjectPolicy # deny builtin fallbacks
Notes:
Unspecified gpuid (==0) indicates all "removable" GPUs
Capitalized commands may have system-wide effects
Non-capitalized commands are informative only
See description of Info.plist "SafeEjectGPUPolicy" key. Use values:
"ignore", "wait", "relaunch", or "kill" for per-app policy
+/-fallbackGPUEjectPolicy can appear multiple times on the commandline and applies to following commands
This command gives information about File Sharing. It should look similar to the File Sharing section in the Sharing preference pane.
$ /usr/sbin/sharing
Usage:
sharing -a <path> [options] : create a sharepoint for directory specified by path <path>
sharing -e <name> [options] : edit sharepoint named <name>
sharing -r <name>: remove sharepoint with name <name>
sharing -l [-f json] : list existing sharepoints
options:
-A <name> :use share point name <name>forafp. Obsolete but leftinfor backwards compatibility.
-F <name> :use share point name <name>forftp. Obsolete but leftinfor backwards compatibility.
-S <name> :use share point name <name>for smb.
-s [<flags>] :enable sharing, restricted by flags if specified;
flags = 000,001,010 ...111; 1 = share, 0 = do not share;
with digits indicating afp (no longer supported), ftp (no longer supported) and smb in that order;
default is 001 if -s is specified with no flags.
-g [<flags>] :enable guest access, restricted by flags if specified;
flags = 000,001,010 ...111; 1 = enabled, 0 = disabled;
with digits indicating afp (no longer supported), ftp (no longer supported) and smb in that order;
default 001 if -g is specified with no flags.
-i [<flags>] :enable inherit privileges from parent (afp only). Obsolete but left infor backwards compatibility.
-n <name> :set record name to use (by default this is the directory name of the shared directory)
-R <0/1> :make share read only for smb. 1 is enable, 0 is disable.
-E <0/1> :make share encrypted for smb v3 and later. 1 is enable, 0 is disable.
-f <format> :when listing shares, outputs in specified format. Formats supported: json
remotectl
The Apple T2 security chip (a built-in ARM chip in newer Intel Mac models) communicates with your system with a modified HTTP/2 protocol. There is also a command-line interface for various functions of the chip.
Note that this chip is merged with the Apple Silicon chips, and remotectl is no longer used on Apple Silicon Macs.
This is a utility related to "CloudDocs", also know as iCloud Drive.
$ /usr/bin/brctl
Usage: brctl <command> [command-options and arguments]
-h,--help show this help
COMMANDS
diagnose [options] [--doc|-d <document-path>] [<diagnosis-output-path>]
diagnose and collect logs
-M,--collect-mobile-documents[=<container>] (default: all containers)
-s,--sysdiagnose Do not collect what's already part of sysdiagnose
-t,--uitest Collect logs for UI tests
-n,--name=<name> Change the device name
-f,--full Do a full diagnose, including server checks
-d,--doc=<document-path>
Collect additional information about the document at that path.
Helps when investigating an issue impacting a specific document.
-e,--no-reveal Do not reveal diagnose in the Finder when done
[<diagnosis-output-path>]
Specifies the output path of the diagnosis; -n becomes useless.
log [options] [<command>]
-a,--all Show all system logs
-p,--predicate Additional predicate (see `log help predicates`)
-x,--process <name> Filter events from the specified process
-d,--path=<logs-dir> Use <logs-dir> instead of default
-S,--start="YYYY-MM-DD HH:MM:SS" Start log dump from a specified date
-E,--end="YYYY-MM-DD HH:MM:SS" Stop log dump after a specified date
-b Only show CloudDocs logs
-f Only show FileProvider related logs
-F Only show FruitBasket related logs
-g Only show Genstore related logs
-i Only show SQL and CloudDocs logs
-z,--local-timezone Display timestamps within local timezone
dump [options] [<container>]
dump the CloudDocs database
-o,--output=<file-path>
redirect output to <file-path>
-d,--database-path=<db-path>
Use the database at <db-path>
-i,--itemless
Don't dump items from the db
-u,--upgrade
Upgrade the db if necessary before dumping
[<container>] the container to be dumped
status [<containers>]
Prints items which haven't been completely synced up / applied to disk
[<container>] the container to be dumped
quota
Displays the available quota in the account
monitor [options] [<container> ...]
monitor activity
-g dump global activity of the iCloud Drive
-i dump changes incrementally
-S,--scope=<scope>
restrict the NSMetadataQuery scope to docs, data, external or a combination
[<container> ...] list of containers to monitor, ignored when -g is used
A pretty cool command here is a utility to get the quota left on your iCloud Drive:
$ /usr/bin/brctl quota
2098962726220 bytes of quota remaining
sysadminctl
Basically an all around useful tool for managing users, as well as manage full-disk encryption (FileVault).
$ /usr/sbin/sysadminctl
Usage: sysadminctl
-deleteUser <user name> [-secure || -keepHome] (interactive || -adminUser <administrator user name> -adminPassword <administrator password>)
-newPassword <new password> -oldPassword <old password> [-passwordHint <password hint>]
-resetPasswordFor <local user name> -newPassword <new password> [-passwordHint <password hint>] (interactive] || -adminUser <administrator user name> -adminPassword <administrator password>)
-addUser <user name> [-fullName <full name>] [-UID <user ID>] [-GID <group ID>] [-shell <path to shell>] [-password <user password>] [-hint <user hint>] [-home <full path to home>] [-admin] [-roleAccount] [-picture <full path to user image>] (interactive] || -adminUser <administrator user name> -adminPassword <administrator password>)
-secureTokenStatus <user name>
-secureTokenOn <user name> -password <password> (interactive || -adminUser <administrator user name> -adminPassword <administrator password>)
-secureTokenOff <user name> -password <password> (interactive || -adminUser <administrator user name> -adminPassword <administrator password>)
-guestAccount <on || off || status>
-afpGuestAccess <on || off || status>
-smbGuestAccess <on || off || status>
-automaticTime <on || off || status>
-filesystem status
-screenLock <status || immediate || off || seconds> -password <password>
Pass '-' instead of password in commands above to request prompt.
'-adminPassword' used mostly for scripted operation. Use '-' or 'interactive' to get the authentication string interactively. This preferred for security reasons
*Role accounts require name starting with _ and UID in 200-400 range.
A pretty useful command in this tool is to check if FileVault is enabled:
CloudKit controls, probably useful for some advanced users.
$ /usr/sbin/ckksctl
usage: ckksctl [-p] [-j] [-s] [-v arg] [status] [fetch] [push] [resync] [reset] [reset-cloudkit] [ckmetric]
Control and report on CKKS
positional arguments:
optional arguments:
-p, --perfcounters Print CKKS performance counters
-j, --json Output in JSON format
-s, --short Output a short format
-v arg, --view arg Operate on a single view
optional commands:
status Report status on CKKS views
fetch Fetch all new changes in CloudKit and attempt to process them
push Push all pending local changes to CloudKit
resync Resync all data with what's in CloudKit
reset All local data will be wiped, and data refetched from CloudKit
reset-cloudkit All data in CloudKit will be removed and replaced with what's local
ckmetric Push CloudKit metric
otctl
This is the Octagon Trust utility. It's a pretty neat view of the underlying trust network being used by your Apple Devices.
$ /usr/sbin/otctl
usage: otctl [-s arg] [-e arg] [-r arg] [-j] [-i arg] [-E] [-P] [--altDSID arg] [--entropy arg] [--appleID arg] [--dsid arg] [--container arg] [--radar arg] [start] [sign-in] [sign-out] [status] [resetoctagon] [resetProtectedData] [user-controllable-views] [allBottles] [recover] [depart] [er-trigger] [er-status] [er-reset] [er-store] [health] [ckks-policy] [taptoradar] [fetchEscrowRecords] [fetchAllEscrowRecords] [recover-record] [recover-record-silent]
Control and report on Octagon Trust
positional arguments:
optional arguments:
-s arg, --secret arg escrow secret
-e arg, --bottleID arg bottle record id
-r arg, --skipRateLimiting arg enter values YES or NO, option defaults to NO, This gives you the opportunity to skip the rate limiting check when performing the cuttlefish health check
-j, --json Output in JSON
-i arg, --recordID arg recordID
-E, --enable Enable something (pair with a modification command)
-P, --pause Pause something (pair with a modification command)
--altDSID arg altDSID (for sign-in/out)
--entropy arg escrowed entropy in JSON
--appleID arg AppleID
--dsid arg DSID
--container arg CloudKit container name
--radar arg Radar number
optional commands:
start Start Octagon state machine
sign-in Inform Cuttlefish container of sign in
sign-out Inform Cuttlefish container of sign out
status Report Octagon status
resetoctagon Reset and establish new Octagon trust
resetProtectedData Reset ProtectedData
user-controllable-views Modify or view user-controllable views status (If one of --enable or --pause is passed, will modify status)
allBottles Fetch all viable bottles
recover Recover using this bottle
depart Depart from Octagon Trust
er-trigger Trigger an Escrow Request request
er-status Report status on any pending Escrow Request requests
er-reset Delete all Escrow Request requests
er-store Store any pending Escrow Request prerecords
health Check Octagon Health status
ckks-policy Trigger a refetch of the CKKS policy
taptoradar Trigger a TapToRadar
fetchEscrowRecords Fetch Escrow Records
fetchAllEscrowRecords Fetch All Escrow Records
recover-record Recover record
recover-record-silent Silent record recovery
Run the following command to list your peers:
$ /usr/sbin/otctl status
... Lots of Useful Output ...
spctl
This is the System Policy management utility. You can enable and disable Gatekeeper and other code-signing features this way.
$ /usr/sbin/spctl
System Policy Basic Usage:
spctl --assess [--type type] [-v] path ... # assessment
spctl --add [--type type] [--path|--requirement|--anchor|--hash] spec ... # add rule(s)
spctl [--enable|--disable|--remove] [--type type] [--path|--requirement|--anchor|--hash|--rule] spec # change rule(s)
spctl --status | --master-enable | --master-disable # system master switch
Developer Mode Usage:
spctl developer-mode <action>
enable-terminal
Add Terminal as a developer tool.
Kernel Extension User Consent Usage:
spctl kext-consent <action> ** Modifications only available in Recovery OS **
status
Print whether kernel extension user consent is enabled or disabled.
enable
Enable requiring user consent for kernel extensions.
disable
Disable requiring user consent for kernel extensions.
add <team-id>
Insert a new Team Identifier into the list allowed to load kernel extensions without user consent.
list
Print the list of Team Identifiers allowed to load without user consent.
remove <team-id>
Remove a Team Identifier from the list allowed to load kernel extensions without user consent.
A useful command is to view the status of the system policy assesments:
$ /usr/sbin/spctl --status
assessments enabled
networksetup
Network setup is pretty much everything network-related minus some wireless stuff.
客服电话
APP下载
官方微信
请发表评论