So you’ve just got your brand new Macbook Pro and you want to start using it effectively? Here are my installation notes relative to Mac OS 10.15 (Catalina) on a Macbook Pro TouchBar ID.

Pre-requisites: Erase and Re-install

The first thing you should do is securely erase your disk and re-install the OS. It’s not a 100% guarantee of security, but it ensures you start from a clean system.

Secure erase is no longer available under Mac OS Sierra, but the below steps should be sufficient:

  • Configure and log in the first time with a dummy user
  • Open “System Preferences” (in the dock), go to “Security & Privacy”, select FileVault and turn it on (copy the encryption key)
  • Wait for the encryption of your disk to finish.
    • in parallel (but I’m not sure it’s really required now), open the “App Store” and download your OS update
  • Once FileVault has finished:
    • Reboot and use Command + R after the apple logo appears
    • Select Disk Utility: erase your full disk
      • Select View / Show All Devices
      • Select the top internal disk (APPLE SSD […])
      • Select Erase: (Name: MacbookPro, Format: APFS, Scheme: GUID)
      • You may be asked to enter your Apple ID
      • When it’s finished, quit Disk Utility
    • Select “Reinstall macOS”

You can now reboot and go through the first configuration steps.

Preliminary setup: System Preferences

So now you should have set up Mac OS (Catalina 10.15 at the time of writing); it’s time to configure it.

  • (optionally) install the Little Snitch application now to closely monitor all connection attempts (and thus permanently allow the eligible ones while configuring the steps below).
    • Enable the option “Show Local Network” (Upper left dropdown in Monitor window)
  • Open “Keychain Access” app (under Applications / Utilities /), go to the Preferences menu, and select “Show keychain status in menu bar”.
    • This lets you lock the screen on demand.
  • Clean the dock of unnecessary applications
  • Open “System Preferences” (in the dock), go to “Security & Privacy”
    • Under ‘General’: “require password after 5s”.
    • Unlock and select the ‘Advanced’ button (bottom right)
      • Enable “Require an administrator password to access system-wide preferences”
      • Disable automatic login and the remote control infrared receiver.
    • Under ‘FileVault’, Turn it on

    You should use FileVault from the first day you purchase your Mac. Then all your data is encrypted, including any bad blocks or, on SSDs, the blocks that have not been pre-cleaned.

    • Under ‘Firewall’: Turn on to start the Firewall.
      • Ideally, under the Advanced tab, select the option to “prevent all incoming connections”.
      • Otherwise, enable at least the stealth mode, and disable the other Automatic settings
    • Under ‘Privacy’: be aware of the services using your location.
      • Under ‘About Location Services & Privacy’,
  • Update your laptop (Turn on automatic updates when proposed)
    • In the Apple menu (top left), select “App Store”, go to the ‘Updates’ tab and install the latest updates (you will probably have to restart)
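
The Security & Privacy choices above (FileVault, firewall level, stealth mode, automatic login) can be re-checked from a terminal after the setup. The script below is an added example, not part of the original notes; it assumes the Catalina-era preference keys `globalstate` and `stealthenabled` in /Library/Preferences/com.apple.alf and `autoLoginUser` in com.apple.loginwindow, and its function names are made up for the illustration.

```bash
#!/bin/sh
# Added example (not from the original post): read-only audit of the
# "Security & Privacy" settings listed above, for macOS 10.15.
# Assumption: firewall state is stored in /Library/Preferences/com.apple.alf
# (globalstate: 0=off, 1=on, 2=block all incoming; stealthenabled: 0/1).

# FileVault: `fdesetup status` prints "FileVault is On." when enabled.
filevault_on() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the com.apple.alf globalstate value to a label.
firewall_level() {
    case "$1" in
        0) echo "off" ;;
        1) echo "on" ;;
        2) echo "block-all" ;;
        *) echo "unknown" ;;
    esac
}

# audit_report <fdesetup output> <globalstate> <stealthenabled> <autoLoginUser>
# Prints one PASS/WARN/FAIL line per setting and returns the number of FAILs.
audit_report() {
    fails=0
    if filevault_on "$1"; then echo "PASS FileVault is on"
    else echo "FAIL FileVault is off"; fails=$((fails + 1)); fi

    case "$(firewall_level "$2")" in
        block-all) echo "PASS firewall blocks all incoming connections" ;;
        on)        echo "WARN firewall on, incoming connections allowed per app" ;;
        *)         echo "FAIL firewall is off or unreadable"; fails=$((fails + 1)) ;;
    esac

    if [ "$3" = "1" ]; then echo "PASS stealth mode enabled"
    else echo "FAIL stealth mode disabled"; fails=$((fails + 1)); fi

    # autoLoginUser is absent (empty here) when automatic login is disabled.
    if [ -z "$4" ]; then echo "PASS automatic login disabled"
    else echo "FAIL automatic login enabled for '$4'"; fails=$((fails + 1)); fi

    return "$fails"
}

# Collect live values only on a Mac; a failed read becomes an empty string.
if [ "$(uname -s)" = "Darwin" ]; then
    alf=/Library/Preferences/com.apple.alf
    audit_report \
        "$(fdesetup status 2>/dev/null)" \
        "$(defaults read "$alf" globalstate 2>/dev/null)" \
        "$(defaults read "$alf" stealthenabled 2>/dev/null)" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" \
        || echo "=> $? setting(s) need attention"
fi
```

A firewall that is on without “prevent all incoming connections” is reported as WARN rather than FAIL, matching the fallback the list above allows.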

It’s now time to finalize the configuration of the “System Preferences” (in the dock):

  • Adapt your favorite settings in ‘Desktop & Screen Saver’
  • In Dock:
    • reduce the size
    • enable “Magnification”
  • In Mission Control:
    • Untick ‘Automatically rearrange Spaces based on most recent use’
    • (optionally) Untick ‘Group windows by application’
    • Untick ‘Displays have separate Spaces’
    • Select Dashboard As Space
    • Configure the ‘Hot Corners’ (bottom left button) as follows:
      • top left: ‘Mission Control’
      • bottom left: ‘Desktop’
    • I also prefer to use “ALT Arrow Keys” to switch between spaces. Configure that under Keyboard / ShortCuts under ‘Mission Control’: modify the key binding for “Move to {left right} spaces”.
  • In Displays, untick the ‘Show mirroring options in the menu bar when available’
  • In Keyboard:
    • Under ‘Text’: Disable ‘Add period with double space’ as it leads to strange (unexpected) behaviour like inserting a ‘.’ upon double space… Quite annoying when programming…
    • Under ‘ShortCuts’, select ‘App ShortCuts’ and globally enable your favorite shortcuts (“CTRL + {left,right} arrow” in my case) to move to the {next,previous} tab. The trouble is that menu names are still not consistent at this level (some use ‘Select Next/Previous Tab’, while the new standard seems to be ‘Show Next/Previous Tab’). So the best is to configure the same shortcuts to cover all cases:
      • click on the ‘+’ button, with Menu title: ‘Select Next Tab’ (beware: this is case-sensitive) and in Keyboard Shortcut, press CTRL + right arrow.
      • repeat with ‘Show Next Tab’ and the same shortcut
      • similarly, click on the ‘+’ button, with Menu title: ‘Select Previous Tab’ (beware: this is case-sensitive) and in Keyboard Shortcut, press CTRL + left arrow.
      • repeat with ‘Show Previous Tab’ and the same shortcut
      • You probably also want to reassign the “Quit” menu (for instance to CTRL+CMD+Q) to avoid accidentally closing your apps
    • Note that for some reason, iTerm does not correctly handle these general settings and needs to be tweaked accordingly (see below for more details)
    • Under Shortcuts / Accessibility, untick everything
    • If you plan to use Alfred App (especially with the PowerPack), you may want to disable the shortcuts for Spotlight search (CMD+Space) to use it with Alfred.
  • In TrackPad: enable ‘Tap to click’ and increase the ‘Tracking speed’
    • select for One finger “Tap to click”, “dragging” and “Secondary click”. Ensure “Secondary Tap” is checked for Two Fingers
  • In ‘iCloud’: adapt the settings (in particular for the ‘Find My Mac’ option )
  • In ‘Internet Accounts’, add your favorite accounts (ensure double authentication is enabled for all of them)
  • In App Store: select ‘Automatically check for updates’
    • tick all sub-options there
    • review the other settings.
  • In BlueTooth, Turn it off (unless you plan to use a wireless mouse)
  • In Sharing
    • click on the lock
    • Edit and adapt the computer name
    • ensure all options are disabled
    • (optionally) Allow (for the duration of the setup) the ‘Remote Login’ option only for your username (in particular, remove Administrators from the list). This lets you connect and transfer files from your old Mac to this new one. Remember to disable it afterwards.
  • In Time Machine:
    • tick ‘Show Time Machine in menu bar’
    • select your disk and tick ‘Encrypt backups’
  • In Accessibility,
    • Under General, untick all
    • Under Display, disable ‘Shake mouse pointer to locate’
  • In Printer & Scanners, click on the ‘+’ button
    • right-click on the toolbar, select Customize Toolbar, drop the Advanced menu there
    • Click on ‘Advanced’ to add your UL printer
      • Type: Windows printer via spoolss
      • URL: `smb:///
      • Adapt the Name

In Safari, open the Preferences and in the “General” section, uncheck the option “Open safe files after downloading”. Carefully check all options.

Secure Boot

Recent Macs have an Apple T2 Security Chip, which you can use to enable Secure Boot: this makes sure that only a legitimate, trusted operating system loads at startup.

Secure Boot settings are available in Startup Security Utility:

  • Turn on or restart your laptop, then press and hold Command (⌘)-R immediately after you see the Apple logo to start up from macOS Recovery.
  • When you see the macOS Utilities window, choose Utilities > Startup Security Utility from the menu bar.
    • authenticate with an administrator account
    • Turn on the firmware password
    • Enable Secure Boot at the Full Security level
    • Disallow booting from external media

Homebrew – The missing package manager for Mac OS

Install Homebrew as per instructions:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

You can also install your GUI applications using Homebrew Cask, which “extends Homebrew and brings its elegance, simplicity, and speed to macOS applications and large binaries alike” using brew cask <software>. This way is even better as you can update them with a single CLI command (see below).

Thus your typical Homebrew setup would include the following steps:

  • Install mas-cli, a CLI interface to the applications you installed with the Mac App Store (each has a product identifier which is also used for mas-cli commands).
  • Install Homebrew Bundle which takes care of storing all installed apps and packages in a Brewfile (through brew bundle dump) that can be used to re-install them.
    • this way, upon migration from your OLD laptop, you probably want to save your currently installed packages with brew bundle dump, transfer the created Brewfile to your new laptop and restore the installation with brew bundle
$> brew install mas         # CLI for Mac App Store - https://github.com/mas-cli/mas
$> brew tap Homebrew/bundle # bring Brewfile management
# OLD laptop: 
#     brew bundle dump [--file=$(date +%F)_Brewfile] # Create a Brewfile embedding all installed apps
# NEW laptop: 
#     brew bundle  [--file=...]   # Consumes the local Brewfile to install your apps

If you want to replicate my personal configuration:

# download Brewfile 
curl -O https://raw.githubusercontent.com/Falkor/dotfiles/master/brew/Brewfile
brew bundle
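
Since brew bundle installs everything a Brewfile lists, a downloaded Brewfile is worth reading before it is consumed. The helper below is an added example, not part of the original notes or of Homebrew; its function names and the embedded sample Brewfile are constructed for the illustration. It summarizes the tap, brew, cask and mas entries and flags taps that live outside the homebrew/ organisation.

```bash
#!/bin/sh
# Added example (not from the original post): list what a Brewfile would
# install, so a downloaded file can be reviewed before `brew bundle` runs.

# brewfile_entries <kind> <file>: names declared as tap/brew/cask/mas "name"
brewfile_entries() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}[\"']\([^\"']*\)[\"'].*/\1/p" "$2"
}

# Taps outside the homebrew/ organisation pull formulae from third-party
# repositories; list them so they can be looked at before being trusted.
third_party_taps() {
    brewfile_entries tap "$1" | grep -iv '^homebrew/' || true
}

# review_brewfile <file>: print entry counts per kind, then any third-party
# taps. Returns 1 when at least one third-party tap is declared.
review_brewfile() {
    for kind in tap brew cask mas; do
        count=$(brewfile_entries "$kind" "$1" | wc -l | tr -d ' ')
        printf '%-4s %s\n' "$kind" "$count"
    done
    extra=$(third_party_taps "$1")
    if [ -z "$extra" ]; then
        return 0
    fi
    printf '%s\n' "$extra" | sed 's/^/third-party tap: /'
    return 1
}

# Constructed sample Brewfile (the mas entry and its id are placeholders).
sample_brewfile() {
    cat <<'EOF'
# constructed sample, not the author's Brewfile
tap "homebrew/bundle"
tap "d12frosted/emacs-plus"
brew "git"
brew "gnupg"
cask "iterm2"
mas "Example App", id: 1234567890
EOF
}

# Usage: sh review_brewfile.sh Brewfile
if [ -n "${1:-}" ]; then
    review_brewfile "$1" || echo "=> check the taps above before running brew bundle"
fi
```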

OR, at least, you probably want to install the following packages:

# (newer) Git/gpg/rsync/vim   stuff
$> brew install git-core git-flow git-extras gnupg pinentry-mac rsync subversion vim wget
# useful CLI utilities 
$> brew install autojump htop nmap parallel r sift stow terminal-notifier tig tree
# CLI completions on <TAB>
$> brew install bash-completion brew-cask-completion rake-completion zsh-completions
#
### Now you probably want to install your favorite apps (iterm2, Firefox, Chrome etc.) with brew
# best terminal ever
$> brew install iterm2
# editors and office suites
$> brew install atom sublime-text texstudio openoffice microsoft-office vim
# Emacs for ever
$> brew tap d12frosted/emacs-plus
$> brew install emacs-plus@27 --with-spacemacs-icon
# browser
$> brew install firefox google-chrome google-backup-and-sync
# tools
$> brew install authy dropbox mactex meld menumeters nextcloud openvpn-connect rowanj-gitx rstudio skim skype transmission vlc
# virtualization 
$> brew install virtualbox vagrant vagrant-manager docker
# games
$> brew install steam

Note: you may also consider my minimal Brewfile.minimal

You can update the installed apps and packages using:

$> brew update && brew upgrade
$> brew cu     # cask upgrade from tap buo/cask-upgrade
$> brew cleanup

I personally set the following shell function to do this operation:

bup () {
    echo "Updating your [Homebrew] system"
    brew update
    brew upgrade
    brew cu
    brew cleanup
}

Terminal Applications

  • Install iTerm2 Version 3, the best terminal application under Mac OS
  • You might still wish to use the default Terminal app (under /Applications/Utilities/) as the integration with the TouchBar is better than iTerm2 at the time of writing

Note: the equivalent on Linux is Guake Terminal or Terminator.

iTerm2 configuration

As mentioned above, for some reason, iTerm2 does not correctly handle the general keyboard shortcut settings. Here is how to enforce it:

Open iTerm2 Preferences from the menu

  • Under ‘General’:
    • Closing: Untick Confirm ‘Quit iTerm2’
    • Selection: tick ‘copied text includes trailing newline’ (a warning box is issued in this case, so don’t worry)
    • Window:
      • tick ‘Smart window placement’
      • untick ‘Native full screen windows’
  • Under ‘Appearance’
    • Window:
      • untick ‘Show Window number’
      • tick ‘Hide scrollbars’
      • tick ‘Disable transparency for fullscreen windows’
    • Tabs: untick ‘Show activity Indicator’
    • Panes: untick ‘Show per-pane title bar with split’
    • Dimming: tick ‘Dim background windows’
  • Under ‘Profiles’
    • in “General”:
      • Tag: default
      • Title: Profile (Job+Args)
      • Icon: Built-in Icon for Current App
      • Working Directory: select ‘Reuse previous session’s history’
      • select ‘Applications in Terminal may access clipboard’
    • in “Colors”: you should select the color scheme you like using the ‘Color Presets’ button.
      • personally I like Darkside
      • tick ‘Smart Cursor Color’
    • in “Text”: see My dotfiles instructions

      $> brew tap homebrew/cask-fonts
      $> brew cask install font-hack-nerd-font
      $> brew cask install font-source-code-pro-for-powerline

      • Install powerlevel10k, which will install the recommended MesloLGS fonts. Alternatively, you can consider Source Code Pro for Powerline at 14pt (for Regular).
      • Tick ‘Use built-in Powerline glyphs’
      • Font: MesloLGS NF, Regular, 15pt, 100, 100, tick Anti-aliased
      • Untick ‘Use a different font for Non-ASCII text’
        • OR use the “Hack Nerd” font for that (Regular, 14pt)
      • Note: you might also wish to apply this setting in the default Terminal app.

    • In ‘Window’:
      • Columns: 140, Rows: 40
      • tick ‘if showing profile name…’
      • note: if you want to bind a special key combination to launch iTerm (thus in the Default profile), you might want to set the style as ‘Full-Width Top of Screen’
    • In ‘Terminal’: tick ‘Unlimited scrollback’ (1000 lines), tick ‘Silence bell’
    • In ‘Session’: After a session ends: select ‘Close’
      • tick ‘Status Bar enabled’, configure it with the following components: job name (width: 100), clock (width: 150), current directory, git state (polling interval: 5), CPU utilization, empty space, fixed-sized spacer.
    • In ‘Keys’
      • Load Preset ‘Terminal.app Compatibility’
      • delete the key combinations “CTRL {left,right} arrow” and “CMD+arrow keys” that conflict with the global settings for tab navigation (see above System Preferences settings)
  • Under Keys: Set a couple of useful key combinations listed in the below table
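
| iTerm Key binding   | Action               | Esc+ | Command Description |
|---------------------|----------------------|------|---------------------|
| SHIFT + left arrow  | Send Escape Sequence | b    | bash: backward-word |
| SHIFT + right arrow | Send Escape Sequence | f    | bash: forward-word  |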

Once you are really satisfied with the Default profile, you might wish to Duplicate it (through the ‘Other Actions’ menu) to create a special hotkey profile invoked upon using (as in my case) the hotkey CTRL+CTRL set as Alfred4 workflow.

SSH Keys

You should generate new SSH key pairs for your laptop (use a strong passphrase):

$> ssh-keygen -t ed25519 -o -a 100     # Generate ~/.ssh/id_ed25519[.pub]
$> ssh-keygen -t rsa -b 4096 -o -a 100 # Generate classical RSA keys (4096 bits)

See also my tutorial on SSH

Transferring Files - Migrate from your old Macbook

Turn off (after a last backup!) your old Macbook and connect it with a USB-C cable (if possible, avoid using the one from your charger: for some reason, it might not allow data transfer). Reboot it in target mode: start it up while pressing and holding the T key. You will be asked to unlock the disk (using your FileVault key/password), which will then be mounted under /Volumes/MacbookPro. You can start transferring files using rsync from your old laptop to the new one as follows (see useful rsync options); however, this requires a recent version 3.X of rsync, to be installed via Homebrew:

# Default version: 2.X
$> /usr/bin/rsync --version
rsync  version 2.6.9  protocol version 29

# Install rsync 3.X with homebrew:
$> brew install rsync
# Now you should have the version 3.X
$> rsync --version
rsync  version 3.2.3  protocol version 31

Now you can transfer your data from your old Mac to the new one using the rsync command while preserving Mac OS attributes as follows:

rsync -avzu -NHAX --protect-args --fileflags --force-change [...]

OR (later, in delete mode; use it only if you know exactly what you’re doing)

rsync -avz --delete -NHAX --protect-args --fileflags --force-change [...]

These options preserve extended attributes on folders etc. proper to Mac.

In practice, I personally prefer to first sync my home directory into a special folder ~/__IMPORT__ and then manually move the folders back. For the first (big) sync, you probably want to use the caffeinate command, which prevents your Mac from going to sleep, with caffeinate -s rsync [...] as advised here.

caffeinate -s rsync […] caffeinate forks a process, execs “rsync […]” in it, and holds an assertion that prevents the system from sleeping. This assertion is valid only when system is running on AC power.

Thus your first sync process once your OLD laptop is in target mode and connected to your new laptop is operated as follows:

# On your NEW laptop
mkdir ~/__IMPORT__
cd ~/__IMPORT__
# /!\ ADAPT user name accordingly - sync homedir
caffeinate -s rsync -avzu -NHAX --protect-args --fileflags --force-change /Volumes/MacbookPro/Users/$(whoami)/./  ~/__IMPORT__
# Sync Shared directory 
caffeinate -s rsync -avzu -NHAX --protect-args --fileflags --force-change /Volumes/MacbookPro/Users/Shared/./  /Users/Shared/

Restoration of Applications configs

Alfred4

rsync -avzu -NHAX --protect-args --fileflags --force-change /Volumes/MacbookPro/Users/$(whoami)/Library/Application\ Support/Alfred/./ ~/Library/Application\ Support/Alfred
# configs
rsync -avzu -NHAX --protect-args --fileflags --force-change /Volumes/MacbookPro/Users/$(whoami)/Library/Preferences/com.runningwithcrayons.Alfred*.plist ~/Library/Preferences/

MailMate

# installation 
$> brew install mailmate

### restore past config BEFORE opening MailMate
# mailboxes
rsync -avzu -NHAX --protect-args --fileflags --force-change /Volumes/MacbookPro/Users/$(whoami)/Library/Application\ Support/MailMate/./ ~/Library/Application\ Support/MailMate
# configs
rsync -avzu -NHAX --protect-args --fileflags --force-change /Volumes/MacbookPro/Users/$(whoami)/Library/Preferences/com.freron.MailMate.plist ~/Library/Preferences/

### Repeat with SpamSieve 
rsync -avzu -NHAX --protect-args --fileflags --force-change /Volumes/MacbookPro/Users/$(whoami)/Library/Application\ Support/SpamSieve/./ ~/Library/Application\ Support/SpamSieve
cp /Volumes/MacbookPro/Users/$(whoami)/Library/Preferences/com.c-command.SpamSieve.plist ~/Library/Preferences/com.c-command.SpamSieve.plist

SublimeText

See recommended plugins

Nextcloud

You just need to copy ~/Library/Application Support/Nextcloud/nextcloud.cfg

Google Chrome Tabs

You probably want to restore your previously opened tabs. Quit Google chrome then:

cd ~/Library/Application\ Support/Google/Chrome/Default/Sessions/
# get rid of current session and tabs
mv * /tmp/
# Restore previous tabs / sessions from backup (into the current Sessions directory)
cp ~/__IMPORT__/Library/Application\ Support/Google/Chrome/Default/Sessions/* .

Reopen Google Chrome.

Shell integration

See Falkor/dotfiles on Github, which has been changed to follow XDG guidelines.

$> mkdir -p ~/git/github.com/Falkor/
$> cd ~/git/github.com/Falkor/
$> git clone https://github.com/Falkor/dotfiles.git
$> cd dotfiles
$> ./install.sh --recommended     # OR ./install.sh --all

Editors

You need a good editor ;) Here are a few suggestions:

Installation:

$> brew tap railwaycat/emacsmacport
$> brew install emacs-mac atom vim

Configuration:

I like to always see in the menu bar:

  • The current network activity – I personally rely on the one provided by Little Snitch.
  • the load on my CPU cores. For that I use MenuMeters for OS X El Capitan 10.11 (and later) that you can simply install with brew install menumeters
    • enable only CPU Menu meter, Vertical bar, Show CPU temperature, interval: 2s, Show physical cores only, Colors: white, gray, nickel

Finder

In Finder Menu, select Preferences.

  • In General, select all checkboxes for the items to be shown on the Desktop.
  • In Sidebar,
    • under Favorites, uncheck AirDrop (enable it only on demand) and check your homedir
    • under “Devices”, check “your MacBook Pro” and uncheck “iDisk”;
    • under “Shared”, uncheck “Back to My Mac” and “Bonjour Computers”
  • In Advanced,
    • tick ‘Show all filename extensions’
    • check “Empty Trash Securely” (no longer available under Sierra it seems)

Make the Library folder visible from the finder:

$> chflags nohidden ~/Library

RVM

RVM (Ruby Version Manager) can be installed using my Falkor/dotfiles (https://github.com/Falkor/dotfiles) install script:

$> cd ~/git/github.com/Falkor/dotfiles
$> ./install.sh --rvm

Otherwise, follow the official instructions.

Migrating to a New GPG Key

See my tutorial on GPG.

Specific Application configuration

Below are some configuration notes for the [paid] applications I use.

1Password

A must-have for password management and integration in different browsers. You can enable TouchID in the Preferences General menu to unlock your 1Password vault.

Alfred App

Just don’t hesitate to pay for the Powerpack – the workflow capabilities it brings (through the repo) are just amazing. Here are the workflows (https://www.alfredapp.com/workflows/) I use:

  • One for opening iTerm2 with CTRL + CTRL (as previously in Vizor). This means that you have to configure the Default profile of iTerm to fullscreen from top

Marked 2 (markdown viewer)

Open the Preferences pane, Under Processor, select ‘Discount (GFM)’

Omnigraffle

If you need to import the stencils from Omnigraffle 6, they are located in ~/Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application\ Support/The\ Omni\ Group/OmniGraffle

VirtualBox / vagrant

Change the default folder for VMs:

$> mkdir -p /Users/Shared/VMs/virtualbox

Run virtualbox, in Preferences, change the “Default Machine Folder” accordingly.

Music management with beets

$> pip install beets
# Those are required for some plugins
$> pip install pyacoustid requests pylast
$> brew install chromaprint
$> mkdir ~/.local/beets      # Create data dir for beets to store music DB
$> beet config -e         # Edit YAML configuration (`~/.config/beets/`)
[...]
$> beet config    # Typical configuration
directory: /Users/Shared/Music
asciify_paths: yes
library: ~/.local/beets/musiclibrary.db
plugins: chroma fromfilename fetchart lyrics

Bootcamp

Bootcamp assistant (at least 128GB if possible), Select Windows 10 Enterprise

Installation:

  • french keyboard
  • Set up a PIN (beware of the wrong layout (french vs. french ))
  • Upon session opening, Boot camp with install

Upon reboot, you can select the target disk (Mac OS or Windows) by pressing the Option key. You will need to enter the Firmware password (beware that the default keyboard layout is en.US whatever settings you chose).

  • Run Windows Update
  • Configure the Mac [french] keyboard:
    • Select Language
    • In Preferred languages: select “Francais (France)”, “Options / Keyboards” add “French (Apple)” and delete all other keyboards. Repeat for all other languages