All Things macOS

IMPORTANT: Fermilab will stop supporting macOS 10.13 (High Sierra) on 31 OCTOBER 2020.
After this date, you might not be able to SSH into Fermilab machines with this OS. Be sure to upgrade to a supported version before that date to avoid disruptions.

Fermilab macOS support

For more details about FNAL macOS support, see this KB article:

Version Supported? End-of-life
10.14 Mojave YES --
10.13 High Sierra YES 31 Oct. 2020 (COMING SOON)
10.12 Sierra NO 31 Oct. 2019
10.11 El Capitan NO 01 Nov. 2018
10.10 Yosemite NO 10 Nov. 2017
10.09 Mavericks NO 01 Dec. 2016
10.08 Mountain Lion NO 14 Dec. 2015
10.07 Lion NO 12 Jan. 2015
<10.6 Snow Leopard NO

SSH configurations

Here are some known working SSH configurations for various versions of macOS. These configurations should go into the file located at ~/.ssh/config. If the file doesn't exist, create it.

macOS 10.13 (High Sierra)

Host *
ForwardX11 yes
ForwardX11Trusted yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
StrictHostKeyChecking no
PasswordAuthentication no

macOS 10.12 (Sierra)

Host *
ForwardX11 yes
ForwardX11Trusted yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
StrictHostKeyChecking no
PasswordAuthentication no

macOS 10.11 (El Capitan)

Host *
ForwardX11 yes
ForwardX11Trusted yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDns yes
StrictHostKeyChecking no
PasswordAuthentication no


Full instructions can be found here:

On a fresh installation of macOS, you will need to configure Kerberos to connect to FNAL. The process is easy:

1. Download the krb5 configuration file here (you must be on the FNAL network or connected by VPN):
2. Copy that file to the following location on your mac (you will need sudo privileges): /etc/krb5.conf
3. Confirm that the following file does not exist (if it does, delete it): /Library/Preferences/
4. Test that it works by attempting to Kerberize yourself: kinit -f <PRINCIPAL>

Setting Up A Development Environment

As of October 2019, the CET group will no longer be providing ups builds for OS X. The reason is that OS X is changing to make it increasingly difficult to set up a ups environment. The good news is that there is a solution which involves installing a Docker image of SLF. The image takes up about 2 GB of disk space and also requires the installation of FUSE to mount the cvmfs areas for the SLF ups builds relevant for NOvA.

Once you have Docker installed, you then need to follow the instructions for setting up a CMake build, Editing Code with CMake and buildtool

Adam Lyon of Fermilab has provided instructions for installing Docker. He has also provided instructions for setting up VSCode to run with the Docker image. VSCode is an integrated development environment (IDE) which has useful features like global code search, function and variable name tab-completion, refactoring, and GUI debugging. It really improves work efficiency. It is free software.

Package Management

macOS does not have a built-in command line package manager, but there is a widely-used third-party package manager called Homebrew. Note: You must have Xcode and the Developer Command Line Tools installed for Homebrew to work (see the section above)

To install Homebrew, follow the instructions here: It's pretty easy, just do this at a terminal prompt:

/usr/bin/ruby -e "$(curl -fsSL" 

Homebrew packages are called "formulas", and the build process it invokes is called "brewing". Homebrew is accessed through the `brew` command. Some common incantations from the command line include:

brew list                   # show all currently-installed formulae
brew search                 # search for a formula
brew info                   # get detailed info, including dependencies and special usage notes.
brew install <formula>      # install a formula
brew reinstall <forumula>   # self-explanator, I think.
brew update                 # update the list of formula (this does not upgrade any software, just checks for available upgrades)
brew outdated               # returns a list of installed formulae for which there exists a newer version
brew upgrade                # upgrade all formulae for which a newer version exists
brew upgrade <formula>      # upgrade a specific formula
brew tap <keg>              # tap a particular keg

Some formulae that you find via brew search will not be in the "core" repository. The Homebrew nomenclature for a repository is "keg". So the trick to get at formulae from other kegs is to "tap" that particular keg. Here's an example of how you would tap the brewsci/bio keg (which contains matplotlib):

brew tap brewsci/bio

Now you will be able to brew install any formulae available from that keg.

More details are available here at Homebrew's FAQ page:

Potentially useful formulae (packages)

install with brew install <name>

formula name description
ack Search tool like grep, but optimized for programmers
boost Collection of portable C++ source libraries
boost-python C++ library for C++/Python2 interoperability
cmake Cross-platform make
colordiff Color-highlighted diff(1) output
cvs Version control system
emacs GNU Emacs text editor
fzf Command-line fuzzy finder written in Go
gcc GNU compiler collection
gdb GNU debugger
geant4 Simulation toolkit for particle transport through matter
git Distributed revision control system
gnuplot Command-driven, interactive function plotting
hdf5 File format designed to store large amounts of data
htop Improved top (interactive process viewer)
imagemagick Tools and libraries to manipulate images in many formats
jupyter Interactive environments for writing and running code
matplotlib Python 2D plotting library
numpy Package for scientific computing with Python
pandoc Swiss-army knife of markup format conversion
python3 Interpreted, interactive, object-oriented programming language
r Software environment for statistical computing
root6 Object oriented framework for large scale data analysis
scipy Software for mathematics, science, and engineering
tldr Simplified and community-driven man pages
tmux Terminal multiplexer
tree Display directories as trees (with optional color/HTML output)
valgrind Dynamic analysis tools (memory, debug, profiling)
vim Vi 'workalike' with many additional features
wget Internet file retriever
xrootd High performance, scalable, fault-tolerant access to data
zsh UNIX shell (command interpreter)


There are two main distributions of TeX for mac: MacTeX and BasicTeX. This page gives a wonderful explanation of them with instructions on how to install:

Setting up VOMS to use SAM with xrootd

Here are step by step instructions for setting VOMS up on OS X. These instructions work for High Sierra, and may work for other versions of OS X.

  1. Download the bundle of certificates from CILogin:
  2. Un-tar the file and double click on all the *.pem files
  3. Open the Keychain Access app and find the certificate files you just clicked on. Right click on each of the certificates from within Keychain Access and select "Get Info" from the resulting menu. Expand the "Trust" menu and select the "Always Trust" option under "When using this certificate:".
  4. Get the voms package using Homebrew.
     brew install voms 
  5. Download the latest stable version of the Globus Toolkit and use the package installer to install it.
  6. Download the necessary vomses and grid-security files, voms.tar Copy the vomses file into /etc and the grid-security directory into /etc/ and /usr/local/etc
  7. Download and un-tar the pki.tgz Move the resulting directory to /etc. You will need to do this using su, ie
     sudo -s mv pki /etc 
  8. Download and un-tar the cigetcertlibs.tar.bz2 in a directory that is in your path eg /usr/local
  9. Run
     /path/to/cigetcertlibs/python/ -i "Fermi National Accelerator Laboratory" 
    NB change "/path/to" to the location where you installed the cigetcertlibs
  10. Run
     voms-proxy-init -hours 24 --rfc --voms=fermilab:/fermilab/nova/Role=Analysis --noregen 
    voms-proxy-init which should be in your path at this point.
  11. Make a function in your .bash_profile to set up the voms for you, ie
     /usr/local/cigetcertlibs/python/ -i "Fermi National Accelerator Laboratory"   
     voms-proxy-init -hours 24 --rfc --voms=fermilab:/fermilab/nova/Role=Analysis --noregen #--cert /tmp/x509up_u502 --key /tmp/x509up_u502
     export X509_USER_PROXY=/tmp/x509up_u`id -u`
  12. Download and un-tar the sam_web_client.tar.bz2 in your products area (not localProducts)
     bunzip2 sam_web_client.tar.bz2 
  13. setup samweb by doing
     setup sam_web_client v3_0 

NB ignore these warnings, they appear to be unimportant

WARNING: VOMS AC validation for VO fermilab failed for the following reasons:
         LSC validation failed: LSC chain description does not match AA certificate chain embedded in the VOMS AC!
         AC signature verification failure: no valid VOMS server credential found.
WARNING: proxy lifetime limited to issuing credential lifetime.

Helpful Tips & Tricks

Terminal emulation

macOS has a built-in terminal emulator called "Terminal." Some people like this application, but there is a more popular alternative out there with a lot more bells and whistles called "iTerm2". You can download it here:

Useful Links

  • macOS Setup Guide - This is an excellent guide to setting up a mac for development (geared towards web development, but overlaps a lot with us). Many of the things covered in this Wiki are also covered there.
  • Homebrew package manager - Official Homebrew site
  • Mac at Fermilab Fermilab ServiceNow page for mac-related information