Because of ultra-low power consumption, easy to use interface, nearly silent working, Mac Mini M4 has become a good candidate for lots of more interesting usage, like NAS, home media server, soft router.

Prerequisite

If you buy the cheapest version with the default disk capacity 256 GB which is low, you have different options to expand the storage. You can buy an external SSD that support Thunderbolt 4. Buying an Thunderbolt 4 enclosure plus branded NVMe SSD is usually cheaper than the standalone branded portal SSD. You can also manually replace the internal SSD and upgrade to 2TB.
Buy a HDMI virtual display emulator to allow working headless while allow remote VNC connect.
Assign a static IP address to the Mac.
- This can be configured in the main router. With main router option, if using Wi-Fi remember to turn off private Wi-Fi address in the Wi-Fi configuration to allow assignment by fixed MAC address.
- This can be also be configured in the network/Wi-Fi setting.
Install Homebrew for easy software package management.

Mac Mini is a SSH Server

To enable SSH access, we can go to Settings -> General -> Sharing and enable Remote Login and check allow full disk access for remote users. Limit the access to the users you have created. For easy access, we can edit the local hostname to something simple e.g. mac-mini.local.

To secure your SSH server, you can change default SSH port to something else. It is recommended to use private ports between 49152 to 65535. You can edit with

sudo nano /etc/services

find the line with CTRL+W and search for SSH

ssh  22/udp    #SSH Remote Login Protocol
ssh  22/tcp    #SSH Remote Login Protocol

uncomment it and change it to your desired port

ssh  <your desired new port>/udp    #SSH Remote Login Protocol
ssh  <your desired new port>/tcp    #SSH Remote Login Protocol

Restart the SSH service

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load   /System/Library/LaunchDaemons/ssh.plist

Now you can access your Mac Mini with

ssh -p <your new ssh port> <your user name>@<your mac mini host name>

Using certificate login instead password is much more recommended, following these steps to switch to SSH login with certificate:

First generate an SSH key pair on your SSH client machine by using following command. You’ll be prompted to choose a path to save the key. The default path is ~/.ssh/id_ed25519. It’s recommended to name the key after the server, e.g., ~/.ssh/mac-mini.

ssh-keygen -t ed25519 -C "your_email@example.com"

Upload the public key to your Mac Mini host

ssh-copy-id -i ~/.ssh/<ssh key pair name>.pub <your username>@<your mac mini hostname>

Now you should be able to login without password

ssh -i ~/.ssh/<ssh key pair name> -p <your new ssh port> <your user name>@<your mac mini host name>

After confirming we can login with certificate we can now disable the password login

sudo nano /etc/ssh/sshd_config

and modify following lines as

PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password

Restart the SSH service again

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load   /System/Library/LaunchDaemons/ssh.plist

Mac Mini is a Remote Desktop

To enable remote desktop access, we can go to Settings -> General -> Sharing and enable Screen Sharing. Limit the access to the users you have created. Now you are ready to connect to Mac Mini using any VNC client.

To connect securely to the VNC endpoint, use Apple Remote Desktop if have Mac or use SSH tunnel ssh -i ~/.ssh/<ssh key pair name> -p <your new ssh port> -N -L 5901:localhost:5900 <your username>@<your mac mini hostname> and VNC client connect to local proxy port. To only allow the traffic from ssh tunnel, you can edit firewall setting and block any incoming connection to screensharingd.bundle.

Following settings can reduce additional bandwidth required to transfer the background information:

Go to Settings -> Wallpaper and select rotate color
Go to Settings -> Screen Saver and choose one of the color based screen saver

Mac Mini is a Scheduled Task Executor

You can use Mac Mini to execute periodic scheduled task like for example keep Duck DNS IP Address Up-to-Date:

First create a duck.sh script to update the IP

mkdir ~/duckdns
cd ~/duckdns
nano duck.sh

add following content

echo url="https://www.duckdns.org/update?domains=<your DNS domain>&token=<your duckdns token>&ip=" | curl -k -i -o ~/duckdns/duck.log -K -

add executable permission

chmod 700 duck.sh

add the periodic job

cron -e

and paste following configuration

*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1

Mac Mini is a NAS

Go to Settings -> Users & Groups and create a standard account with password
Go to Settings -> General -> Sharing and enable File Sharing.
Disable allow full disk access for all users
Click on ! icon on the right
1. If we want to share external disk space, we need to explicitly add the shared folder, for example one that reside in external disk because symlink from user folder (which is default sharing location) to external drive doesn't work.
2. Add access for the new standard account
Click Options and enable account for sharing to Windows if needed.

Now you can mount the shared folder as a disk volume in for example Windows machine

net use Z: \\<your Mac Mini IP>\<your shared folder name> /SAVECRED /PERSISTENT:YES

It will ask for username and password. To remove the volume you can execute

net use Z: /delete

Mac Mini can be a 24H/7D Silent Downloader

You can run any download job on the Mac Mini and leave it on forever.

For torrent file we can download qBittorrent Enhanced Edition and install, then

Settings
- Downloads
  - check do not start the downloads automatically
  - check pre-allocate disk space for all files
- Connections
  - add a global upload limit
- Advance
  - check auto ban unknown peer from China.
  - check auto ban bittorrent media player
Go to MacOS System Settings -> General -> Login Items & Extensions and add qTorrent to the Open at Login

Mac Mini can be a Backup Server

You can download official client of Dropbox, Google Drive, OneDrive, etc. and start synchronizing file to your local drive.

brew install --cask google-drive
brew install --cask dropbox
brew install --cask onedrive

You can also use rclone for creating backup of your cloud data. This is for example convenient for Dropbox because it has limitation of maximum 3 devices but using rclone you can get rid of this limitation. We show an example for creating backup for Dropbox.

First install rclone using Homebrew

brew install rclone

Before the configuration, we need to get a Dropbox App ID following the instructions from https://rclone.org/dropbox/#get-your-own-dropbox-app-id. After we have obtained the app id, now we configure rclone with

rclone config

We can verify that refresh token is present

cat ~/.config/rclone/rclone.conf

We can then verify the setup is correct with

rclone lsd dropbox:

To keep the local copy synchronized with dropbox we can can manually invoke this command

rclone sync --exclude ".DS_Store" dropbox: <path where you want to store your local copy of Dropbox> --backup-dir <path where you want to store your backup of local copy> --suffix .$(date +"%Y-%m-%d-%H-%M-%S")

We can save this command to a script for example ~/dropbox-sync-from-remote-to-local.sh and add execution permission chmod +x ~/dropbox-sync-from-remote-to-local.sh and create a cron job by executing crontab -e and then add following line to the task list

*/5 * * * * ~/dropbox-sync-from-remote-to-local.sh >> ~/dropbox-sync-from-remote-to-local.log 2>&1

Although I don't recommend, we can also sync back to Dropbox using inotify-tools. Save following commands to ~/dropbox-sync-from-local-to-remote.sh

#!/bin/bash
# Execute first time after the machine is boot
rclone sync /mnt/shared/Dropbox dropbox:
inotifywait -m -q -r -e create -e modify -e move -e delete --format '%w%f:%e' /mnt/shared/Dropbox | \
while read; do \
    path=$(echo $REPLY | cut -d ":" -f 1); \
    event=$(echo $REPLY | cut -d ":" -f 2); \
    echo "$path was changed because of event $event"; \
    echo "Skipping $(timeout 3 cat | wc -l) further changes"; \
    rclone sync --delete-during /mnt/shared/Dropbox dropbox:; \
done

We need to add execute permission to the script file

chmod +x ~/dropbox-sync-from-local-to-remote.sh

Create a cron job at boot time by executing crontab -e and then add following line to the task list

@reboot sleep 10 && ~/dropbox-sync-from-local-to-remote.sh >> ~/dropbox-sync-from-local-to-remote.log 2>&1

Mac Mini can be a HTPC

Install Jellyfin (one thing to note is that Jellyfin cannot be installed in external disk due to the code restriction) and then add it to the login item.

brew install --cask jellyfin

Open the server at http://localhost:8096/ and setup a admin account with a password. After that

Go to Dashboard -> Libraries -> Add Media Library
- disable real time monitoring
- check nfo metadata savers
- check save artwork into media folders
Go to Dashboard -> Users -> Add new user with empty password
- Go to Profile
  - disallow user to manage the server
  - disallow user to manage collections
  - disallow user to edit subtitles
  - disable live tv access
  - disable live tv recording
  - disable SynPlay access if you want to share Jellyfin to more people
  - disallow remote control
  - disallow media downloads
  - uncheck hide this user from login screens
- Go to Access
  - limit access to only subset libraries that are required
  - disable access from all devices and limit to device that are needed

By default Jellyfin doesn't support custom fonts, to enable rendering of subtitles with custom fonts:

Go to Dashboard -> Playback -> Transcoding
- choose fallback font folder path
- enable fallback fonts

You can also enable the hardware acceleration

Go to Dashboard -> Playback -> Transcoding
- choose Apple VideoToolBox as hardware acceleration
- enable hardware decoding for all options
- enable hardware encoding for all options

We can move default transcoding path to external disk for saving the disk usage:

Go to Dashboard -> Playback -> Transcoding
- change path for transcode path

Mac Mini is a Remote VSCode Server

To facilitate the SSH login you can add following configuration to the ~/.ssh/config in your VSCode client machine

Host mac-mini
    HostName <your Mac Mini hostname>
    User <your username>
    Port <your custom SSH port number>
    IdentityFile ~/.ssh/<your SSH identity file>

You can verify the connection with ssh mac-mini. Now click connect from the VSCode of client machine using Remote - SSH extension and everything else will be automatically configured, so from now you can connect from anywhere to continue your work.

The settings between VSCode server and the instance of VSCode installed in your remote Mac Mini cannot be shared, to enable consistent configuration use Settings Sync.

Mac Mini is a Jupyter Notebook Server

brew install --cask miniconda
conda init zsh

Now you can configure your conda ennvironment and then

conda activate <your environment>
jupyter notebook

Mac Mini is a LanguageTool Server

brew install languagetool

modify the language server settings

nano /opt/homebrew/etc/languagetool/server.properties

and then run

brew services start languagetool

Mac Mini is a Latex Server

brew install --cask mactex

We can now use VSCode either local or remote for editing and compiling the Latex file. For grammar checking we can use ltex-ls-plus with its VSCode extension vscode-ltex-plus.

brew install ltex-ls-plus

Mac Mini can be a Virtualized Windows Machine

Install UTM and download Windows 11 ARM 64 version and then install the Windows Guest tools for running application that is Windows specific. After initial configuration, we can optionally move the image to the external disk.

To allow us to suspend the machine we need to:

Change Display -> Emulated Display Card from option with GPU acceleration to other one
Change disk protocol from NVMe to VirtIO

Useful Configuration

Prevent Service Interruption

Go to Settings -> Energy
- enable prevent automatic sleeping when display is off
Go to Settings -> General -> Software Update
- disable beta update
- disable automatically download new updates when available.
- disable automatically install macOS updates
- disable automatically install application updates from the App Store
Go to Settings -> Privacy & Security -> Advanced
- disable log out automatically after inactivity

Improve Fault Tolerance

Go to Settings -> Energy
- enable start up automatically after power failure.
Go to Settings -> General -> Time Machine
- click on add backup disk... and select an external disk. You can perform partition on your external disk to have a volume dedicated for backup while other space for storing other files.

Improve Security

Go to Network -> Firewall
- enable firewall
- remove all unknown applications
- enable stealth mode
- disable automatically allow built-in software to receive incoming connections
- disable automatically allow downloaded signed software to receive incoming connections
Go to Settings -> Lock Screen
- set screen saver to 3 min
- set require password after lock to immediately.
- disable show user name and photo
- disable password hints
- disable show message when locked
- set login window shows to name and password
Go to Settings -> Users & Groups
- turn off automatic log in
Go to Settings -> General -> AutoFill & Passwords
- disable autofill passwords and passkeys
Go to Settings -> Privacy & Security -> Advanced
- enable require an administrator password to access system-wide settings

Improve Privacy Protection

Go to Settings -> Wi-Fi -> Details
- change private Wi-Fi address to Rotating.
- enable limit IP address tracking
Go to App Store -> Settings
- disable in-app ratings & reviews

Reduce Energy Consumption

Go to Settings -> Lock Screen
- set turn display off when inactive to 5 min
Bluetooth and Location can be turned off to reduce energy consumption
Go System Settings -> Displays -> Advance...
- disable push through the edge of a display to connect a nearby Mac or iPads
- disable allow your pointer and keyboard to move between nearby Macs or iPads
If you have macOS 26, downgrading system version to macOS Sequoia (version 15) would have lower energy consumption and more stable environment
1. Download macOS Sequoia from AppStore
2. Go to Application and right click on the Install macOS Sequoia and show package content
3. run following command sudo <drag and drop the createinstallmedia from package content> --volume <drag and drop the USB or SD volume>
4. long press the power button and boot into recovery mode
5. erase erase macintosh disk
6. back to recovery mode and select install macOS Sequoia
Go to Settings -> Privacy & Security
- turn off FileVault
Go to Settings -> Energy
- disable wake for network access
- check put hard disk to sleep when possible, by default is after 10 minutes, but we can change this configuration with sudo pmset -a disksleep 5.
Go to App Store -> Settings
- disable automatic updates
- disable automatically download apps purchased on other devices
- disable automatically download in-app content
- disable video autoplay

Optimize Storage Usage

Go to App Store -> Settings
- enable download and install large apps to a separate disk
We can also move Xcode Simulator to external disk (only user one, moving the system one /Library/Developer/CoreSimulator would cause issue)
1. check simulator's disks are unmounted using Disk Utility
2. mv ~/Library/Developer/CoreSimulator /Volumes/<your external disk>/Home/Library/Developer/CoreSimulator
3. ln -s /Volumes/<your external disk>/Home/Library/Developer/CoreSimulator ~/Library/Developer/CoreSimulator
Go to finder -> Go -> Computer and then choose View -> Show View Options and enable calculate all sizes so you can manually explore the disk and perform clean up
We can change default app installation directory and cache directory of Homebrew by adding following line to ~/.zshenv

export HOMEBREW_CASK_OPTS="--appdir=/<path to your external disk>/Applications"
export HOMEBREW_CACHE="/<path to your external disk>/<cache folder>"