If an application has registered Login Items that are running, what happens if the application bundle is replaced with a new version? Does any currently running processes of the login items get relaunched to use the new version? Are there any specific steps required to ensure the new version is used immediately?

Hi there :) I try to put an Xcode project in place within a LaunchAgent. The ultimate goal is to have an "application" with two component: macOS application with just an basic UI all the logic happens in a LaunchAgent that runs on background and is launch at startup. The macOS app uses XPC to send messages to the agent that will run either the app is opened or not. I struggled at first having this error (for the agent): An XPC Service cannot be run directly. Then I found using MachServices key in the .plist of the agent fixes the issue, plus: let listener = NSXPCListener.init(machServiceName: "com.tonygo.NetworkMonitorAgent") Then I wonder: Do we have somewhere a documentation about how to setup a LaunchAgent in Xcode I create the plist of the agent on side and run it manually, I could do this in a more automatic way How could I package a macOS applciation that will contains the agent, install it and load the agent? Note: This is mainly for learning and understanding what we could do at each level (XPCService, LaunchAgents, LaunchDaemon, etc.).

Platform: MacOS 12.0 I have an app bundle which contains an packet tunnel extension. I am not running my packettunnel extension in a Sandbox as I dont plan to post my app in Apple's App Store. I have an requirement to run privilege operations which I have run any place from the app. As we know the user app cannot run these privilege operations we can use the 'Service Management' api: SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier I can run these privileged tasks from any place in the bundle, we have packettunnel extension which is running with root privileges. So looking at my above environment what would be recommended? do I really need to start a privileged helper tool or I can directly run these privileged operations from packettunnel extension? One advantage of running these privilege tasks in packettunnel extension I see is that it will not require additional an user authentication which is needed in case of using SMJobBless(), this will also avoid upgrade management of the helper tool.

Greetings all, I have installed 2 similar function apps (which are safe/signed e.t.c.) I run at different times, and both add items to the Login Items background section, the one is adding a background daemon and is only functioning when the switch is turned to on, while the other adds a PriviledgedHelperTool and can function even if the switch is turned to off, but if it is turned to on, but if I run this app then somehow the other breaks and can not function properly. So as a workaround I keep the PriviledgedHelperTool switch to off and only the other app's daemon switch to on so they can both operate whenever I want. My question has to do with the one that adds the PriviledgeHelperTool, and I wonder if this script contains any crucial information for the functioning of the according application. Though even if I deleted the PriviledgedHelperTool of it from the according folder, and launched the app, it seems it was not regenerated neither any notification shown up or so. Furthermore even if I removed the PriviledgedHelperTool the app seems to function properly, but I would like that thought to be confirmed by some community experts / developers here. I am on MacBook Air M1, macOS Sonoma 14.3 Developer Beta Thank you all in advance for your time. Best regards.

Hello I have an App in macOS that is based on two services The first is running as a Daemon The second running as Agent(GUI) I use a script in my app installer (postinstall) that copies the plist files into the folders /Library/LaunchDaemons /Library/LaunchAgents/ And then run for the Daemons: launchctl load And for each user who is currently connected su -c "launchctl load That is working. But when I reboot my machine only the Daemons is running The Agent is not running and in the log "launchctl" There are errors that i can not find any documentation or explanation 2024-01-04 08:01:11.047284 (gui/503 [100004]) <Notice>: Bootstrap by launchctl[1769] for /Library/LaunchAgents/com.sysaid.SessionUtilities.plist succeeded (0: ) 2024-01-04 08:01:11.047289 (gui/503 [100004]) <Notice>: exiting bootstrap mode 2024-01-04 08:01:11.047299 (gui/503/SysAid.Agent [1771]) <Notice>: internal event: SOURCE_ATTACH, code = 0 2024-01-04 08:01:11.048031 (user/503) <Notice>: service inactive: com.apple.xpc.launchd.unmanaged.su.1768 2024-01-04 08:01:11.048039 (user/503) <Notice>: removing inactive unmanaged service: com.apple.xpc.launchd.unmanaged.su.1768 2024-01-04 08:01:11.050192 (gui/503/SysAid.Agent [1771]) <Notice>: Requesting first run LWCR update 2024-01-04 08:01:11.064345 (pid/1759 [AgentCPP]) <Notice>: uncorking exec source upfront 2024-01-04 08:01:11.064352 (pid/1759 [AgentCPP]) <Notice>: created 2024-01-04 08:01:11.085689 (gui/503/SysAid.Agent [1771]) <Error>: Service could not initialize: Unable to verify trusted spawn(/Applications/SysAid Helpdesk.app/Contents/MacOS/AgentSessionUtilities, /Library/LaunchAgents/com.sysaid.SessionUtilities.plist, SysAid.Agent, 3, 503), error 0xa1 - Service cannot be launched because of BTM policy 2024-01-04 08:01:11.085697 (gui/503/SysAid.Agent [1771]) <Error>: initialization failure: 23C71: xpcproxy + 31472 [460][6960F486-3261-3A05-9150-1B1F72E3ADB0]: 0xa1 2024-01-04 08:01:11.085698 (gui/503/SysAid.Agent [1771]) <Error>: Untrusted service was denied launch by BTM. Removing. 2024-01-04 08:01:11.085699 (gui/503/SysAid.Agent [1771]) <Notice>: internal event: INIT, code = 161 2024-01-04 08:01:11.086095 (gui/503/SysAid.Agent [1771]) <Notice>: xpcproxy exited due to exit(78) 2024-01-04 08:01:11.086101 (gui/503/SysAid.Agent [1771]) <Notice>: exited due to exit(78) 2024-01-04 08:01:11.086106 (gui/503/SysAid.Agent [1771]) <Notice>: already handled failed init, ignoring 2024-01-04 08:01:11.086115 (gui/503/SysAid.Agent [1771]) <Notice>: service state: exited 2024-01-04 08:01:11.086123 (gui/503/SysAid.Agent [1771]) <Notice>: internal event: EXITED, code = 0 2024-01-04 08:01:11.086127 (gui/503 [100004]) <Notice>: service inactive: SysAid.Agent 2024-01-04 08:01:11.086131 (gui/503 [100004]) <Notice>: removing service: SysAid.Agent 2024-01-04 08:01:11.086151 (gui/503/SysAid.Agent [1771]) <Notice>: internal event: PETRIFIED, code = 0 2024-01-04 08:01:11.086155 (gui/503/SysAid.Agent [1771]) <Notice>: service state: not running The app and the Installer signed and notarized Can you help me figure out what I'm missing

I'm building a Safari content blocker extension. The app is able to use SFContentBlockerManager.reloadContentBlocker to update the content blocker's JSON rules. However, I'm also trying to update the rules in the background through a daemon. The daemon app is embedded inside the main app, and is registered by the main app through SMAppService. The issue I'm running into is I can't get both the GUI app and the daemon to both update the content blocker: If I embed the Safari extension inside the main app and not the daemon, the main app is able to update the extension, but the daemon fails with an "operation couldn’t be completed" error (supposedly because it isn't the owner of the app) Alternatively, if I embed the extension inside the daemon, the main GUI app can no longer update the extension (also failing with "operation couldn't be completed" If I try to embed the extension inside both the main app and the daemon, it works fine when running from Xcode, but App Store Connect verification fails because it won't allow an bundle ID with two periods after the main app ID (e.g. the main app is com.example.App, the daemon is com.example.App.daemon, and the extension is com.example.App.daemon.extension) I'm wondering if I'm missing something here? Is there a way to get Safari to recognize both the main app and the daemon as "owners" of the extension? Thanks in advance!

I have a Python script that I've configured to run every 30 minutes. Since it has an associated property list, I've been trying to modify the name that appears in the 'Allow in the Background' section, but I couldn't find an effective way to display the desired name. I tried setting the CFBundleName and CFBundleDisplayName keys in the .plist, but I don't believe they have any impact as they don't seem to change anything. Any other suggested approaches would be greatly appreciated. This is the aforementioned property list: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.tom.python-cleanup</string> <key>CFBundleName</key> <string>Name that i want</string> <key>CFBundleDisplayName</key> <string>Name that i want</string> <key>ProgramArguments</key> <array> <string>python</string> <string>/usr/local/tom/cleanup.py</string> </array> <key>StandardOutPath</key> <string>/usr/local/tom/cleanup-service.log</string> <key>StandardErrorPath</key> <string>/usr/local/tom/cleanup-service.log</string> <key>RunAtLoad</key> <true/> <key>StartCalendarInterval</key> <dict> <key>Minute</key> <integer>30</integer> </dict> </dict> </plist>

I work on an app which adds a login item to the user's system. I recently got a report from a user that functionality of the app that talks to the login item wasn't working; upon further investigation, it became apparent that the item was in the requiresApproval state. I plan to update the app to handle this state better, but this situation left me wondering: under what conditions do login items get put into this state immediately upon registration? The documentation mentions "the user needs to take action in System Settings before the service is eligible to run", but doesn't specify when/why this would be the case - I could guess that it's related to macOS accounts with limited privileges or restrictive MDM profiles, but would love to know for certain. Thanks!

Everything is OK in previous macOS versions. But today when I call try agent.register(). I got an error: - Error Domain=SMAppServiceErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedFailureReason=Operation not permitted} #0 The agent is init with SMAppService.agent(plistName: ...) And I took a look for log: 2023-12-21 01:03:20.398350+0800 0x17e07 Error 0x72960 8028 0 smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] getEffectiveDisposition: error: Error Domain=BTMErrorDomain Code=-95 "record not found" UserInfo={NSLocalizedDescription=record not found} 2023-12-21 01:03:20.398386+0800 0x17e07 Error 0x0 8028 0 smd: [com.apple.xpc.smd:SMAppService] Unable to get disposition of item: <private> error: Error Domain=NSPOSIXErrorDomain Code=3 2023-12-21 01:03:20.398407+0800 0x17e07 Default 0x0 8028 0 smd: [com.apple.xpc.smd:all] Found status: 3 for <private> 2023-12-21 01:03:46.833936+0800 0x17bcc Default 0x72949 8028 0 smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private> 2023-12-21 01:03:46.833986+0800 0x17bcc Default 0x72949 8028 0 smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private> 2023-12-21 01:03:46.836622+0800 0x17e05 Default 0x72949 8029 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] registerLaunchItem: pid=8236, uid=501, type=agent, parentURL=<private>, url=<private>, config=<private> 2023-12-21 01:03:46.839123+0800 0x17e05 Debug 0x72949 8029 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] BTMStore: save scheduled. 2023-12-21 01:03:46.839164+0800 0x17e05 Debug 0x72949 8029 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] RecordSet notification scheduled for uid -2 2023-12-21 01:03:46.903417+0800 0x17bcc Error 0x72949 8028 0 smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] -[BTMManager registerLaunchItemWithAuditToken:type:relativeURL:configuration:uid:]_block_invoke: error: sandbox required 2023-12-21 01:03:46.903449+0800 0x17bcc Error 0x72949 8028 0 smd: [com.apple.xpc.smd:SMAppService] Register of <private> rejected by BTM. Btw, my app is a sandboxed App.

I'm working on a macOS application which deals with the system calls, I want one of the calls to be shutdown executable. On click of a button, which is available in the application, the system should get shutdown. I'm able to achieve this, but everytime it is invoked, user is prompted with the sudo permission, which I want to avoid. There should not be any user intervention and the system must be shutdown. No applescript please. The user should never be prompted with the sudo permission grant and the code can be objc or swift.

Hi, Is there a way to restrict calls to a launch daemon? Can I allow only my app to use my daemon? cheers, sivan

Recently, I encountered a weird bug that I could not have a clue about. I have an API to save the configuration settings to a plastic, which is located at "/Library/Preferencs/Bitglass". The writer is a daemon and the function looks as follows. The weird thing I found recently was that the function could not save the IPC server port value when the daemon was installed by another installer daemon. But it can save other plastic values without any problems. When the list was not saved to a file, there is not any error messages. The following function is called by two daemons to save different settings into a plastic file. Is there anyone who has any clue why it failed to save the plist to a file when the daemon is installed and launched by another daemon? (BOOL)setValue:(const char *)key value:(const char *)value { std::lock_guardstd::mutex lock(plist_mutex); NSString *nskey = [NSString stringWithUTF8String:key]; NSString *nsval = [NSString stringWithUTF8String:value]; @try { [data setObject:nsval forKey:nskey]; if (![data writeToFile:plistPath atomically:YES]) { BGLOG(LOG_ERROR, "Failed to write" &lt;&lt; key &lt;&lt; "=" &lt;&lt; value); return FALSE; } return TRUE; } @catch (NSException *e) { BGLOG(LOG_ERROR, "Caught exception:" &lt;&lt; [e.name UTF8String] &lt;&lt; " reason:" &lt;&lt; [e.reason UTF8String]); return FALSE; }

I'm getting this message in a launchd log. The service in question is a Focusrite thing. What does it mean? (system/com.focusrite.ControlServer) : cannot spawn: service is in penalty box The peripheral seems to be working fine.

Apple M2 Pro MacOs: 13.6 (22G120) In my system extension installer's postInstall script I have launch agent configured for the app as below: launchctl enable gui/$user_uid/com.mycompany.client.myproduct launchctl bootstrap gui/501 /Library/LaunchAgents/com.mycompany.myproduct.plist When I install the software using a local user, the service works fine without any issue and the service is shown listed in 'launchctl list' command: % launchctl list | grep -i mycompany 84714 0 com.mycompany.client.myproduct But when I login using on the same machine using a AD (Active Directory) user, the service/agent doesnt start and I don't see any entry service listed in 'launchctl list'. This is how my plist file looks like: % defaults read /Library/LaunchAgents/com.mycompany.myproduct.plist { CFBundleVersion = "200.200.200.200"; KeepAlive = 1; Label = "com.mycompany.client.myproduct"; LimitLoadToSessionType = ( Aqua ); ProgramArguments = ( "/Applications/mycompany.app/Contents/MacOS/Mycompany Module" ); RunAtLoad = 1; Version = "200.200.200.200"; } What am I missing here?

Hello, I currently am designing a data backup solution, and have an unsandboxed launch agent written in DotNet 6 that needs read access to files in order to back them up. It is configured together with its own App Group (with the sandboxed GUI). However, this Launch Agent cannot access files or enumerate directories in ~/Library/Group Containers/com.apple.notes whatsoever (even after enabling full disk access for the calling app, the files are not restricted either). I am trying to access the NoteStore.sqlite and similar files so that the Launch Agent can read the file and upload it to S3. Is there some entitlement I need to add, or access prompt? It seems like there is additional security layers for Sandboxed folders for apps that I'm trying to bypass. What is the recommended solution for my use case? (For Ventura and Sonoma users)

Hi all! So SMJobBless is deprecated, and I want to my app to do some privileged things, e.g. move file to root user folder with permission dialog. Simple, right? But how can I do that simple thing? Found example with agent, but it does not have root permission to write a file in root's folder. Any help?

Hi, We're trying to generate the key inside secure enclave from the deamon, but it fails with the below error. The operation couldn’t be completed. (OSStatus error -26276 - failed to generate asymmetric keypair) Could you please help me to resolve the issue?

If the user deletes the app, must something be done to ensure that the launchd agent is removed (or is that something that does not need to be worried about in general)? For more context, I am creating a launchd agent using the SMAppService. I am only an amateur so apologies if this is a bit of a stupid question.

I am trying to build Endpoint Security demo app on xcode, when I run sudo launchctl list 3xxxxxxxx6.com.example.apple-samplecode.SampleEndpointApp.Extension i get { "LimitLoadToSessionType" = "System"; "MachServices" = { "3FB5H67G96.com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension.xpc" = mach-port-object; }; "Label" = "3FB5H67G96.com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension"; "OnDemand" = false; "LastExitStatus" = 9; "Program" = "/Library/SystemExtensions/24197CF7-F318-4968-87D5-B869AAF544F5/com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension"; }; when I run the app i get Successfully installed the extension ✅ but noting happens. what should I do from here? plz halp

Having some problems with launchd since I upgraded to Sonoma. First some background. I run a secondary userid which is logged in whenever the Mac is turned on. At startup it logs in. It contains a launchd file to run at load & lock the user, in case my Mac falls into the wrong hands. It also contains two launchd files which run an app at load & daily at 2PM. All the above worked reliably under Ventura. Focusing on the launch process now. I noticed the app was not starting up at login. Suspected that two launchd run at launch files may be a problem. So, as a test, I renamed (plist > xml) so that only the app would run at launch. When I tested it. my app did not launch, but the renamed file which locks the id still ran. Strange. Any insights as to what's happening? Thanks.