About notification of application launch and registration to "LaunchDaemons"

I've created an app that uses "NSNotificationCenter" to get app launch notifications.
I registered it in LaunchDaemons and started it when macOS started, but I cannot get the notification.

We have confirmed that the application has started up from the log and ps command.
I was able to get notifications when I debug in Xcode or launch the app directly.

Is it possible to get notifications by launching from LaunchDaemon?

Replies

Which specific notification are you registering for?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

> Which specific notification are you registering for?

"NSWorkspaceDidLaunchApplicationNotification" and "NSWorkspaceDidActivateApplicationNotification" are registered.
Neither can get notifications.

Ah, I figured that might be the case. NSWorkspace is part of AppKit and AppKit is not a daemon-safe framework. You will not get reasonable results via this approach. For more background on this issue, see Technote 2083 Daemons and Agents.

Note: The specific issue here is that the NSWorkspace view of the world is confined to a particular GUI login session. If you have two GUI users logged in, an app running in user A’s session won’t get NSWorkspace notifications about user B launching an app. This is as it should be, but it means that the API makes no sense in a daemon context.

How you proceed from here depends on what your overall goal is. Is this a security product, where the goal is to log app launches? If not, what is your goal in receiving these notifications?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

> Is this a security product, where the goal is to log app launches? If not, what is your goal in receiving these notifications?

This is a security product that aims to log app launches.
Is there a way to solve this problem?

> This is a security product that aims to log app launches.

Our general advice for security products is that they adopt Endpoint Security (ES). This gives you access to process launches via the ES_EVENT_TYPE_NOTIFY_EXEC message.

Note: The best intro to ES is WWDC 2020 Session 10159 Build an Endpoint Security app.

The main drawback to this approach is that you lose a lot of context. A process is a kernel level construct whereas an app is a user-level one. NSWorkspace is closer to the user and thus gives you more context about user operations.

One option here is to run a launchd agent in each GUI login session that talks to NSWorkspace and forwards results on to your ES client. However, this isn’t without its challenges. A launchd agent is ultimately under the control of the user — for example, the user can unload the agent — and thus you have to account for the possibility of your agent being subverted.

Finally, if there’s some bit of context that your ES client needs but isn’t provided by the current ES API, I recommend that you file an enhancement request describing your requirements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
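
The ES_EVENT_TYPE_NOTIFY_EXEC subscription recommended in the reply above, sketched as an added example (not code from this thread or from Apple). It logs the process-level context ES provides for each exec, and assumes the binary is signed with the com.apple.developer.endpoint-security.client entitlement, runs as root (for example as the launchd daemon), and has been granted Full Disk Access; the helper name `string(from:)` and the log format are this example's own.

```swift
import EndpointSecurity
import Foundation

// es_string_token_t is a pointer plus a length, so decode exactly `length` bytes
// instead of relying on a terminating NUL.
func string(from token: es_string_token_t) -> String {
    guard token.length > 0 else { return "" }
    let bytes = UnsafeRawBufferPointer(start: token.data, count: token.length)
    return String(decoding: bytes, as: UTF8.self)
}

var client: OpaquePointer?

// The handler block is called for every message delivered to this client.
let status = es_new_client(&client) { _, message in
    guard message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_EXEC else { return }

    // For an exec event, `target` describes the new process image.
    let target = message.pointee.event.exec.target.pointee
    let path = string(from: target.executable.pointee.path)
    let signingID = string(from: target.signing_id)
    let teamID = string(from: target.team_id)

    // Process-level context only: ES does not say which GUI session or
    // user-visible app this exec belongs to, unlike NSWorkspace.
    print("exec path=\(path) signing_id=\(signingID) team_id=\(teamID) " +
          "ppid=\(target.ppid) platform_binary=\(target.is_platform_binary)")
}

guard status == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
    // Usual causes: missing entitlement, not running as root, no Full Disk Access.
    fputs("es_new_client failed with result \(status.rawValue)\n", stderr)
    exit(EXIT_FAILURE)
}

let events = [ES_EVENT_TYPE_NOTIFY_EXEC]
guard es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fputs("es_subscribe failed\n", stderr)
    es_delete_client(client)
    exit(EXIT_FAILURE)
}

// Keep the daemon alive; events arrive on the handler block above.
dispatchMain()
```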