macOS System Preferences/Settings plugin using privileged helper (SMJobBless) to update configuration fails

My software is a daemon that is launched via a plist in /Library/LaunchDaemons. Naturally it does not have a GUI and other than configuring the runtime during its installation (.pkg) I imagined that creating a System Preferences plugin for my software would allow a privileged user to make changes to the software's runtime configuration. For example the plugin would allow a privileged user to start and stop the daemon. The installer plugin and its helper were set up and signed so that they - in theory - should work together like the SMJobBless examples do.

The only difference from examples like EvenBetterAuthorizationSample from what I can tell is that those examples are using a *.app as opposed to a *.prefPane .

The SMJobBless error message output to console is: The operation couldn’t be completed. (CFErrorDomainLaunchd error 2.)

Is there a limitation in using System Preferences/Settings with SMJobBless?

Accepted Reply

So SMJobBless won’t help you here; it only works for apps.

Having said that, SMJobBless is only about installing a privileged helper tool. You already have an installer to install all the other parts of your product, so having that installer lay down your privileged helper tool at the same time seems like a reasonable approach.

Once the privileged helper tool is installed then you end up doing the same XPC and Authorization Services dance as you would if it’d been installed by SMJobBless.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Thanks, that is the answer for what I've been looking for. Much appreciated.
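
The approach from the accepted reply, with the installer package laying down the privileged helper instead of SMJobBless, as an added example (not code from the thread or from Apple). The label `com.example.monitor.helper` and the function names are hypothetical, and the functions are meant to be called from a .pkg postinstall script running as root.

```shell
#!/bin/sh
# Added example: functions for a hypothetical .pkg postinstall script.
LABEL="com.example.monitor.helper"              # hypothetical label and Mach service name
HELPER="/Library/PrivilegedHelperTools/$LABEL"  # same directory SMJobBless installs into
PLIST="/Library/LaunchDaemons/$LABEL.plist"

# Write the launchd job: the helper is started on demand when a client
# (here, the preference pane) connects to the Mach service over XPC.
write_helper_plist() {  # $1 = output file, $2 = label, $3 = helper path
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$2</string>
    <key>MachServices</key>
    <dict>
        <key>$2</key>
        <true/>
    </dict>
    <key>ProgramArguments</key>
    <array>
        <string>$3</string>
    </array>
</dict>
</plist>
EOF
    chmod 644 "$1"
}

# Succeeds only if the file is not writable by group or others. A helper or
# plist that an unprivileged user can modify gives that user code running as root.
not_group_other_writable() {  # $1 = file
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

install_helper() {  # $1 = helper binary from the package payload; needs root
    install -o root -g wheel -m 755 "$1" "$HELPER"
    write_helper_plist "$PLIST" "$LABEL" "$HELPER"
    chown root:wheel "$PLIST"
    not_group_other_writable "$HELPER" && not_group_other_writable "$PLIST" || return 1
    launchctl bootstrap system "$PLIST"
}
```

This covers installation only; the helper still has to do the XPC and Authorization Services work mentioned in the reply before acting on a request.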


Replies

SMJobBless is about installing a helper tool as a daemon [1]. If you already have a way to install your daemon — your installer package — there’s really no point in involving SMJobBless. So, is your goal to replace your installer package with SMJobBless? Or something else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Hence the common term privileged helper tool.

@eskimo My 'daemon' is a network monitoring tool that runs as a non-privileged, no-login user. The preference pane + privileged helper is intended to change the monitoring tool's configuration, start/stop, uninstall, status. Since my preference pane plugin is installed for all users (/Library/PreferencePanes) storing its persistent preference data in /Library/Preferences it requires elevated privileges when it writes to that location. Hence the idea to use SMJobBless, which - as you say - installs another daemon, aka a helper that will be authorized to obtain the privileges it needs to write to /Library/Preferences. As I understand it, the helper is just a lightweight daemon to perform a few dedicated tasks that require elevated privileges. I hope that clarifies it. In any case, there are many ways to skin that cat, but I believed that to be the most sensible. If you have another suggestion, I'm all ears. Thanks.
