Prevent non-admin users to prevent unloading launch agent

Question

Created Jul ’23

Replies 6

Boosts 1

Participants 3

We want to keep our Mac UI app running all the time, when a user is logged into to a mac machine (app resides in /Applications). To achieve this, we can use launchctl from within post-isntall script to load a plist file which resides in /Library/LaunchAgent.

How to prevent a user (without admin password) to unload the agent using launchctl from terminal?

Answered by DTS Engineer in 852518022

Let’s pick this up on your new thread.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Jul ’23

We want to keep our Mac UI app running all the time

Is this on a managed device?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

appledeveloper12 OP

Jul ’23

Yes @ eskimo. This is on a managed device for now.

0

Answer 3

DTS Engineer OP

Apple

Jul ’23

I coulda sworn there were configuration profile payloads that give you control over that. Try playing around with the payloads here.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

elijahcantu OP

Feb ’25

This prevents users from disabling background items in the system settings. However, they can still run launchd unload in terminal or delete the files.

0

Answer 5

elijahcantu OP

Feb ’25

I even tried adding ALL ALL= (ALL) !/bin/launchctl to the sudoers file, which prevents admins from running launchctl unload. However, non-admins are still able to run it.

0

Answer 6

DTS Engineer OP

Apple

Aug ’25

Recommended

Let’s pick this up on your new thread.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1