Prevent non-admin users from unloading launch agent

We want to keep our Mac UI app running all the time when a user is logged in to a Mac machine (the app resides in /Applications). To achieve this, we can use launchctl from within a post-install script to load a plist file which resides in /Library/LaunchAgent.

How can we prevent a user (without an admin password) from unloading the agent using launchctl from Terminal?

Answered by DTS Engineer in 852518022

Let’s pick this up on your new thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We want to keep our Mac UI app running all the time

Is this on a managed device?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes @ eskimo. This is on a managed device for now.

I coulda sworn there were configuration profile payloads that give you control over that. Try playing around with the payloads here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

This prevents users from disabling background items in the system settings. However, they can still run launchd unload in terminal or delete the files.

I even tried adding ALL ALL= (ALL) !/bin/launchctl to the sudoers file, which prevents admins from running launchctl unload. However, non-admins are still able to run it.

Let’s pick this up on your new thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
