One of our apps contains an agent that is launched at login using a plist in /Library/LaunchAgents. Now the question came up if I can make sure this agent is only launched by the system and cannot be launched by a user or another application. I wonder if this can be done using launch constraints. I played a bit with responsible application constraints but I couldn't make it work. Either the agent didn't launch at all or it could also be launched by just double-clicking on it in Finder. I wonder whether this is even possible. Thanks.
Launch constraints to prevent an agent from being launched manually by a user?
Can you post some details about what you actually tried?
What I’d do in this case is something like:
- A parent constraint of is-init-proc.
- A self constraint of launch-type being not 3.
However,
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
@DTS Engineer
I played around with responsible process constraints but it seems that this was completely wrong. Thanks for your support.
BTW: Could you please explain how to set launch-type to not being 3? Seems that there's no not operator.
Regards, Marc
Yeah, I noticed the absence of a ‘not equals’ operator. However, I think you can get around that by transforming ‘X not equals N’ into ‘X less than N or X greater than N’.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
@DTS Engineer
Tried this, but then the app doesn't launch anymore:
    <dict>
        <key>launch-type</key>
        <dict>
            <key>$or</key>
            <dict>
                <key>$lt</key>
                <integer>3</integer>
                <key>$gt</key>
                <integer>3</integer>
            </dict>
        </dict>
    </dict>
Probably it's the wrong syntax because I get the following error if I launch the app:
AMFI: Launch Constraint Violation (enforcing), error info: c[4]p[1]m[2]e[6], ($or operator disallowed for active fact)
Unfortunately especially the operators are poorly documented. Any idea?
Thanks, Marc
Probably it's the wrong syntax
I don’t have a full answer for you — too much stuff to do, not enough time! — but I wanted to share a cool trick (-:
In macOS 14.4 we added a new LightweightCodeRequirements framework. That includes a DSL for LWCRs. That DSL is much easier to understand than the equivalent property list syntax, and you can use the framework to export a property list from a value created with the DSL.
Consider this code:
    import Foundation
    import LightweightCodeRequirements

    func main() throws {
        let req = try OnDiskCodeRequirement.allOf {
            TeamIdentifier("SKMME9E2Y8")
            SigningIdentifier("com.example.Test759443")
        }
        let enc = PropertyListEncoder()
        enc.outputFormat = .xml
        let json = try enc.encode(req)
        print(String(decoding: json, as: UTF8.self))
    }

    try main()
When I run this on my Mac, it prints:
    …
    <dict>
        <key>value</key>
        <dict>
            <key>arrayKey</key>
            <string>$and-array</string>
            <key>key</key>
            <string>$and</string>
            <key>value</key>
            <array>
                <dict>
                    <key>key</key>
                    <string>team-identifier</string>
                    <key>value</key>
                    <string>SKMME9E2Y8</string>
                </dict>
                <dict>
                    <key>key</key>
                    <string>signing-identifier</string>
                    <key>value</key>
                    <string>com.example.Test759443</string>
                </dict>
            </array>
        </dict>
    </dict>
    …
This is with Xcode 15.4 on macOS 14.5.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Thank you, @DTS Engineer. The correct syntax seems to be:
    <dict>
        <key>$or-array</key>
        <array>
            <array>
                <string>$or</string>
                <dict>
                    <key>launch-type</key>
                    <dict>
                        <key>$lt</key>
                        <integer>3</integer>
                    </dict>
                </dict>
            </array>
            <array>
                <string>$or</string>
                <dict>
                    <key>launch-type</key>
                    <dict>
                        <key>$gt</key>
                        <integer>3</integer>
                    </dict>
                </dict>
            </array>
        </array>
    </dict>
Regards, Marc
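Added example, not code from the thread or from Apple: a Python sketch that generates the `$or-array` layout from the last post for "fact not equal to N", and flags the earlier layout that AMFI rejected with "$or operator disallowed for active fact". The function names are hypothetical, and the plist layout is taken from the posts above, not from Apple documentation, so acceptance by AMFI is an assumption.

```python
import plistlib

# Logical operators that appear in this thread's constraint dictionaries.
LOGICAL_OPS = {"$or", "$and"}


def not_equal_constraint(fact, n):
    """Express `fact != n` as `fact < n OR fact > n`, using the
    $or-array layout shown in the last post of the thread."""
    return {
        "$or-array": [
            ["$or", {fact: {"$lt": n}}],
            ["$or", {fact: {"$gt": n}}],
        ]
    }


def misplaced_logical_ops(node, path=""):
    """Return the paths where $or/$and is nested directly under a fact key,
    the shape that produced the AMFI error quoted in the thread."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            # A key without a leading "$" is treated as a fact name (assumption).
            if not key.startswith("$") and isinstance(value, dict):
                found += [f"{here}/{op}" for op in sorted(value.keys() & LOGICAL_OPS)]
            found += misplaced_logical_ops(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += misplaced_logical_ops(item, f"{path}[{i}]")
    return found


def to_xml(constraint):
    """Serialize a constraint dictionary as an XML property list."""
    return plistlib.dumps(constraint, fmt=plistlib.FMT_XML).decode("utf-8")


# Constructed from the rejected plist posted in the thread.
REJECTED = {"launch-type": {"$or": {"$lt": 3, "$gt": 3}}}

if __name__ == "__main__":
    print("rejected form issues:", misplaced_logical_ops(REJECTED))
    accepted = not_equal_constraint("launch-type", 3)
    print("generated form issues:", misplaced_logical_ops(accepted))
    print(to_xml(accepted))
```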