Launch constraints to prevent an agent from being launched manually by a user?

Can you post some details about what you actually tried?

What I’d do in this case is something like:

• A parent constraint of is-init-proc.

• A self constraint of launch-type being not 3.

However,

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer

I played around with responsible process constraints but it seems that this was completely wrong. Thanks for your support.

BTW: Could you please explain how to set launch-type to not being 3 ? Seems that there's no not operator.

Regards, Marc

Yeah, I noticed the absence of a ‘not equals’ operator. However, I think you can get around that by transforming ‘X not equals N’ into ‘X less than N or X greater than N’.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer

Tried this, but then the app doesn't launch anymore:

<dict>
	<key>launch-type</key>
	<dict>
		<key>$or</key>
		<dict>
			<key>$lt</key>
			<integer>3</integer>
			<key>$gt</key>
			<integer>3</integer>
		</dict>
	</dict>
</dict>

Probably it's the wrong syntax because I get the following error if I launch the app:

AMFI: Launch Constraint Violation (enforcing), error info: c[4]p[1]m[2]e[6], ($or operator disallowed for active fact)

Unfortunately especially the operators are poorly documented. Any idea?

Thanks, Marc

Probably it's the wrong syntax

I don’t have a full answer for you — too much stuff to do, not enough time! — but I wanted to share a cool trick (-:

In macOS 14.4 we added a new LightweightCodeRequirements framework. That includes a DSL for LWCRs. That DSL is much easier to understand than the equivalent property list syntax, and you can use the framework to export a property list from a value created with the DSL.

Consider this code:

import Foundation
import LightweightCodeRequirements

func main() throws {
    let req = try OnDiskCodeRequirement.allOf {
        TeamIdentifier("SKMME9E2Y8")
        SigningIdentifier("com.example.Test759443")
    }
    let enc = PropertyListEncoder()
    enc.outputFormat = .xml
    let json = try enc.encode(req)
    print(String(decoding: json, as: UTF8.self))
}

try main()

When I run this on my Mac, it prints:

…
<dict>
    <key>value</key>
    <dict>
        <key>arrayKey</key>
        <string>$and-array</string>
        <key>key</key>
        <string>$and</string>
        <key>value</key>
        <array>
            <dict>
                <key>key</key>
                <string>team-identifier</string>
                <key>value</key>
                <string>SKMME9E2Y8</string>
            </dict>
            <dict>
                <key>key</key>
                <string>signing-identifier</string>
                <key>value</key>
                <string>com.example.Test759443</string>
            </dict>
        </array>
    </dict>
</dict>
…

This is with Xcode 15.4 on macOS 14.5.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you, @DTS Engineer. The correct syntax seems to be:

<dict>
    <key>$or-array</key>
    <array>
        <array>
            <string>$or</string>
            <dict>
                <key>launch-type</key>
                <dict>
                    <key>$lt</key>
                    <integer>3</integer>
                </dict>
            </dict>
        </array>
        <array>
            <string>$or</string>
            <dict>
                <key>launch-type</key>
                <dict>
                    <key>$gt</key>
                    <integer>3</integer>
                </dict>
            </dict>
        </array>
    </array>
</dict>

Regards, Marc