I'm getting this message in a launchd log. The service in question is a Focusrite thing. What does it mean? (system/com.focusrite.ControlServer) : cannot spawn: service is in penalty box The peripheral seems to be working fine.

Hello, I currently am designing a data backup solution, and have an unsandboxed launch agent written in DotNet 6 that needs read access to files in order to back them up. It is configured together with its own App Group (with the sandboxed GUI). However, this Launch Agent cannot access files or enumerate directories in ~/Library/Group Containers/com.apple.notes whatsoever (even after enabling full disk access for the calling app, the files are not restricted either). I am trying to access the NoteStore.sqlite and similar files so that the Launch Agent can read the file and upload it to S3. Is there some entitlement I need to add, or access prompt? It seems like there is additional security layers for Sandboxed folders for apps that I'm trying to bypass. What is the recommended solution for my use case? (For Ventura and Sonoma users)

Hi all! So SMJobBless is deprecated, and I want to my app to do some privileged things, e.g. move file to root user folder with permission dialog. Simple, right? But how can I do that simple thing? Found example with agent, but it does not have root permission to write a file in root's folder. Any help?

I customize an open source app (yo), sign it, and deploy it to a bunch of Macs. We've been doing this for almost 4 years and it relies on 2 LaunchAgents that run a python script. With the move to Ventura, I discovered the background items and that this particular item shows up as 2 "yo_scheduler" items I have now: signed the python script add AssociatedBundleIdentifiers to the LaunchAgents Call LSRegisterUrl as part of the postinstall script I've packaged all this up, and install it on clients. Based on the documentation, I would anticipate that these 2 items would now show up as "Yo.app" but they don't. They show up as our developer program name. Based on some discussion with other Mac admins it sounds like we have to register AND open the app before the LaunchAgents are actually installed. If I install, then run sfltool resetbtm, then restart the Mac this all shows up properly... What's the proper way to use legacy LaunchAgents installed by a PKG?

My app needs a HelperTool which runs as root. I did in Xcode Version 14.3.1 (14E300c), macOS 13.4.1 (22F82): • Create new Project: macOS App: TestSM • Add new target: XPC Service: HelperSM • make new Property List: smProp.plist with: Label de.mdenkmann.HelperSM BundleProgram /Contents/XPCServices/HelperSM.xpc/Contents/MacOS/HelperSM • add Copy File Build Phase in TestSM for smProp.plist with: Destination: Wrapper Subpath: Contents/Library/LaunchDaemons smAppService = SMAppService.daemon(plistName: "smProp.plist") smAppService.register() now: smAppService.status = "enabled" When I do: let connectionToService = NSXPCConnection(serviceName: helperSMBundleIdentifier) I can communicate with HelperSM, but it does NOT run as root. Bad. When I do: let connectionToService = NSXPCConnection(machServiceName: "de.mdenkmann.HelperSM", options: [. privileged]) I get NSXPCConnectionInvalid when I communicate with the HelperSM. Even worse. How to get my root Helper? When I look at: System Settings → General → Login Items → Allow in the Background I see: TestSM.app 3 items; 3 items affect all users. What are these 3 items? Why Background? I want my HelperSM get started as root when called from TestSM, then run it as long as the system sees fit, then stop. It should not be called from other apps. It has no need to run in the background once TestSM stops.

Hi guys. I'm evaluating porting our daemon/agent service over to the new SMAppService API. I noticed one major gap here (or maybe I missed something?) that, with launchctl, we can put something under "/Library/LaunchAgents" and trivially register it as a global launch agent, yet with SMAppService.agent(...) or SMAppService.loginItem(...), the item is bound to the current user and won't propagate to a different user logged in subsequently. So what is the equivalent of the global launch agent using SMAppService?

Hi, We're trying to generate the key inside secure enclave from the deamon, but it fails with the below error. The operation couldn’t be completed. (OSStatus error -26276 - failed to generate asymmetric keypair) Could you please help me to resolve the issue?

Having some problems with launchd since I upgraded to Sonoma. First some background. I run a secondary userid which is logged in whenever the Mac is turned on. At startup it logs in. It contains a launchd file to run at load & lock the user, in case my Mac falls into the wrong hands. It also contains two launchd files which run an app at load & daily at 2PM. All the above worked reliably under Ventura. Focusing on the launch process now. I noticed the app was not starting up at login. Suspected that two launchd run at launch files may be a problem. So, as a test, I renamed (plist > xml) so that only the app would run at launch. When I tested it. my app did not launch, but the renamed file which locks the id still ran. Strange. Any insights as to what's happening? Thanks.

Hello everyone, I'm interested in creating an agent or daemon on macOS that can monitor several types of user interactions: File Upload Events: I want to listen for events when users upload files to their Macs. Drag-and-Drop Events: I'd like to capture events when users perform drag-and-drop actions. Clipboard Events: I'm also interested in monitoring copy/paste actions in the clipboard. Keystroke Events: Finally, I want to be able to track keystroke events. Could anyone provide guidance or point me in the right direction on how to achieve this? Any help or resources would be greatly appreciated. Thank you!

i want to add a cert to system keychain in my program. with command "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ", i can add success manually. but when i run with my program, it fail. my program is a daemon runatload. can any one help?

I'm struggling to understand how to use launchctl enable/disable instead of launchctl load/unload on 10.11 15A279bThe specific issue is I want to disable mongodb so it no longer starts at boot:manoa:~ mike$ ps -ef|grep [m]ongo manoa:~ mike$ launchctl load ~/Library/LaunchAgents/homebrew.mxcl.mongodb.plist manoa:~ mike$ ps -ef|grep [m]ongo 501 1722 1 0 9:12AM ?? 0:00.09 /usr/local/opt/mongodb/bin/mongod --config /usr/local/etc/mongod.conf manoa:~ mike$ launchctl disable ~/Library/LaunchAgents/homebrew.mxcl.mongodb.plist Usage: launchctl disable <service-target>The man page for launchctl states:launchctl allows for detailed examination of launchd endpoints. A domain manages the execution policy for a collection of services. A service may be thought of as a virtual process that is always available to be spawned in response to demand. Each service has a collection of endpoints, and sending a message to one of those endpoints will cause the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets. Many subcommands in launchctl take a specifier which indicates the target domain or service for the subcommand. This specifier may take one of the following forms:I'm lost without some concrete example/tutorial at this point. Which domain is my plist a part of (or can it sit across several?)Is there a WWDC session that covers how to understand what the difference is between:system/[service-name]user/<uid>/[service-name]login/<asid>/[service-name]gui/<uid>/[service-name]session/<asid>/[service-name]pid/<pid>/[service-name]Is <service-target> from the Usage: help one of the above choices or something else?manoa:~ mike$ launchctl list|grep mongo 1722 0 homebrew.mxcl.mongodbWhat is service-name specifically in this case? manoa:~ mike$ launchctl disable pid/1722/homebrew.mxcl.mongodb Could not disable service: 1: Operation not permitted

Hello, due to a problem with displaying daemons in login items that are loaded in a postinstall script using launchctl bootstrap plist-name. Instead of the name of the application, there is the name of the organization. I read eskimo post . AssociatedBundleIdentifiers are in the plist and contains correct bundle id, but the system still does not determine the name of the application. We thought if we remake it on use SMAppService API, then we are faced with another problem, this is the inability to install the application using remote device management, and speaking of a large number of computers, it becomes impossible to go and set a password on each individual device to load the daemon during installation. Are there any ways to solve this situation? Or may be how fix displaying name in login items?

Hi, I'm working on macOS launchAgent based project, and using 3rd party code to upload big files to remote server. from time to time, I see that the upload rate is very slow and when i try it to use command line tool, the paste is much faster. Therefore, I believe that launchAgent based processes, may get low priority in using network bandwidth compared to foreground tools. I wonder if there's anything I can do on the process' info.plist file to get better prioritization on network resources. Perhaps I need to call the file uploader/downloader from dedicated XPC helper tool, but I prefer doing it from the same process. Thanks !

We want to keep our Mac UI app running all the time, when a user is logged into to a mac machine (app resides in /Applications). To achieve this, we can use launchctl from within post-isntall script to load a plist file which resides in /Library/LaunchAgent. How to prevent a user (without admin password) to unload the agent using launchctl from terminal?

Hi all, I am having a mysterious problem trying to load a user LaunchAgent under Big Sur - It is the .plist of gniemetz's automount.sh  https://github.com/gniemetz/automount for mounting SMB shares via pwd access from the Keychain - Placed the .sh into /usr/local/bin, chmod 644 and chown user:staff Placed the LaunchAgent .plist into ~/Library/LaunchAgents (created LaunchAgents it as it didn't exist), same chmod/chown. drwxr-xr-x		3	 users		 96 Nov	1 22:13 LaunchAgents ~/Library/LaunchAgentsrw-r--r--		1	 users	 1038 Nov	1 22:13 it.niemetz.automount.plist /usr/local drwxr-xr-x		4 root		wheel		128 Nov	1 21:52 bin /usr/local/binrwxr-xr-x		1 root		wheel	30310 Oct 29 21:58 automount.sh then the following: Load failed: 5: Input/output error For the life of me, I cannot find anywhere what this means... launchctl start ~/Library/LaunchAgents/it.niemetz.automount.plist completes with no errors, syntax also parses OK /Users//Library/LaunchAgents/it.niemetz.automount.plist: OK I have added Terminal and /bin/bash to Full Disk Access under Security... Launching the script manually as /usr/local/bin/automount.sh works fine. Console shows system.log shows this when load -w is run: 00:27:14 mac-mini-Big-Sur com.apple.xpc.launchd[1] (com.apple.xpc.launchd.user.domain.1000002.100006.Aqua): entering bootstrap mode Nov	3 00:27:14 mac-mini-Big-Sur com.apple.xpc.launchd[1] (com.apple.xpc.launchd.user.domain.1000002.100006.Aqua): exiting bootstrap mode For easy reference the .plist is pasted at the end - Anyone seen this error before? Thanks! ++ Label it.niemetz.automount LimitLoadToSessionType Aqua RunAtLoad WatchPaths /etc/resolv.conf /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist ProgramArguments /usr/local/bin/automount.sh --mountall

I'v set sudo launchctl config user path PATH and now I cannot launch brew, npm, node and ect. from terminal. What I should to do for these commands work again from terminal?