I'm struggling to understand how to use launchctl enable/disable instead of launchctl load/unload on 10.11 15A279bThe specific issue is I want to disable mongodb so it no longer starts at boot:manoa:~ mike$ ps -ef|grep [m]ongo manoa:~ mike$ launchctl load ~/Library/LaunchAgents/homebrew.mxcl.mongodb.plist manoa:~ mike$ ps -ef|grep [m]ongo 501 1722 1 0 9:12AM ?? 0:00.09 /usr/local/opt/mongodb/bin/mongod --config /usr/local/etc/mongod.conf manoa:~ mike$ launchctl disable ~/Library/LaunchAgents/homebrew.mxcl.mongodb.plist Usage: launchctl disable <service-target>The man page for launchctl states:launchctl allows for detailed examination of launchd endpoints. A domain manages the execution policy for a collection of services. A service may be thought of as a virtual process that is always available to be spawned in response to demand. Each service has a collection of endpoints, and sending a message to one of those endpoints will cause the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets. Many subcommands in launchctl take a specifier which indicates the target domain or service for the subcommand. This specifier may take one of the following forms:I'm lost without some concrete example/tutorial at this point. Which domain is my plist a part of (or can it sit across several?)Is there a WWDC session that covers how to understand what the difference is between:system/[service-name]user/<uid>/[service-name]login/<asid>/[service-name]gui/<uid>/[service-name]session/<asid>/[service-name]pid/<pid>/[service-name]Is <service-target> from the Usage: help one of the above choices or something else?manoa:~ mike$ launchctl list|grep mongo 1722 0 homebrew.mxcl.mongodbWhat is service-name specifically in this case? manoa:~ mike$ launchctl disable pid/1722/homebrew.mxcl.mongodb Could not disable service: 1: Operation not permitted

I'v set sudo launchctl config user path PATH and now I cannot launch brew, npm, node and ect. from terminal. What I should to do for these commands work again from terminal?

Hi all, I am having a mysterious problem trying to load a user LaunchAgent under Big Sur - It is the .plist of gniemetz's automount.sh  https://github.com/gniemetz/automount for mounting SMB shares via pwd access from the Keychain - Placed the .sh into /usr/local/bin, chmod 644 and chown user:staff Placed the LaunchAgent .plist into ~/Library/LaunchAgents (created LaunchAgents it as it didn't exist), same chmod/chown. drwxr-xr-x		3	 users		 96 Nov	1 22:13 LaunchAgents ~/Library/LaunchAgentsrw-r--r--		1	 users	 1038 Nov	1 22:13 it.niemetz.automount.plist /usr/local drwxr-xr-x		4 root		wheel		128 Nov	1 21:52 bin /usr/local/binrwxr-xr-x		1 root		wheel	30310 Oct 29 21:58 automount.sh then the following: Load failed: 5: Input/output error For the life of me, I cannot find anywhere what this means... launchctl start ~/Library/LaunchAgents/it.niemetz.automount.plist completes with no errors, syntax also parses OK /Users//Library/LaunchAgents/it.niemetz.automount.plist: OK I have added Terminal and /bin/bash to Full Disk Access under Security... Launching the script manually as /usr/local/bin/automount.sh works fine. Console shows system.log shows this when load -w is run: 00:27:14 mac-mini-Big-Sur com.apple.xpc.launchd[1] (com.apple.xpc.launchd.user.domain.1000002.100006.Aqua): entering bootstrap mode Nov	3 00:27:14 mac-mini-Big-Sur com.apple.xpc.launchd[1] (com.apple.xpc.launchd.user.domain.1000002.100006.Aqua): exiting bootstrap mode For easy reference the .plist is pasted at the end - Anyone seen this error before? Thanks! ++ Label it.niemetz.automount LimitLoadToSessionType Aqua RunAtLoad WatchPaths /etc/resolv.conf /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist ProgramArguments /usr/local/bin/automount.sh --mountall

I've got an app that is sandboxed, and it requires a privileged helper. I've worked through the EBAS sample app with various updates to conform with current systems. After a lot of work, I've got to a point where I'm stumped. The Python script SMJobBlessUtil.py returns this error, and I don't know what to do to correct it: <path to helper tool>: tool __TEXT / __info_plist section dump malformed (2) I've gone over the various settings numerous times. It doesn't fail for the EBAS sample, but does for my app. Looking at the binary, the __info_plist sections look identical apart from identifiers. This is what mine looks like (identifiers deleted): <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleIdentifier</key> <string>***</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> <string>***</string> <key>CFBundleVersion</key> <string>1.0</string> <key>SMAuthorizedClients</key> <array> <string>anchor apple generic and identifier "***" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "***")</string> </array> </dict> </plist> I must be missing something, but I've run out of ideas on where to find it. Anybody got a pointer?

Service Management framework supports installing and uninstalling services, including Service Management login items, launchd agents, and launchd daemons. General: DevForums tag: Service Management Service Management framework documentation Daemons and Services Programming Guide archived documentation Technote 2083 Daemons and Agents — It hasn’t been updated in… well… decades, but it’s still remarkably relevant. EvenBetterAuthorizationSample sample code SMJobBless sample code Sandboxing with NSXPCConnection sample code WWDC 2022 Session 10096 What’s new in privacy introduces the new SMAppService facility, starting at 07˸07 BSD Privilege Escalation on macOS DevForums post Background items showing up with the wrong name DevForums post Related tags include: XPC, Apple’s preferred inter-process communication (IPC) mechanism Inter-process communication, for other IPC mechanisms Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I customize an open source app (yo), sign it, and deploy it to a bunch of Macs. We've been doing this for almost 4 years and it relies on 2 LaunchAgents that run a python script. With the move to Ventura, I discovered the background items and that this particular item shows up as 2 "yo_scheduler" items I have now: signed the python script add AssociatedBundleIdentifiers to the LaunchAgents Call LSRegisterUrl as part of the postinstall script I've packaged all this up, and install it on clients. Based on the documentation, I would anticipate that these 2 items would now show up as "Yo.app" but they don't. They show up as our developer program name. Based on some discussion with other Mac admins it sounds like we have to register AND open the app before the LaunchAgents are actually installed. If I install, then run sfltool resetbtm, then restart the Mac this all shows up properly... What's the proper way to use legacy LaunchAgents installed by a PKG?

My situtation: I recently added AssociatedBundleIdentifiers in launchd plist and see the result that my app's name is on the System Settings > Login Items (Allow in the background). But the machine that already has installed the older app without AssociatedBundleIdentifiers still shows Developer ID due to the cached state. And it is commemted at https://developer.apple.com/forums/thread/713493. It can be updated by resetting command and then restarting the system, but doing it on my users' machines seems inappropriate in many ways. My question: So, is there any way that I can make the change(Developer ID -> App name) without resetting and restarting by any chance?

I have a problem with a helper implemented with SMAppService daemonServiceWithPlistName. The helper run a command line program that executes system(dscl . delete /Users/name_of_user) Previously, this was implemented using AuthorizationExecuteWithPrivileges and it worked, from macOS Ventura start to show a dialog window "App would like to administer your computer. Administration can include modifying passwords, networking and system setting". But with SMAppService there is no such dialog window and helper app just stuck. I would like to know if this is a bug or correct behavior for a helper through SMAppService. Thanks for the answer.

I did some research and found that we can add our app by bundling a 'helper app' inside the main app's Contents/Library/LoginItems. Then in the main app (say from app delegate didlaunchwithoptions), call SMLoginItemSetEnabled and pass it the bundle identifier of the helper app and flag=true. This is way, when the main app is launched, it will configure the helper app as the 'login item', and that helper app will be launched automatically upon system login. Then in the helper app launch process, check if the 'main app' is not running, open it by using its path/url. But we also want that users are not able to quit (or force-quit) the main app (it's a security app). Or at least, if they kill the app, it should be relaunched automatically. Will just doing the above achieve all this? app should be launched upon system login app should be launched if it's killed by any way If not, what are the options?

Hi Team, We have developed an Daemon process using Microsoft Windows Worker Service written in .NET Core. On the first run the daemon process supposed to copy an sqlite database file on our specified path and then it will also generate some image files and save them on the specified path. The daemon process is working perfectly fine in DEBUG mode. However whenever we launch the daemon process in RELEASE mode via launchd command, the daemon process is unable to copy or write the files on the specified path. It looks like in the RELEASE mode the exe file of daemon needs file writing permissions to copy and write the files. Can you please guide us how can we resolve this issue and grant the file writing rights to the daemon process to work? Thank you. Asif from Techliance.

macOS 13 introduced a new mechanism for users to control background items on their Mac. These items now show up in a list under System Settings > General > Login Items > Allow in the Background. The name in that list should be the name of the app responsible for the background item. If it’s not, there are two possible reasons: Your product is built incorrectly. There’s a bug in macOS. It’s important to distinguish between those two cases, and the best way to do that is to test your product on a fresh machine: Set up a new machine that’s never seen your product before. I generally use a VM for this, restoring from a snapshot between each test. Install your app as the user would. Check what you see in System Settings. If you see the right name, it’s likely that your product is built correctly. If that same product shows the wrong name in other environments, it’s reasonable to assume that this is a bug in macOS. Note Such bugs are very common on development machines. The code that gets the name of your product relies on the Launch Services database, and it’s not uncommon for the building and rebuilding you do on your development machine to thoroughly scramble that database. That’s why testing on a fresh machine is so important. OTOH, if this test shows the wrong value you need to start looking at your code. There are three common cases here: Your product is an app that calls SMAppService to install its background items. Your product includes an app but installs its background items by writing launchd property list file to /Library/LaunchDaemons, /Library/LaunchAgents, or ~/Library/LaunchAgents. Your product does not include an app. If you use SMAppService and the wrong name shows up, that’s strong evidence that you’re dealing with a bug in macOS. SMAppService should provide the system the information it needs to understand that your app is responsible for your service. If you work with launchd property list files directly, make sure to add an AssociatedBundleIdentifiers property that lists your app’s bundle ID. Again, that lets the system know that your app is responsible for these launchd jobs. If your product doesn’t include an app then there’s a limit to how well the system can do here. You might want to consider creating and installing some sort of management app, one that exists solely to become the responsible code for your launchd jobs. If you’ve concluded that your product is built correctly and you’re able to consistently reproduce the problem on a fresh machine, that’s definitely worth filing a bug about it. Such a bug should be actionable. Even if you can’t reproduce the problem, you might still want to file a bug about it, with the understanding that it’s significantly harder to fix such bugs. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

My app needs a HelperTool which runs as root. I did in Xcode Version 14.3.1 (14E300c), macOS 13.4.1 (22F82): • Create new Project: macOS App: TestSM • Add new target: XPC Service: HelperSM • make new Property List: smProp.plist with: Label de.mdenkmann.HelperSM BundleProgram /Contents/XPCServices/HelperSM.xpc/Contents/MacOS/HelperSM • add Copy File Build Phase in TestSM for smProp.plist with: Destination: Wrapper Subpath: Contents/Library/LaunchDaemons smAppService = SMAppService.daemon(plistName: "smProp.plist") smAppService.register() now: smAppService.status = "enabled" When I do: let connectionToService = NSXPCConnection(serviceName: helperSMBundleIdentifier) I can communicate with HelperSM, but it does NOT run as root. Bad. When I do: let connectionToService = NSXPCConnection(machServiceName: "de.mdenkmann.HelperSM", options: [. privileged]) I get NSXPCConnectionInvalid when I communicate with the HelperSM. Even worse. How to get my root Helper? When I look at: System Settings → General → Login Items → Allow in the Background I see: TestSM.app 3 items; 3 items affect all users. What are these 3 items? Why Background? I want my HelperSM get started as root when called from TestSM, then run it as long as the system sees fit, then stop. It should not be called from other apps. It has no need to run in the background once TestSM stops.

We want to keep our Mac UI app running all the time, when a user is logged into to a mac machine (app resides in /Applications). To achieve this, we can use launchctl from within post-isntall script to load a plist file which resides in /Library/LaunchAgent. How to prevent a user (without admin password) to unload the agent using launchctl from terminal?

Hi, I'm working on macOS launchAgent based project, and using 3rd party code to upload big files to remote server. from time to time, I see that the upload rate is very slow and when i try it to use command line tool, the paste is much faster. Therefore, I believe that launchAgent based processes, may get low priority in using network bandwidth compared to foreground tools. I wonder if there's anything I can do on the process' info.plist file to get better prioritization on network resources. Perhaps I need to call the file uploader/downloader from dedicated XPC helper tool, but I prefer doing it from the same process. Thanks !

Hello, due to a problem with displaying daemons in login items that are loaded in a postinstall script using launchctl bootstrap plist-name. Instead of the name of the application, there is the name of the organization. I read eskimo post . AssociatedBundleIdentifiers are in the plist and contains correct bundle id, but the system still does not determine the name of the application. We thought if we remake it on use SMAppService API, then we are faced with another problem, this is the inability to install the application using remote device management, and speaking of a large number of computers, it becomes impossible to go and set a password on each individual device to load the daemon during installation. Are there any ways to solve this situation? Or may be how fix displaying name in login items?

i want to add a cert to system keychain in my program. with command "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ", i can add success manually. but when i run with my program, it fail. my program is a daemon runatload. can any one help?