Cannot register LaunchAgents on macOS 14.2.1

Everything is OK in previous macOS versions.

But today when I call try agent.register(), I got an error: - Error Domain=SMAppServiceErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedFailureReason=Operation not permitted} #0

The agent is initialized with SMAppService.agent(plistName: ...)

And I took a look at the log:

2023-12-21 01:03:20.398350+0800 0x17e07    Error       0x72960              8028   0    smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] getEffectiveDisposition: error: Error Domain=BTMErrorDomain Code=-95 "record not found" UserInfo={NSLocalizedDescription=record not found}
2023-12-21 01:03:20.398386+0800 0x17e07    Error       0x0                  8028   0    smd: [com.apple.xpc.smd:SMAppService] Unable to get disposition of item: <private> error: Error Domain=NSPOSIXErrorDomain Code=3
2023-12-21 01:03:20.398407+0800 0x17e07    Default     0x0                  8028   0    smd: [com.apple.xpc.smd:all] Found status: 3 for <private>
2023-12-21 01:03:46.833936+0800 0x17bcc    Default     0x72949              8028   0    smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private>
2023-12-21 01:03:46.833986+0800 0x17bcc    Default     0x72949              8028   0    smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private>
2023-12-21 01:03:46.836622+0800 0x17e05    Default     0x72949              8029   0    backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] registerLaunchItem: pid=8236, uid=501, type=agent, parentURL=<private>, url=<private>, config=<private>
2023-12-21 01:03:46.839123+0800 0x17e05    Debug       0x72949              8029   0    backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] BTMStore: save scheduled.
2023-12-21 01:03:46.839164+0800 0x17e05    Debug       0x72949              8029   0    backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] RecordSet notification scheduled for uid -2
2023-12-21 01:03:46.903417+0800 0x17bcc    Error       0x72949              8028   0    smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] -[BTMManager registerLaunchItemWithAuditToken:type:relativeURL:configuration:uid:]_block_invoke: error: sandbox required
2023-12-21 01:03:46.903449+0800 0x17bcc    Error       0x72949              8028   0    smd: [com.apple.xpc.smd:SMAppService] Register of <private> rejected by BTM.

Btw, my app is a sandboxed App.


Replies

It seems that I should make my agent sandboxed as well.

Is it true that the launch agent of a sandboxed app should also be sandboxed? And the same for a daemon?

my app is a sandboxed App.

Is your app sandboxed because you plan to ship it on the Mac App Store?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have a similar problem and I have now discovered in the release notes for macOS 14.2 that:

Fixed: Requirements for agents and daemons registered with SMAppService have changed to prevent sandbox escapes. The target executable must be sandboxed if the main app is sandboxed. A small sandboxed trampoline tool can be written to execute scripts and unsandboxed or system tools. (113037504)

I had somehow missed this information but I guess that it is now (as of macOS 14.2) clear that the system needs an SMAppService tool that is in a sandboxed app to also be sandboxed, although I can't find any updated documentation for it.

For me this causes a problem as my helper daemon unfortunately needs to be unsandboxed (to run certain things) but my main app is sandboxed (even though it is not for Mac App Store). I guess that I could remove the sandbox from the main app but before I do that I would like to know what a:

small sandboxed trampoline tool

really is and how one could implement something like that? Is it a small XPC service that is sandboxed and can it then talk to an unsandboxed tool? Or is it something else?

/Peter
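
The rule quoted above from the macOS 14.2 release notes can be checked before shipping. The following is an added example, not code from the thread or from Apple: it compares the entitlements of a main app with those of its SMAppService helpers and lists the helpers that would hit the "sandbox required" rejection. The helper names and entitlements plists are constructed samples; in practice the input would be each binary's signed entitlements in plist form.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"  # App Sandbox entitlement key


def is_sandboxed(entitlements: bytes) -> bool:
    """True only if the plist sets the App Sandbox entitlement to boolean true."""
    data = entitlements.strip()
    if not data:
        return False  # no entitlements at all means no sandbox
    parsed = plistlib.loads(data)
    return isinstance(parsed, dict) and parsed.get(SANDBOX_KEY) is True


def unsandboxed_helpers(app_entitlements: bytes, helpers: dict) -> list:
    """Names of helpers that break the rule from the 14.2 release notes.

    The rule as quoted on this page only applies when the main app is
    sandboxed, so an unsandboxed main app yields no findings.
    """
    if not is_sandboxed(app_entitlements):
        return []
    return sorted(name for name, ents in helpers.items()
                  if not is_sandboxed(ents))


# Constructed sample input (hypothetical bundle, not taken from the thread).
APP_ENTS = plistlib.dumps({SANDBOX_KEY: True})
UNSANDBOXED_APP_ENTS = plistlib.dumps({})
HELPERS = {
    # Agent signed without the sandbox entitlement: the case in the first post.
    "com.example.agent": plistlib.dumps({"com.apple.security.network.client": True}),
    # Daemon that sets the key explicitly to false.
    "com.example.daemon": plistlib.dumps({SANDBOX_KEY: False}),
    # Helper that satisfies the rule.
    "com.example.sandboxed-helper": plistlib.dumps({SANDBOX_KEY: True}),
}

if __name__ == "__main__":
    for name in unsandboxed_helpers(APP_ENTS, HELPERS):
        print(f"{name}: main app is sandboxed but this helper is not; "
              "registration is expected to be rejected on macOS 14.2+")
```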