I referred this(https://developer.apple.com/forums/thread/721737?answerId=739716022#739716022) example, this works for agent, but I am not able to Launch a daemon As documentation says "If your app uses launch daemons, it needs to register those first. Launch daemons require authentication by the user", how do I get user authorizes the LaunchDaemon. In Smjobbless we used AuthorizationRef, but how do i use it with SMAppservice?

I'm working on a screen sharing app and need to capture Pre-login screen and also foward remote input to login window/screen so remote user can login. Researching online, it looks like I need to use Pre-Login Agent to do that. However, I found these two threads: https://forums.developer.apple.com/forums/thread/45536 https://developer.apple.com/forums/thread/726470 Apparently, there is an unpublished workaround related to (r. 5636091). Can anyone provide details about that?

I need to get image icon of running applications in daemon. I have found the method iconForFile. [[NSWorkspace sharedWorkspace] iconForFile: bundlePath]; However, as far as I know, the framework AppKit is not daemon-safe. https://developer.apple.com/library/archive/technotes/tn2083/_index.html So, the only way which I see is to get icon file path via parsing Info.plist. However, the icon is not defined for some system app, e.g.: /System/Applications/Calendar.app /System/Applications/System Settings.app Are there any way to get icons of system application in daemon code? Is it safe to use NSBundle in daemon code? Thank you in advance.

I am able to fetch CloudKit records from my MacOS command line tool/daemon. However, I would like CloudKit to notify my daemon whenever CKRecords were altered so I would not have to poll periodically. In CloudKit console I see that my app successfully created CloudKit subscription, but the part that confuses me is where in my app do I define callback function that gets called whenever CloudKit attempted to notify my app of CloudKit changes? My first question - do I need to define callback in my implementation of UNUserNotificationCenterDelegate? NSApplicationDelegate? Something else? My second question, would CKSyncEngine work from command line application?

Why does E210002 error occur only when launched svnserve via launchctl? When I start svnserve with $ sudo /usr/local/bin/svnserve -d -r /Volumes/RAID1disk/svn and run $ svn commit -m "test1", svn commit succeeds, but when I start svnserve with $ sudo launchctl load -w /Library/LaunchDaemons/com.toshiyuki.svnserve.plist and run $ svn commit -m "test2", svn commit fails and displays the following error: Committing transaction... svn: E210002: Commit failed (details follow): svn: E210002: Network connection closed unexpectedly After the E210002 error, I ran $ ps aux | grep svnserve and got the following result. toshiyuki 67686 0.0 0.0 34252296 700 s000 S+ 10:13AM 0:00.00 grep svnserve root 35267 0.0 0.0 34302936 592 ?? Ss 10:01AM 0:00.00 /usr/local/bin/svnserve -d -r /Volumes/RAID1disk/svn From this, I believe that svnserve is launched as the root user from launchctl. Also, when I ran $ls -l /volumes/raid1disk/svn the following result was obtained. -rw-rw-r-- 1 root wheel 246 7 23 22:31 README.txt drwxrwxr-x 6 root wheel 192 7 24 06:31 conf drwxrwxr-x 17 root wheel 544 7 24 10:01 db -r--rw-r-- 1 root wheel 2 7 23 22:31 format drwxrwxr-x 11 root wheel 352 7 23 22:31 hooks drwxrwxr-x 4 root wheel 128 7 23 22:31 locks so, svnserve has write access to the repository. If I start svnserve with $ sudo /usr/local/bin/svnserve -d -r /Volumes/RAID1disk/svn instead of $ sudo launchctl load -w /Library/LaunchDaemons/com.toshiyuki.svnserve.plist both svn commit and svn chekout always succeed, so I think there is no problem with the svnserve configuration file (/etc/svnserve.conf or the file in /etc/svnserve.conf.d). I think the plist of launchctl is also correct. because If I start svnserve with $ sudo launchctl load -w /Library/LaunchDaemons/com.toshiyuki.svnserve.plist only svn chekout always succeeds (commit fails, though). The contents of the plist of launchctl file are as follows: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.toshiyuki.svnserve</string> <key>ProgramArguments</key> <array> <string>/usr/local/bin/svnserve</string> <string>-d</string> <string>-r</string> <string>/Volumes/RAID1disk/svn</string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/> <key>StandardErrorPath</key> <string>/var/log/svnserve.log</string> <key>StandardOutPath</key> <string>/var/log/svnserve.log</string> 　　<key>UserName</key> <string>root</string> <key>EnvironmentVariables</key> <dict> <key>PATH</key> <string>/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin</string> </dict> </dict> </plist> Also, the execution result of $ls -l /library/LaunchDaemons/com.toshiyuki.svnserve.plist is as follows. -rw-r--r--@ 1 root wheel 929 7 24 10:29 /library/LaunchDaemons/com.toshiyuki.svnserve.plist But when I start svnserve with $ sudo launchctl load -w /Library/LaunchDaemons/com.toshiyuki.svnserve.plist "svn commit" always fails. Why is this? When I check the /var/log/svn/svnserve.log file, svnserve: E000048:Address already in use errors occured periodically.

Hello, Currently my macOS application registers itself as a login item in the AppDelegate applicationDidFinishLaunching method (see code below) However, I'm running into a problem that if the user is auto upgraded (internal 3rd party implementation) that the .pkg postinstall script runs, the last step which is launching the GUI application. Because of this, if a user unselects our app as a LoginItem, when it is relaunched, it will add itself back. I have checked the SMAppService statuses (.enabled, .notRegistered, .notFound) and discovered that when a user disables the app as a login item, the status is returned as .notFound. I am trying to find a way to detect if the user previously removed our app from login items and not register the app as a login item back, but for the first time the user opens the app the app is registered as a login item. Would checking if the status is .notRegistered work in this case for a first time install? What should i do differently? func applicationDidFinishLaunching(_ aNotification: Notification) { ... guard !Runtime.isDebug else { self.logger.debug("Detected Xcode host; Skipping installation of helper components.") return } self.logger.info("Setting UI login item") if mainApp.status != .enabled { //old code, incorrect. What should go here? do { try mainApp.register() } catch { logger.error("Failed to initialize UI login item: \(error.localizedDescription)") } } }

I use launch constraints in a project. If I archive the project and save a copy of the app locally, everything works as expected but if I choose "Direct Distribution" and submit the app to Apple for notarization, the notarized app does not contain any launch constraints. What are I am doing wrong? Thanks.

I have this application that is divided in 3 parts. A server that handles all the networking code A agent that handles all System related code A manager (NSApplication) to interact with the other two processes. Goals All three process should be kept alive if they crash All three processes must not restart if the user quits them though the NSApplication They need to run during the login window. My current set up using LaunchD is as follows. My Server process plist (relevant part) saved in System/LaunchDaemons key>MachServices</key> <dict> <key>com.myCompany.Agent.xpc</key> <true/> <key>com.myCompany.Manager.xpc</key> <true/> </dict> <key>ProgramArguments</key> <array> <string>PathToExecutable</string> <string>-service</string> </array> <key>RunAtLoad</key> <false/> My agent plist (saved in System/LaunchAgent) <key>QueueDirectories</key> <array> <string>PathToDirectory</string> </array> <key>RunAtLoad</key> <false/> <key>ProgramArguments</key> <array> <string>PathToExecutable</string> <string>service</string> </array> my Manager app plist (saved in System/LaunchAgent) <key>LimitLoadToSessionType</key> <string>Aqua</string> <key>RunAtLoad</key> <false/> <key>ProgramArguments</key> <array> <string>PathToExecutable</string> </array> <key>MachServices</key> <dict> <key>com.myCompany.Agent.manager.xpc</key> <true/> </dict> Currently I have another app that saves a file to the path of the QueueDirectories which triggers the launch of my Agent which then triggers the Server and Manager by starting a XPC Connection. QueueDirectories keeps the Agent alive (and hence all other processes) til file is removed and processes are quited through the manager. XPC Connections Server listens for a connection from agent and manager Manager listens for a connection from agent and starts a connection with server Agent starts a connection with Manager and Server Agent and Manager are owned by the user and server by root The problems When I start Agent by saving a file in the QueueDirectories path and connect to the Server over xpc I end up with two Agents, one owned by the user (the one I expect) and one owned by root. But if I manually start the Agent I do not have that problem. As I mentioned before, the server listens for a connection from the Agent. How do I stop getting two instances? or what is a better way to approach this?

I wanted to create a bundled macOS application that can be run in background. This application should also be capable of running in a non-gui environment. How should I create the application with the only condition that it should be bundled and can be launched using multiple ways like double click the bundle app or launching as a daemon using the unix executable?

One of our apps contains an agent that is launched at login using a plist in /Library/LaunchAgents. Now the question came up if I can make sure this agent is only launched by the system and cannot be launched by a user or another application. I wonder if this can be done using launch constraints. I played a bit with responsible application constraints but I couldn't make it work. Either the agent didn't launch at all or it could also be launched by just double-clicking on it in Finder. I wonder whether this is even possible. Thanks.

I wrote a daemon that is launched from the following plist in /Library/LaunchDaemons: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>MachServices</key> <dict> <key>com.mycompany.daemon.xpc</key> <true/> </dict> <key>Label</key> <string>com.mycompany.daemon</string> <key>Program</key> <string>/Applications/MyApp.app/Contents/MacOS/MyDaemon</string> <key>AssociatedBundleIdentifiers</key> <string>com.mycompany.myapp</string> <key>SpawnConstraint</key> <dict> <key>team-identifier</key> <string>XXXXXXXXX</string> <key>signing-identifier</key> <string>com.mycompany.myapp</string> </dict> </dict> </plist> No I want to make sure the daemon can only be launched via xpc by MyApp and I embedded the following responsible process plist into the daemon: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>team-identifier</key> <string>XXXXXXXXX</string> <key>signing-identifier</key> <string>com.mycompany.myapp</string> </dict> </plist> But as soon as the plist is embedded, macOS refuses to launch the daemon because of a launch constraint violation. As I read in the documentation, the process opening and xpc connection is the responsible process. So what I am doing wrong? Thanks.

We are developing a lightweight VPN client inside a daemon process that will run even when no user session is active on machine. The lightweight VPN runs in machine context and does not require user session. We would like to display some basic diagnosis information about our lightweight client on macOS login window before user is logged into their machine (in case users need that). So, is it possible to display a UI window on login screen with some basic info that user can interact with. If yes, where can I get started? Please note, this is not an authorization plugin. We are just wanting to display info about our process that runs a lightweight VPN client on macOS login screen.

I'm attempting to reload a Safari Content Blocker from within a sandboxed command-line tool configured as a LaunchAgent. However, when I use SFContentBlockerManager to reload the content blocker, I encounter the error SFErrorDomain Code=1: Unavailable error. Is it possible to reload a content blocker from a LaunchAgent? If so, how can it be done? // // main.swift // BlockerUpdater // // Created by Sebastian Livoni on 30/06/2024. // import Foundation import SafariServices // Function to reload content blocker asynchronously func reloadContentBlocker() async { NSLog("Hello, World!") do { try await SFContentBlockerManager.reloadContentBlocker(withIdentifier: "me.livoni.blocker.dns") NSLog("Reload complete") } catch { NSLog("Failed to reload content blocker: \(error.localizedDescription)") } } // Main entry point for async code @main struct BlockerUpdater { static func main() async { await reloadContentBlocker() } }

I created a macOS app that can run in foreground (NSApplicationActivationPolicyRegular) and in background (NSApplicationActivationPolicyAccessory) and can be launched by an Helper (Login Item) and run in background. I use XCode 15.3 (15E204a) on macOS 14.2.1 on a MacBook Pro 16", 2019, 2,3 GHz Intel Core i9 8 core. I archive my app, I notarize it for direct distribution then I save it to the /Applications folder. Then I delete my Debug app from …/Xcode/DerivedData/MyApp-dal…xu/Build/Products/Debug so I am sure I have one only copy of my app on the disk. I firstly launch my app as NSApplicationActivationPolicyRegular then I select my menu item "Set the app as Login Item". So I call SMAppService *service = [SMAppService loginItemServiceWithIdentifier:@"com.mydomain.Helper"]; I get a service.status == SMAppServiceStatusNotFound So I am stuck. I notice that my app doesn't show up in the System Preferences/Login Items/ "Allow Background" list. So on Terminal I run the command sudo sfltool resetbtm Now the "Allow Background" apps list is empty. Then I reboot. All the apps listed in "Allow Background" list reappear and are all turned "on". I turn them back off. My app is on the list too (turned "on" too). I leave it on. Now I can launch my app as NSApplicationActivationPolicyRegular, select again my menu item "Set the app as Login Item" and call SMAppService *service = [SMAppService loginItemServiceWithIdentifier:@"com.domain.Helper"]; Now I get a service.status == SMAppServiceStatusEnabled so I install the NSStatusItem and switch to background (NSApplicationActivationPolicyAccessory). I can logout and login and my app gets properly launched by the Helper and run in background. Everything works well. I guess I miss something, because I think this is not the way to distribute my app to the customers. I can't ask my customers to run the Terminal command sudo sfltool resetbtm, reboot then turn back "off" all the unwanted apps from the "Allow Background" list then turn my app "on". Furthermore, if I delete my app, it disappears from the "Allow Background" apps list, then if I copy it back to the /Applications folder, it doesn't show up yet in the "Allow Background" apps list. I have to invoke again the sudo sfltool resetbtm Terminal command, reboot… to see it in that list. I tried on 3 machines with macOS 14.2.1. Same result. I have read several articles and posts about NSApplicationActivationPolicyAccessory, SMAppService, but I didn't find my case. The Info.plist file of the Helper properly contains &lt;key&gt;LSBackgroundOnly&lt;/key&gt;&lt;true/&gt; &lt;key&gt;LSUIElement&lt;/key&gt;&lt;true/&gt; • What do I miss? • Why my app doesn't show up in the "Allow Background" apps list when I simply copy it within the /Applications folder?

We've got a non-sandboxed app with a built-in daemon that does some root-privileged things for us on occasion. We're using the newest SMAppService APIs, using NSXPCConnections for communications, and generally things work as expected. The daemon is set up to terminate when the parent app terminates. Our app also has (and uses the daemon for) a self-update feature. Once the new app is downloaded, the daemon takes over, replaces the app in-place, terminates the old app and launches the new one. However, after this update, the daemon no longer works. Any other build & launch of the app will silently fail when trying to talk to the daemon. The XPC connection can be constructed as usual, no errors, the process goes along like it should app-side, but the daemon never actually launches and never responds. I can imagine there could be a few rules being broken here with the self-update and the built-in daemon, but what would they be and how can we work within the rules?

Hello, Our product registers a daemon in the system through SMAppService (API available from Ventura) and also checks its status in case it has to tell the user to allow the daemon process as a background process. To check the status we call a script written in applescript that returns the status of the service. Script excerpt: NSString* scriptText = @"use framework "AppKit"\n" @"use framework "ServiceManagement"\n" @"use scripting additions\n" @"on startCommand()\n" @"try\n" @"local this, service, SMAppServiceInstance, ret\n" @"set this to a reference to current application\n" @"set SMAppServiceInstance to a reference to SMAppService of this\n" @"set service to SMAppServiceInstance's daemonServiceWithPlistName: "%@"\n" @"set str to service's status as string\n" @"set success to str as number\n" @"return success\n" @"on error errorMessage number errorNumber\n" @"log ("errorMessage: " & errorMessage & ", errorNumber: " & errorNumber)\n" @"end try\n" @"return -1\n" @"end startCommand\n"; The problem we see is sometimes when we try to check the status, a thread that is created when executing the script crashes. This is an error but it doesn't always occur at this point: Crashed Thread: 6 Dispatch queue: com.apple.root.utility-qos.overcommit Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6 Terminating Process: psanwatchdog [61506] Error Formulating Crash Report: PC register does not match crashing frame (0x0 vs 0x7FF89D102A78) Thread 6 Crashed:: Dispatch queue: com.apple.root.utility-qos.overcommit 0 ??? 0x7ff89d102a78 ??? 1 libsystem_kernel.dylib 0x7ff80ce7314a __pthread_kill + 10 2 libsystem_pthread.dylib 0x7ff80ceabebd pthread_kill + 262 3 libsystem_c.dylib 0x7ff80cdd1a39 abort + 126 4 libsystem_c.dylib 0x7ff80cdd0d1c __assert_rtn + 314 5 CoreFoundation 0x7ff80d0e1104 -[__NSPlaceholderDate initWithTimeIntervalSinceReferenceDate:].cold.2 + 35 6 CoreFoundation 0x7ff80cf44cfc -[__NSPlaceholderDate initWithTimeIntervalSinceReferenceDate:] + 370 7 CoreServicesInternal 0x7ff81038da12 BookmarkData::copyItem(CFBookmarkDataItem const*, std::__1::set<CFBookmarkDataItem const*, std::__1::less<CFBookmarkDataItem const*>, std::__1::allocator<CFBookmarkDataItem const*>>&, unsigned long) const + 1780 8 CoreServicesInternal 0x7ff81038df1f BookmarkData::copyDataItemAtOffset(unsigned int, unsigned long) const + 59 9 CoreServicesInternal 0x7ff81036f0dd BookmarkCopyPropertyFromBookmarkData(BookmarkData&, __CFString const*, unsigned long) + 154 10 CoreServicesInternal 0x7ff81036ecc0 _CFURLCreateResourcePropertiesForKeysFromBookmarkData + 242 11 CoreFoundation 0x7ff80cf71893 +[NSURL resourceValuesForKeys:fromBookmarkData:] + 25 12 LaunchServices 0x7ff80d3bf8f9 +[FSNode(BookmarkData) getName:fileIdentifier:creationDate:forBookmarkData:error:] + 205 13 LaunchServices 0x7ff80d3bf0fb _LSAliasCompareToNode + 353 14 LaunchServices 0x7ff80d47e3ce _LSAliasAndInodeOnContainerMatchesNode + 173 15 LaunchServices 0x7ff80d4505d3 _LSBundleMatchesNode(_LSDatabase*, unsigned int, LSBundleData const*, id, unsigned long long) + 97 16 LaunchServices 0x7ff80d3bee21 ___LSBundleFindWithNode_block_invoke + 33 17 LaunchServices 0x7ff80d3bec64 LaunchServices::BindingEvaluation::isBindingOK(LaunchServices::BindingEvaluation::State&, LaunchServices::BindingEvaluation::ExtendedBinding const&) + 165 18 LaunchServices 0x7ff80d3bbf31 LaunchServices::BindingEvaluation::addAndEvaluate(LaunchServices::BindingEvaluation::State&, void ()(LaunchServices::BindingEvaluation::State&), std::__1::vector<LaunchServices::BindingEvaluation::ExtendedBinding, std::__1::allocatorLaunchServices::BindingEvaluation::ExtendedBinding>&) + 4127 19 LaunchServices 0x7ff80d3ba6d3 LaunchServices::BindingEvaluation::runEvaluator(LaunchServices::BindingEvaluation::State&, NSError __autoreleasing*) + 1021 20 LaunchServices 0x7ff80d44bdb4 LaunchServices::BindingEvaluator::getBestBinding(LSContext*, UTTypeRecord* __strong*, NSError* __autoreleasing*) const + 138 21 LaunchServices 0x7ff80d3b9d75 LaunchServices::BindingEvaluator::getBestBinding(LSContext*, NSError* __autoreleasing*) const + 19 22 LaunchServices 0x7ff80d3b94a6 _LSBundleFindWithNode + 586 23 LaunchServices 0x7ff80d3b8a02 _LSFindOrRegisterBundleNode + 228 24 LaunchServices 0x7ff80d58b86a LaunchServices::URLPropertyProvider::capabilityEffectiveNodeForNode(LaunchServices::Database::Context&, FSNode*) + 279 25 LaunchServices 0x7ff80d58a4d7 LaunchServices::URLPropertyProvider::prepareApplicationCapabilityValue(LaunchServices::Database::Context&, id, __FileCache*, __CFString const*, LaunchServices::URLPropertyProvider::State*, NSError* __autoreleasing*) + 226 26 LaunchServices 0x7ff80d3b4e09 LaunchServices::URLPropertyProvider::prepareValues(__CFURL const*, __FileCache*, __CFString const* const*, void const**, long, void const*, __CFError**) + 772 27 CoreServicesInternal 0x7ff81036c057 prepareValuesForBitmap(__CFURL const*, __FileCache*, _FilePropertyBitmap*, __CFError**) + 380 28 CoreServicesInternal 0x7ff8103687cb _FSURLCopyResourcePropertyForKeyInternal(__CFURL const*, __CFString const*, void*, void*, __CFError**, unsigned char) + 266 29 CoreFoundation 0x7ff80cf5c54d CFURLCopyResourcePropertyForKey + 96 30 CoreFoundation 0x7ff80cf5bbca ____CFRunLoopSetOptionsReason_block_invoke_5 + 168 31 libdispatch.dylib 0x7ff80cd09ac6 _dispatch_call_block_and_release + 12 32 libdispatch.dylib 0x7ff80cd0adbc _dispatch_client_callout + 8 33 libdispatch.dylib 0x7ff80cd1a359 _dispatch_root_queue_drain + 1014 34 libdispatch.dylib 0x7ff80cd1a84f _dispatch_worker_thread2 + 152 35 libsystem_pthread.dylib 0x7ff80cea8b43 _pthread_wqthread + 262 36 libsystem_pthread.dylib 0x7ff80cea7acf start_wqthread + 15 The script is executed in the main thread of the application and the process itself does nothing more than launch this script, it is not performing any other tasks apart from recording logs of the script task. Also comment that this error has been seen on Mac machines with rosetta and the compilation of our product is on x86_64 architecture. And to say, if we are using applescript instead of the API it is because the compilation machine uses a Mac Catalina to compile it and we found it convenient to use applescript Any ideas why these errors may occur? Thanks

I'm seeking some help or guidance. I'm attempting to write an app for private use that listens for HID events from a RF reader and responds. I have a functional app, which has to be launched via sudo, to be able to execute IOHIDManagerOpen(manager, IOOptionBits(kIOHIDOptionsTypeSeizeDevice)) correctly. I'm trying to modify this app, now, to use SMAppService and bypass the need for terminal and sudo, but I'm getting confused at what parts of my code need to be embedded into the helper and how to manage communications between the different components. I make it to step 8 in https://developer.apple.com/forums/thread/721737 before I start getting lost. Does anyone know of a functional, SIMPLE, sample app I could take a look at, or a good guide that lays out all parts of an example? Everything I've found gives the bones but no meat.

Branching from a previous post titled "Privileged daemon using SMAppService in macOS Sequoia," I have a privileged daemon using SMAppSerice that works in Sonoma and Ventura. In the previous OS versions, privilege is applied in System Settings: Login Items, Allow in the Background. Under macOS sequoia, the daemon appears by its bundle id instead of the parent app, and underneath it reads "Item from unidentified developer" and does not run, even when enabled. I'm wondering if additional steps are needed in the new OS to sign privileged daemons properly?

I have some existing code that registers a privileged daemon using SMAppService. In Ventura and Sonoma, the privileged item gets added to Login Items (allow to run in background), and must be toggled on to finish granting privileged access. In 15.0 Beta (24A5264n), the app doesn't show up in the Login Item list. Is there something I should be doing differently to use this framework in Sequoia?

On macOS 15 Sequoia, there is a new Legacy Background Tasks toggle in System Settings > Login Items & Extensions. It seems to initially appear (in an "on" state) when an app tries to install a launchd job and places a launch plist in /Library/LaunchDaemons. I have not found any effects of turning this toggle off. I still seem to be able to happily use launchctl bootstrap and launchctl bootout, for example. What does this toggle do? Is there a WWDC session or documentation I haven't found yet?