We'd prefer our security application not be worked around by the complex task of typing sudo launchctl unload /Library/LaunchDaemons/foo.plist
😄. Is there a way to prevent that? (We're not using ServiceManagement because we need ot control some of the plist entries, sadly.)
Can one prevent a launchd job from being unloaded?
Nobody has any comments or thoughts about this?
Well, if you have a kernel driver or ES system extension, you could watch for someone reading your plist and deny it.
No more kernel drivers, and even after 8 months we still don't have the ability to ship a product using endpoint security.
We'd prefer our security application not be worked around by the complex task of typing
sudo launchctl unload /Library/LaunchDaemons/foo.plist
This is only possible for an admin user. Trying to protect yourself from admin users is kinda pointless IMO, and I’m not surprised that macOS doesn’t offer great support for it. If you think that should change, I encourage you to make your case in an enhancement request.
Please post your bug number, just for the record.
If you just want to solve this specific problem, you should be able to do this by mashing on the user’s sudoers
file; see the sudoers
man page for the details.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
This is only possible for an admin user. Trying to protect yourself from admin users is kinda pointless IMO
But it is there, in that you can't install or remove a system extension even as root. I had actually expected this sort of functionality with MDM at least, but it doesn't seem to be the case unless I missed something?
I filed FB11080821, thanks Quinn :)