We want to be immediately aware of user logins as they occur. Our interests are the security aspect (who/when) but also the performance (how long did it take). Basically, we aim for something similar equivalent to the NSWorkspace fast user switching notifications with will/did flavors. We did some digging but none of the available mechanisms seem like a good fit:
- user accounting database, must be actively polled
- launch agents, false positives can't be ruled out, also IPC
- authorization plug-in, seems a bit much, only covers logins
- login/logout script, to cite the documentation: There are numerous reasons to avoid using login and logout scripts.
- EndpointSecurity, generally seems like a good fit but no support
What's a good way to do this on macOS?