How to prevent a user from unloading a daemon?

New Contributor II


I have built a helper daemon to request privileged operations on macOS, but the problem is that the user can use the launchctl command to unload my daemon. I want my daemon to keep running and prevent it from being removed by the user. So my question is: is there any way to prevent the user from unloading my daemon?



Contributor II

Not that I'm aware of. You can use the new configuration profiles to restrict the user from disabling it in the new login items settings pane, but if they have the knowledge to use launchctl and they have permissions to the plist then there is little you can do.

If you wanted to make it a little more difficult then you can set the 'schg' flag on your plist, but if a user has the know-how there is still nothing stopping them from reverting the flag.

My advice would be to set a policy via Jamf which checks if the daemon is present and enabled. You can use file hashing to verify its contents haven't changed. Then you could simply redeploy if there was a change.

New Contributor II

Thanks @TrentO 

I believe we are able to control the integrity of the file from the application. However, I cannot disable the ability for the user to use launchctl. Since my application is running silently, once the user unloads the helper, my application needs to show a popup to request permission again.