Skip to main content
Question

How to prevent user unload a daemon?

T
Forum|alt.badge.img+3

Hi,

I have built a helper daemon to request privileged operations on macOS, but the problem is that the user can use the launchctl command to unload my daemon. I want my daemon to keep running and prevent it from being removed by the user. So my question is: is there any way to prevent the user from unloading my daemon?

Thanks 

    2 replies

    T
    Forum|alt.badge.img+9
    • TrentO
    • Contributor
    • 83 replies
    • March 28, 2023

    Not that I'm aware of. You can use the new configuration profiles to restrict user from disabling it in the new login items settings pane, but if they have the knowledge to use launchctl and they have permissions to the plist then there is little you can do. 

    If you wanted to make it a little more difficult then you can set the 'schg' flag on your plist, but if a user has the know how there is still nothing stopping them from reverting the flag. 

    My advice would be to set a policy via Jamf which checks if the daemon is present and enabled. You can use file hashing to verify its contents havnt changed. Then you could simply redeploy if there was a change. 

    sdagley
    1 person likes this
    • sdagley
      sdagley
    T
    Forum|alt.badge.img+3
    • trinhduc20
    • Author
    • New Contributor
    • 7 replies
    • March 29, 2023
    TrentO wrote:

    Not that I'm aware of. You can use the new configuration profiles to restrict user from disabling it in the new login items settings pane, but if they have the knowledge to use launchctl and they have permissions to the plist then there is little you can do. 

    If you wanted to make it a little more difficult then you can set the 'schg' flag on your plist, but if a user has the know how there is still nothing stopping them from reverting the flag. 

    My advice would be to set a policy via Jamf which checks if the daemon is present and enabled. You can use file hashing to verify its contents havnt changed. Then you could simply redeploy if there was a change. 


    Thanks @TrentO 

    I believe we are able to control the integrity of the file from the application. However, I cannot disable the ability for the user to use launchctl. Since my application is running silently, once the user unloads the helper, my application needs to show a popup to request permission again.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings