Kick-of policy through LaunchAgent?

jphillips
Release Candidate Programs Tester

I have an enrollment script that does a lot of behind-the-scenes system configurations, installations, etc, but I'm having a timing issue with DEP and the Enrollment Complete trigger.

I would like to create a LaunchAgent that kicks off the policy on the next user login (login trigger does not seem to work consistently). The policy's script would go through the process, delete the launch agent, then reboot.

I can run the script locally, but since it requires a lot of admin privs, it's not practical because of the constant user nagging for passwords.

Is this even possible?

1 ACCEPTED SOLUTION

Zanoski
New Contributor II

Yes, I've implemented the same thing.

To run something a job as root, create a launch daemon. Check out these links for detailed info on daemons:

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/launchctl.1.html
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man5/launchd.plist.5.html

There may be times when you want to execute something with root access but only when a user is logged in. You can still do this with a launch daemon. Just add a condition to exit your script when certain users are logged in (e.g: root, _mbsetupuser, loginwindow, etc). Then in your launchd plist, you set a desired start interval. This way the daemon will keep trying until correct conditions are met.

One recommendation I have is to evaluate all tasks you need to run and determine whether they should run once on the device, once per user, root access, under user's identity or just when user is logged in, etc. Once you have that breakdown, you may find that it makes sense to break this up into different jobs where some part is launch daemon(s) and another is launch agent(s).

View solution in original post

3 REPLIES 3

Zanoski
New Contributor II

Yes, I've implemented the same thing.

To run something a job as root, create a launch daemon. Check out these links for detailed info on daemons:

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/launchctl.1.html
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man5/launchd.plist.5.html

There may be times when you want to execute something with root access but only when a user is logged in. You can still do this with a launch daemon. Just add a condition to exit your script when certain users are logged in (e.g: root, _mbsetupuser, loginwindow, etc). Then in your launchd plist, you set a desired start interval. This way the daemon will keep trying until correct conditions are met.

One recommendation I have is to evaluate all tasks you need to run and determine whether they should run once on the device, once per user, root access, under user's identity or just when user is logged in, etc. Once you have that breakdown, you may find that it makes sense to break this up into different jobs where some part is launch daemon(s) and another is launch agent(s).

jphillips
Release Candidate Programs Tester

Thanks for the response. I was indeed wrongly creating an Agent instead of a Daemon. Once I switched it over, and added the user check condition to the script, it worked flawlessly!

hodgesji
Contributor

I'm running into this same issue where I'm trying to get a LaunchAgent to trigger a script only when the user logs in. Would you mind sharing your code for a user check condition when running it as a Daemon? I'm not sure I'm following.