How to make a LaunchDaemon run an app at login

catalinadaemonslaunchdpliststartup

I have an internally-maintained macOS app for my macOS Catalina-based enterprise environment which:

Must run as root (it accesses a privileged device API)
Runs in the background without a UI (via LSUIElement key set to true in its Info.plist)
Must run for every user who logs into a workstation without manual configuration (e.g. no manual Login Item configuration)

Creating a LaunchDaemon to launch the app seemed to be the right way to accomplish this. However, the app process is found to be hanging after first user login, presumably because it tries to start too early before app/window-supporting libraries are available (I thought setting LSUIElement to true would avoid this, but I guess not. If there's another Info.plist setting for the app I should use to accomplish this, I'm all ears). There are no errors related to the process or launchd service observed in system.log.

I've observed after login that if I kill the hanging process and the LaunchDaemon restarts it, it then works fine. So, all I think I need is a way to setup my LaunchDaemon plist so that the LaunchDaemon only launches the app on user login like a LaunchAgent, (which I can't use because LaunchAgents can't run as root). Does anyone have a tried and true plist configuration which accomplishes this? Maybe via setting a certain WatchPath for the LaunchDaemon?

My current plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>my.app</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/mydaemons/myapp.app/Contents/MacOS/myapp</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

Best Answer

@Wowfunhappy's suggestion to use a Login Hook got me the exact behavior I wanted, even if it wasn't done via a LaunchDaemon as planned. The solution:

A script (myscript.sh) to launch my app (must be executable via chmod a+x)

#!/bin/bash

//launch app in background (otherwise login hangs)
/path/to/myapp.app/Contents/MacOS/myapp &

And specifying that script as a login hook via the command:

sudo defaults write com.apple.loginwindow LoginHook /path/to/myscript.sh

My app now runs as root as needed on every user login

Related Solutions

How to run a job once a day with launchd, regardless of when the computer is on

Launchd will run your jobs next time the mac wakes from sleep. So if you shut down your mac, this won't work. You will need to put your mac to sleep to get your daily script to run when the mac wakes if the last time it should have run was during the sleep duration.

man launchd.plist:

If the system is asleep, the job will be started the next time the computer wakes up. If multiple intervals transpire before the computer is woken, those events will be coalesced into one event upon wake from sleep.

Or in other words: You don't have to do anything specific, it's the default behavior anyway.

If you also want to run the command once after reboot, add

<Key>RunAtLoad</Key>
<true/>

to your launchd plist.

How to launch a daemon process as a specified user at boot without an interactive login

You can easily run as another user with sudo -u like so:

#!/bin/sh

UZER=jsmith

sudo -u "$UZER" /path/to/program/you/want/to/run

exit 0

Just change 'jsmith' to the appropriate short user name, and then save that as a script somewhere, and call from /Library/LaunchDaemons

Remember that all files in /Library/LaunchDaemons must be owned by root to be run.

(I think this is what bmike was suggesting)

Another option

However, I wrote up a HOWTO for making auto-login more secure:

Terminally Geeky: use automatic login more securely

The executive summary is this:

Turn on Automatic login
Put this launchd plist in ~/Library/LaunchAgents
Reboot

What it does:

As soon as you login, launchd will throw you back to the login screen using:

"/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend

Note that is all one long line.

Considering that someone with physical access to your computer has a lot of potential exploits, I consider this relatively safe, but of course everyone has to make their own determination. I run this in my small office, but my iMac is in my private office which I can lock when I'm not there.

Also note that automatic login doesn't work with FileVault 2.

Best Answer

Related Solutions

How to run a job once a day with launchd, regardless of when the computer is on

How to launch a daemon process as a specified user at boot without an interactive login

Another option

Related Question