macOS: Know the difference between launch agents and daemons, and use them to automate processes

Mac admins can leverage system processes called daemons to automate the execution of tasks, like scripts, used in the management of computers running macOS.

System administrators will tell you any process or task that needs to be run on the systems they manage is usually performed in some form of automated manner. Whether it’s scripted, enforced through policies, or handled via third-party management server, it is far simpler to execute and report back data on properly configured automated tasks than it is to leave it to the happenstance of performing these tasks across the entire fleet with little to no confirmation that it was completed correctly.

A benefit of automating tasks beyond the obvious is that automated tasks run exactly as designed and intended. Meaning, if a script is written to check for system updates upon restart, then it will check system updates every time the device is restarted. It won’t cancel the process because now is not the opportune moment or because it simply needs to log in and print a document quickly, for example.

Specific tasks or data executed the same way each time. This allows for a system of capturing metrics on devices by reading the counters for when the task executed, the timestamps on the data modified, system logs relating to the tasks, and in the case of updates in the example above, if the targeted systems received the update in question or not. Each of these roads leads back to system security and being able to harden devices and keep them secured to minimize the attack surface and narrow the window of how the device can be compromised.

What are launch daemons?

Unix-based operating systems have daemons or computer programs that run as a background process and not directly under the interactive user’s session. This is a boon for admins as they can leverage daemons to perform any series of tasks and is particularly useful when paired with repetitive maintenance tasks that run on a schedule. By setting up daemons to perform these tasks, admins can ensure that these programs run automatically at the system level, so as not to be interrupted by user sessions or input.

Are daemons the same as launch agents?

Agents share a great deal of similarity with daemons in that they both run computer programs in an automated fashion on target devices. However, daemons execute these tasks at the system-level, while agents execute these tasks within the context of the user’s interactive session. Both are useful and powerful in their own right, but each has its own specific use cases and should be treated as such to prevent tasks that rely on system-level access from being executed in the user’s space where they may not have the necessary rights to perform the tasks properly.

Where can I find launch daemons and agents?

  • ~/Library/LaunchAgents
  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons

Does the daemon or launch agent require any specific formatting?

Yes, however it is essentially a property list (plist) file that will hold the specific information that will serve as the crux of our task. Below I have included an example property list that reveals three required categories, referred to as keys, necessary to ensure it will run properly:

  • Label: Uniquely identifies a task to launch.
  • Program: Defines the task to be executed.
  • RunAtLoad: Specifies when the task should be run.

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”http://www.techrepublic.com/”http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
          <dict>
                    <key>Label</key>
                    <string>com.companyname.task</string>
                    <key>Program</key>
                    <string>/path/to/scripts/folder/script_name.sh</string>
                    <key>RunAtLoad</key>
                    <true/>
          </dict>
</plist>

Note: Additional configuration keys may be used in addition to, or in place of the keys included above to execute tasks based on different parameters, based on Apple’s developer documentation.

Mounting volumes example

  1. Log in to your macOS device as an admin.
  2. Launch the Terminal and enter the following command to create your plist file:
              sudo vim /Library/LaunchDaemons/com.themacjesus.mount.plist
  3. Edit the plist contents as necessary. Ensure that the path to the script that will mount the volumes is accessible and has the correct execute permissions set. When you’re done, press the Esc key, then type “:wq”, in order to both save and quit vim, returning to Terminal.
  4. Next, enter the following command to load the launch daemon:

          sudo launchctl load -w /Library/LaunchDaemons/com.themacjesus.mount.plist

Again, your experience could vary greatly depending on the tasks you’re setting out to automate. Something like mounting a volume based on the example above is straightforward and easy to accomplish while getting the hang of how to set up daemons to perform future tasks. It is recommended that if you can group certain tasks together by a trigger, for example, mounting volumes, setting environment variables, and pre-loading certain applications. These examples could all fall under a p-list designated at performing tasks during startup to simplify the user’s experience. Test out multiple task sets to see which one works best for your workflow.

Support Ukraine against russian fascists! Defend Europe from horde! Glory to Ukraine! 🇺🇦

🇺🇦 >>SUPPORT UKRAINE AGAINST RUSSIAN FASCISM<< 🇺🇦