The Eclectic Light Company

Macs, painting, and more
hoakley February 16, 2023 Macs, Technology

How Ventura is changing Login and Background Items

There was a time when the great majority of apps consisted of just an app bundle, created their own settings file in ~/Library/Preferences, and that was that. For various reasons, this became steadily more complicated, with some apps assembling arrays of files and folders in /Library/Application Support, and in recent years many apps have required helpers too. One common reason for this is that they need to perform certain functions with elevated privileges, such as root. To do that, they have become even more elaborate, with Login Items, property lists installed in folders like /Library/LaunchAgents, and more. This article explains how Ventura is trying to make things simpler again.

Traditional

Before Ventura, a modern app using a Login Item and privileged helper might have several additions to its bundle, and to the main /Library folder. For an example app named MyApp, these could include:

  • a Login Item, a lightweight app providing a menu bar dashboard, at MyApp.app/Contents/Library/LoginItems/AppDashboard.app
  • a privileged helper in a Mach-O binary, provided at MyApp.app/Contents/Library/LaunchServices/com.developer.apphelper, then installed to /Library/PrivilegedHelperTools/com.developer.apphelper
  • a property list for launchd to run the helper, installed in /Library/LaunchDaemons/com.developer.apphelper.plist.

Originally, the privileged helper and its property list might have been installed using an Installer package for the whole app, but there are neater ways to do this now, in which the helper is ‘blessed’ by Service Management, and the Login Item needs to be properly registered and enabled with Service Management too. The property list is usually embedded in the helper binary, so the whole installation process is normally handled by the app running in its own bundle.

When the app does this, it can be smarter than any installer, and check the Login Item and privileged helper are both correctly installed and available each time it opens. If any component is missing, it can then reinstall them, and that’s why deleting property lists for LaunchAgents and LaunchDaemons can’t solve problems with Background Items: the next time you run that app, it merely reinstalls them, and you’re back to square one.

Just like any installer, apps that install Login and Background Items should also support uninstalling them. Otherwise, if you were to remove that app, the helper and its property list would be left behind. Not all apps offer that, and many users aren’t aware of the need to uninstall before removing that app.

Ventura

macOS Ventura introduces a new scheme for Login Items, helpers, and their property lists, that should solve those problems. Helpers and the property lists for LaunchAgents and LaunchDaemons are now kept within the app bundle:

  • Login Items should remain in /Contents/Library/LoginItems;
  • executable code for helpers can be installed in various folders, but Apple suggests that /Contents/Resources might be most appropriate;
  • LaunchAgent property lists go into /Contents/Library/LaunchAgents;
  • LaunchDaemon property lists go into /Contents/Library/LaunchDaemons.

When placed there, Ventura will automatically make their association correctly, so no further installation or action is necessary. If those locations aren’t possible, then others can be associated with that app, although that becomes more complicated.

Because the user can now disable Login and Background Items in the Login Items settings, apps running in Ventura can check the status of their Login and Background Items and warn the user of the effects of those settings on the app and its features. The app can also open the Login Items section in System Settings to help the user make any necessary changes.

LaunchDaemons and LaunchAgents need to be registered, which will normally be requested from the user. LaunchDaemons are system-level processes, so the user needs to authenticate to authorise them; however, that’s actually a benefit, as it results in the approval of other helpers, and fewer authorisations on the part of the user.

Better apps should still provide the user with the means to unregister these app components, for example when the user is going to remove that app. However, this new scheme should address this automatically, as simply removing the app should call Service Management to clean up when it next performs its routine housekeeping, normally the following night.

This new scheme has a significant security advantage as property lists for launchd are all retained in the app bundle, where they are protected by its code signature. Because of that, third parties can’t modify them, although that may not be to the liking of some advanced users, who also can’t tinker with them.
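The two layouts described above can be told apart on disk. The following Python is an added example, not code from this article or from Apple: it lists launchd property lists in the traditional /Library folders and inside app bundles, and checks that the executable each one names still exists. It assumes bundled property lists name their helper with launchd's `BundleProgram` key and scans only the top level of Applications; the function names, the `com.developer.agent` label and the sample tree are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

LEGACY_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")
BUNDLE_DIRS = ("Contents/Library/LaunchAgents", "Contents/Library/LaunchDaemons")

def describe(plist, root, app=None):
    """Summarise one launchd plist; app is the owning bundle in the Ventura scheme."""
    kind = "daemon" if plist.parent.name == "LaunchDaemons" else "agent"
    entry = {"plist": plist.name, "scheme": "bundled" if app else "traditional",
             "kind": kind, "label": None}
    try:
        job = plistlib.loads(plist.read_bytes())
    except (OSError, ValueError, ExpatError):
        job = None
    if not isinstance(job, dict):
        return {**entry, "status": "unreadable"}
    entry["label"] = job.get("Label")
    # BundleProgram is bundle-relative; Program / ProgramArguments[0] are absolute.
    if app is not None and isinstance(job.get("BundleProgram"), str):
        target = app / job["BundleProgram"]
    else:
        args = job.get("ProgramArguments")
        program = job.get("Program") or (args[0] if isinstance(args, list) and args else None)
        if not isinstance(program, str):
            return {**entry, "status": "no-program"}
        target = root / program.lstrip("/")
    return {**entry, "status": "ok" if target.is_file() else "missing-target"}

def audit(root):
    """List launchd jobs under root from both the traditional and bundled locations."""
    found, root = [], Path(root)
    for rel in LEGACY_DIRS:
        found += [describe(p, root) for p in sorted((root / rel).glob("*.plist"))]
    for app in sorted((root / "Applications").glob("*.app")):
        for rel in BUNDLE_DIRS:
            found += [describe(p, root, app) for p in sorted((app / rel).glob("*.plist"))]
    return found

def build_sample(root):
    """Constructed sample volume: a plist left behind in /Library, and a bundled agent."""
    root = Path(root)
    daemons = root / "Library/LaunchDaemons"
    daemons.mkdir(parents=True)
    # Traditional scheme: the plist survives in /Library but its helper is gone.
    helper = "/Library/PrivilegedHelperTools/com.developer.apphelper"
    (daemons / "com.developer.apphelper.plist").write_bytes(
        plistlib.dumps({"Label": "com.developer.apphelper", "Program": helper}))
    (daemons / "broken.plist").write_bytes(b"not a plist")
    # Ventura scheme: plist and helper both live inside MyApp.app.
    app = root / "Applications/MyApp.app"
    agents = app / "Contents/Library/LaunchAgents"
    agents.mkdir(parents=True)
    (app / "Contents/Resources").mkdir()
    (app / "Contents/Resources/agent").write_bytes(b"")
    (agents / "com.developer.agent.plist").write_bytes(plistlib.dumps(
        {"Label": "com.developer.agent", "BundleProgram": "Contents/Resources/agent"}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit(tmp), sep="\n")
```

On a real Mac, `audit("/")` scans the startup volume; a `missing-target` entry in the traditional folders is the kind of leftover that removing an app without uninstalling its helper produces.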

Transition

This new scheme only operates in Ventura. Apps which only run in Ventura and later can use it already, but existing apps, and all those that need to be compatible with previous versions of macOS, need to offer the traditional system for compatibility. Some may support both schemes, but that makes an already complex issue even more challenging to get right. So for the time being, I’d only expect apps that can’t run in Monterey or earlier to use the new scheme.

The requirement to support both old and new schemes may be responsible for the problems that some are experiencing in managing Background Items in Ventura.

Destination

While Ventura has to support both old and new schemes, I expect that Apple will drop support for the old scheme as soon as it thinks that’s feasible. I think one of the ultimate intentions is for macOS to lock down LaunchAgents and LaunchDaemons folders in the main library, a big step forward in preventing malicious software from becoming persistent. We have yet to see how Apple will allow advanced users to install their own property lists for launchd, though.

Summary

  • Prior to Ventura, apps installed helpers and their property lists in folders in /Library.
  • New to Ventura is a scheme in which those are kept within the main app bundle.
  • Ventura thus has to cope with both schemes, which may account for some of the problems experienced with Background Items.
  • Apple may intend to further limit access to /Library/LaunchAgents and LaunchDaemons folders in future macOS to help prevent malware persistence.

Further reading

Apple’s traditional approach (2016)
Ventura’s new Service Management scheme.

Posted in Macs, Technology and tagged LaunchAgents, launchd, LaunchDaemons, login, Login Item, macOS 13, Service Management, Ventura.

15 Comments
  1. 1
    Old Coot on February 16, 2023 at 1:40 pm

    “Apple will drop support for the old scheme as soon as it thinks” I am presuming, when most apps are written for M1 and M2 and beyond since there are literally thousands of apps that are written for Intel chips that will either bite the dust or get upgraded to the new architecture.

    • 2
      hoakley on February 16, 2023 at 5:38 pm

      This has nothing to do with architecture/platform, but I think is intended progress in security. The apps that I run now are pretty well all written for both architectures, and run very nicely on Apple silicon. However, until many of those apps are rewritten to use the new scheme, they’ll require support for the old scheme in macOS. Judging when that happens isn’t going to be easy, as older versions of those apps simply wouldn’t work when macOS only supports the new scheme. I suspect that will be several years yet.
      Howard.


  2. 3
    Wes on February 16, 2023 at 4:59 pm

    “LaunchDaemons and LaunchAgents [in the app bundle] need to be registered” – what’s the mechanism for this? Does the app have to run and request this itself, or does the Mac automatically detect them? How would a traditional PKG installer go about registering the appropriate Agent/Daemon when it’s located in the app bundle?


    • 4
      hoakley on February 16, 2023 at 5:46 pm

      Very good questions, and as I haven’t yet used an app that I know uses the new scheme, my answer must be provisional.
      The code of the app has to register the Login and Background Items with Service Management (it already has to now, though). In the case of a LaunchDaemon, that will inevitably require authentication as they work at a system level, so that’s at least one dialog for the user. I think that Service Management also seeks the user’s consent to add the items to Login and Background Items as appropriate, and that’s where the unhelpful prompts about developer names occur.
      Traditional PKG-based installers can’t handle either the pre-Ventura or Ventura mechanisms, as this isn’t just about putting the right files in the right places, but also requires the app to interact with Service Management, or nothing will work.
      These are the sort of things that may account for some Login and Background Items causing problems now – I suspect some old printer software packages don’t do the right things, for instance.
      Howard.

  3. 5
    Bryan Christianson on February 16, 2023 at 8:50 pm

    I had a quick look at the new API and decided to do nothing with it until my hand is forced by SMJobBless and friends being removed from the SDK. Apple could drop the old API when Monterey is no longer supported by them but even that is not a given.

    The much frowned upon AuthorizationExecuteWithPrivileges() API was deprecated many years ago but is still present in the SDK, so really, it’s anybody’s guess as to how it will play out.

    One thing I have wondered is if the new API will allow applications using it to be distributed via the Apple App Store. I suspect not but it would certainly be a good thing if that were the case.

    • 6
      hoakley on February 16, 2023 at 8:59 pm

      Thank you, Bryan – I value your opinion, as you’re the only one here who has had to negotiate this in real life.
      I believe that one of the intentions is that the new API will be allowed, within limits, in App Store apps. I’m convinced that in the longer term Apple wants to lock third parties out of the LaunchAgents and LaunchDaemons folders in /Library. That’s a relatively easy route to persistence for malware, and there aren’t many alternative strategies to tackle it.
      Howard.


      • 7
        Milo on February 17, 2023 at 9:04 am

        It’s true that LaunchAgents and LaunchDaemons are the most popular way to persist malware on macOS. But I’m not sure locking only that down will really hamper bad actors.

        Here is a fascinating series about 29! ways to achieve persistence on macOS. Of course not all of them are as flexible and convenient as Agents and Daemons. But it shows how much work there would still be ahead to completely lock down the OS.

        https://theevilbit.github.io/beyond/

        • 8
          hoakley on February 17, 2023 at 11:56 am

          Thank you. Yes, that’s an excellent series. It also repays reading some of the early articles too. For instance, the one on Login Items was written for Monterey. In Ventura, Login Items are no longer the secrets they used to be, as I’ve explained, so that’s another route secured now.
          Think of this like a house: a thief can always break a window and gain entry, but does that mean you shouldn’t lock the doors?
          Apple can’t completely lock down macOS in the way that iOS is. And if it tried, all our apps would break, and wouldn’t be able to have helpers etc. This is a gradual process in which each route needs to be better secured, and Background and Login Items is one important step in that process.
          Howard.


        • 9
          Milo on February 17, 2023 at 1:13 pm

          I support door locks and would recommend anyone to use them too 🙂 I would only ask Apple not to completely brick the door one day. Fortunately we are not there yet and hopefully never will.


  4. 10
    hstriepe on February 18, 2023 at 8:26 pm

    Just a note, Lingon X supports these new schemes.


    • 11
      hoakley on February 18, 2023 at 8:35 pm

      Erm, are you sure? Lingon X works with and changes launchd property lists. Those used in the new scheme are protected by the code signature and notarization of the app, as they remain in the app bundle, so, according to Apple, they can’t be changed at all. This is I believe one of the points of friction of the new scheme: users won’t be able to modify those plists to change the behaviour of the helpers etc., and that’s intentional on the part of Apple.
      Howard.


      • 12
        hstriepe on February 19, 2023 at 3:21 am

        Just checked. I thought it would manipulate them with launchctl but it looks like it cannot do that. It just displays them. You are correct.

        • 13
          hoakley on February 19, 2023 at 9:46 am

          Thanks for confirming.
          It’s a double-edged sword: improved security means limiting the controls for advanced users, although I’m not sure how many have actually taken advantage of the ability to change those property lists in the past.
          Howard.


        • 14
          hstriepe on February 19, 2023 at 4:41 pm

          I just came off a deep dive to get the CyberPower PowerPanel Personal software for a new UPS functional and usable. An unsigned and unnotarized pile of Java, Python, Qt, and bash scripts running Intel only with a daemon named “daemon” (great for discerning it in the Activity Monitor,) it does a few things more than the built-in functionality of the Energy Saver panel.

          Debugging the system, since it could not communicate with the daemon after installation, I found that it was not triggering the Background Items permissions. Invoking the daemon via the command line fixed that. I then noticed it consumed 1.2% CPU on my Studio with 120MB of RAM, which seemed excessive for what it does.

          I wrote a set of bash scripts using launchctl to unload/disable and load/enable the daemon and app on demand to be able to set voltage thresholds for the UPS etc. Easier than crawling under the desk and fiddling with a one-button interface to set parameters (you know the kind: long presses & double presses, all in carefully sequenced cascades that are oh-so user-friendly.)

          I also got rid of its dock menu when it is running as a menu app, which necessitated another script to kill it since there was no longer a menu bar. Most likely a Qt interaction with the dock state.

          All of this took about 90 min. Most of it was to untangle the components of the app and research launchd and launchctl, which I had not used in years.

          Anyway, to underscore your point, PowerPanel installs its plists in /Library/LaunchAgents and /Library/LaunchDaemons. That makes it easy to debug and manipulate.

          But I do wish CyberPower would invest in clean, native implementations of their software for a better user experience. As a $7.8B company, their volume should warrant that.

        • 15
          hoakley on February 19, 2023 at 8:22 pm

          Ouch! That’s horrible.
          Howard.

