My enterprise app requires a launch daemon that provides services to support my Security agent plugin. I bundle everything in an App and install using AirWatch. This all used to work until something changed, either AirWatch or the macOS version. Now the install fails because my SMAppService instance returns an error when .register is called:

Error Domain=SMAppServiceErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedFailureReason=Operation not permitted}

If I install by opening my installer package as a user, the install always succeeds. The app is an enterprise app and is not distributed through the App Store. The app also installs a security extension. The security extension is installed and activated before any calls to SMAppService. I can't figure out what has changed in the last few months that would cause the error, or how to fix this. Any help or pointers would be appreciated.
SMAppService.daemon and AirWatch installation
How is your installer invoking SMAppService? By running the app as a command-line tool from the post-install script?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Yes. The app is run as a command line tool with an argument telling it to perform an install. That causes the calls with SMAppService.
The installation script has to update an endpoint security extension, so it first copies a signed app with the extension embedded in it and then executes that app and suspends security checks until the main app is installed. Then it runs the main app as a command line tool. The first app that updates the security extension is then removed.
The two steps are needed because the endpoint security extension prevents modifying the main app. When the main app acts in "install" mode, it configures a daemon and an agent. It configures a security agent plugin and updates authorization db to use it. The main app and security agent plugin communicate with the daemon using XPC.
A managed policy is installed that gives the app and the endpoint security extension full disk access.
My OS is 26.5
Thanks for all the details.
Yeah, I’ve never been happy with the whole ‘running your app as command-line tool’ process. It seems very brittle, especially in situations like yours where the installer package, and hence the post-install script, runs outside of a user context.
However, it is a documented, and hence supported, approach. Given that, we need to keep it working, so a bug report is called for.
Before I send you off in that direction, however, I want to ask about this:
My OS is 26.5
Because macOS 26.5 is still in beta, it’d be to your advantage to determine whether this problem was introduced by that update. If you retest this on macOS 26.4, does it have the same problem?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
I worked around this by running the command line app using launchctl asuser 501 xxx
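As an added example (not code from the thread, from Apple, or from the poster's product), a POSIX sh postinstall fragment that applies the launchctl asuser workaround from the last reply while resolving the console user's UID instead of hardcoding 501, and refuses to run when only the login window owns the console. The app binary path and the "--install" argument are assumptions.

```shell
#!/bin/sh
# Assumed path to the app's main executable and its "install mode" argument.
APP_BINARY="/Applications/ExampleAgent.app/Contents/MacOS/ExampleAgent"

# UID owning a device/file; /dev/console is owned by the logged-in GUI user.
# Takes the path as a parameter so it can be checked on an ordinary file.
console_uid() {
    ls -lnd "$1" | awk '{ print $3 }'
}

# SMAppService.register needs a real user context. UID 0 means loginwindow
# owns the console (nobody logged in); regular macOS users start at 501.
valid_user_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 501 ]
}

# Build the command line: `launchctl asuser` supplies the user's launchd
# (Mach bootstrap) context, `sudo -u "#uid"` drops root to that user.
install_cmd() {
    printf 'launchctl asuser %s sudo -u "#%s" "%s" --install' "$1" "$1" "$2"
}

# Postinstall entry point: fail loudly instead of registering as root.
run_install() {
    uid="$(console_uid /dev/console)"
    if ! valid_user_uid "$uid"; then
        echo "postinstall: no logged-in console user (uid=$uid)" >&2
        return 1
    fi
    eval "$(install_cmd "$uid" "$APP_BINARY")"
}

# Only perform the install when explicitly asked, so sourcing is side-effect free.
[ "${1:-}" = "--run" ] && run_install
```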