Making Your Mac App Launch on Login (An iOS Developer's Opinion)

I have been a Mac user for quite a while now and while I understand how some underlying technologies work because I had played with them in the past, actually writing your own Mac app gives you an entirely different point of view. Today I had quite the “you have got to be fucking with me” moment.

I have tried to make Guardian Firewall for Mac, which is still in beta, launch on login/boot. The solutions I have found kept getting worse and worse and user interaction in any way seemed to not be required at all. Coming from iOS with its very locked-down OS and requiring external user input for basically anything at this point because some developers just have to be terrible and abuse every little bit of API platform, I just couldn’t believe the state of the Mac at the moment when the solution to this problem is seemingly so obvious.

There are many ways to add launch items on Mac but the “oldest” way to accomplish this that I know of is by dropping a .plist file into ~/Library/LaunchAgents/ (or /Library/LaunchAgents for all users of the Mac). You define a few keys and values in the file and move on with your life. There are also other ways to do this but this variant is quite easy to explain and very flexible as it is just a plaintext file.
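Because a file dropped into either directory takes effect without any prompt, it is worth being able to list what is registered there. The following is an added example, not code from this post or from Guardian Firewall: a small Python audit that reads each launch agent plist and reports what it starts. The sample job, its label and its app path are constructed for illustration.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# The two locations named in the post: per-user and all-users launch agents.
AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]

# Constructed sample job; the label and app path are made up for illustration.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Example.app/Contents/MacOS/Example</string><string>--background</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>"""

def describe_agent(data: bytes) -> dict:
    """Summarise what one launchd job definition (XML or binary plist) starts."""
    job = plistlib.loads(data)
    if not isinstance(job, dict):
        raise ValueError("top-level plist object is not a dictionary")
    args = job.get("ProgramArguments") or []
    return {
        "label": job.get("Label"),
        # launchd runs Program if present, otherwise ProgramArguments[0]
        "program": job.get("Program") or (args[0] if args else None),
        "run_at_load": job.get("RunAtLoad") is True,
        # KeepAlive may be a boolean or a dictionary of conditions
        "keep_alive": bool(job.get("KeepAlive", False)),
    }

def audit(dirs=AGENT_DIRS) -> list:
    """Return one summary per .plist found; unreadable files are reported, not skipped."""
    report = []
    for directory in dirs:
        for path in sorted(Path(directory).glob("*.plist")):
            try:
                entry = describe_agent(path.read_bytes())
            except (ValueError, ExpatError, OSError) as exc:
                entry = {"error": f"{type(exc).__name__}: {exc}"}
            report.append({"path": str(path), **entry})
    return report

if __name__ == "__main__":
    for item in audit():
        print(item)
```

Run it on a Mac to see every agent in both directories; entries that fail to parse are listed with the error rather than dropped, since an unreadable job definition is itself worth a look.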

To me, the way to actually solve this problem from an app POV interacting with APIs would be to call an NSApplication method with a completion handler, similarly to how you ask for permissions on iOS or macOS to access location data. This way both sandboxed and non-sandboxed apps can easily adopt this new API and the user is presented with a little modal alert containing a short explanation by the developer asking them for confirmation. Behind the scenes macOS creates a .plist file with a reference to the app and then drops it into ~/Library/LaunchAgents/.

This solution would offer a few key advantages:

  1. It guarantees backwards compatibility & existing apps will continue to function
  2. With the correct permissions (or by being root) a script or any sort of automation tool can still accomplish the same task
  3. All Mac developers get access to a supported & predictable API in an already established format
  4. Compatible with sandboxed or non-sandboxed apps
  5. Going forward the user will have a clear expectation about the interaction
  6. API adoption can be enforced for sandboxed apps (I would absolutely endorse the app review enforcement in this case)

The current possibilities, as for example described here, which include a little helper app that has no UI but is yet another target that needs to be included in the bundle and codesigned properly, sound like nobody has had the chance to give all of this enough thought, especially given the changes Apple has made over time to the Mac sandbox.
Making this change would make the Mac a more secure platform without limiting power users in any way.

18.11.2021