MacOS Authorisation Plugin Installation Strategy

Question

garrow OP

Created Mar ’25

Replies 4

Boosts 0

Participants 2

I am developing an Authorisation Plugin which talks to Launch daemons over XPC.

Above is working neat, now I have to decide on how to get it installed on a machine.

Installation requires.

Plugin Installation
Launch Daemon Installation

Both require

Moving binary and text (.plist) file into privileged system managed directory.
Firing install/load commands as root (sudo).

I have referred this post BSD Privilege Escalation on macOS, but I am still not clear how to approach this.

Q: My requirement is:

I can use .pkg builder and install via script, however I have some initialisation task that needs to be performed. User will enter some details talk to a remote server and get some keys, all goes well restarts the system and my authorisation plugin will welcome him and get him started.

If I cannot perform initialisation I will have to do it post restart on login screen which I want to avoid if possible.

I tried unconventional way of using AppleScript from a SwiftUI application to run privileged commands, I am fine if it prompts for admin credentials, but it did not work.

I don't want that I do something and when approving it from Apple it gets rejected.

Basically, how can I provide some GUI to do initialisation during installation or may be an app which helps in this.

Q: Please also guide if I am doing elevated actions, how will it affect app distribution mechanism. In Read Me for EvenBetterAuthorizationSample I read it does.

Thanks.

Answered by DTS Engineer in 829946022

Please also guide if I am doing elevated actions, how will it affect app distribution mechanism.

I’m not 100% I understand what you’re asking here, but my best guess is that it’s about App Store distribution versus direct distribution using Developer ID signing. If so, then the answer is clear: Authorisation plug-ins can’t be distributed on the App Store.

As to your overall strategy here, IMO it depends on the focus of your product. Most authorisation plug-in vendors target managed environments — business, education, and so on — and in that context an installer package makes a lot of sense. Management (MDM) systems have good infrastructure for dealing with installer packages.

Implementing a self-install mechanism makes more sense if you’re targeting normal Mac users. They typically expect to download the app, as a zip archive or disk image, and then just run it.

Of course, there’s nothing stopping you from doing both, other than the amount of extra engineering team it’ll consume.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Mar ’25

Recommended

Please also guide if I am doing elevated actions, how will it affect app distribution mechanism.

I’m not 100% I understand what you’re asking here, but my best guess is that it’s about App Store distribution versus direct distribution using Developer ID signing. If so, then the answer is clear: Authorisation plug-ins can’t be distributed on the App Store.

As to your overall strategy here, IMO it depends on the focus of your product. Most authorisation plug-in vendors target managed environments — business, education, and so on — and in that context an installer package makes a lot of sense. Management (MDM) systems have good infrastructure for dealing with installer packages.

Implementing a self-install mechanism makes more sense if you’re targeting normal Mac users. They typically expect to download the app, as a zip archive or disk image, and then just run it.

Of course, there’s nothing stopping you from doing both, other than the amount of extra engineering team it’ll consume.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

garrow OP

Mar ’25

Thanks for the above response it cleared doubts I had regards to distribution, however I have concerns over how to make an installer.

I found this Updating your app package installer to use the new Service Management API. As during installation I have to talk to remote server and also place files in privileged location, I was not clear how to approach this.

What I read .pkg cannot have highly customised UI and also all work needs to be done in scripts (shell) which seemed limited.

With above link I think I got some idea, with SM API I can package an app which can talk to launch daemon which resides inside my app and can do privileged actions of installing my auth plugin. I still have to pursue it and see it in action.

Mostly, I have been doing simple macOS and iOS apps, never faced these challenges so was confused how to approach things.

Install Flow: Talk To Remote Server -> Fetch some keys -> Install auth plugin and launch daemon which will help auth plugin -> Store fetched keys in System Keychain.

Above will initialise my auth plugin and it will be ready to use on next restart.

0

Answer 3

DTS Engineer OP

Apple

Mar ’25

I’m not an installer expert by any means. Installer packages can do all sorts of cool stuff. Sadly, we don’t have good documentation that covers the full breadth of their capabilities.

Regarding your specific issue, I’m gonna come back to this idea of audience. If you’re building an installer package because you’re targeting managed environments, then you should look at how your potential customers typically configured this sort of thing. They might, for example, already have a mechanism to push privileged settings, and you product could piggy back on top of that.

For example, there’s the obscure but cool <libmanagedconfigurationfiles.h> mechanism. For details, see WWDC 2023 Session 10041 Explore advances in declarative device management, starting around 19:20.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

garrow OP

Mar ’25

Thanks, I'll look into it.

0