=Start=
Background:
From a security standpoint, one new feature is that users can now manage Login Items, Launch Agents and Launch Daemons in a single place in System Settings. Previously, the only way to see which items execute at device boot or user login was to use the Terminal, or to rely on third-party software to find the hidden directories in Finder. This has always been problematic, particularly for LaunchAgents, because any process could add a persistence item without the user's authorization or knowledge.
Now in macOS Ventura, users can not only see which items are set to persist, they can also control each of them individually in System Settings. Importantly, when an application adds a LaunchAgent, LaunchDaemon or Login Item, the system now raises a notification alert.
Since LaunchAgents are the most widely used persistence mechanism in macOS malware, this can only be a good thing. From a security perspective, the added visibility into and control over this process is certainly welcome: a long-overdue and significant improvement to macOS security.
However, enterprise teams need to take note. This extra protection against malware and misuse also affects the vast majority of software that uses these items legitimately. First, there are additional alerts to handle and dismiss; in some cases, as in the example above, a single installation may generate multiple alerts. Second, and perhaps more worrying, users may not understand the consequences of disabling these items in System Settings.
If your organization relies on essential software that uses this kind of persistence mechanism, you will need to work out what support calls you might receive if users disable it. At present, it is unclear whether the final release of Ventura will include the ability to lock these items via MDM or another mechanism so that users cannot disable critical software.
Body:
Reference answer:
The current latest macOS release, Ventura 13.2.1, provides convenient login-item management (and it is very comprehensive and effective, unlike earlier macOS versions, where it was hard for an individual to find and disable everything; sometimes the only option was the brute-force approach of killing processes and deleting directories, which is both very noisy and not guaranteed to clean everything up. Now both visibility and control are handed to the user, and users who need this should be quite pleased).
System Settings - General - Login Items
* Open at Login
* Allow in the Background
How to view the disabled startup items?
launchctl print-disabled system
cat /var/db/com.apple.xpc.launchd/disabled.plist
Some additional examples of launchctl commands:
launchctl print system
launchctl print user/$(id -u)
launchctl print user/0
launchctl print gui/$(id -u)
launchctl print-disabled system
launchctl print-disabled user/0
launchctl print-disabled user/$(id -u)
launchctl print-disabled gui/$(id -u)
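As an added example that is not part of the original post: a POSIX shell script that parses the output of `launchctl print-disabled <domain>` into a per-service state list and then looks for the plist declaring each disabled label in the standard launchd directories from the man page. `SAMPLE_PRINT_DISABLED` is a constructed sample (made-up labels) used when launchctl is not available on the host; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse `launchctl print-disabled`
# output and report which services are disabled, then look for their plists.
# When launchctl is unavailable (non-macOS host), a constructed sample is used.

# Constructed sample of `launchctl print-disabled system` output (the real
# output is tab-indented; these labels are made up).
SAMPLE_PRINT_DISABLED='disabled services = {
    "com.apple.ftp-proxy" => disabled
    "com.example.updater" => disabled
    "com.apple.CSCSupportd" => enabled
}'

# Read print-disabled output on stdin; emit "<label> <state>" per service.
parse_disabled() {
    sed -n 's/^[[:space:]]*"\([^"]*\)" => \([a-z]*\).*$/\1 \2/p'
}

# Labels whose state equals $1 ("disabled" or "enabled"), one per line.
labels_with_state() {
    parse_disabled | awk -v want="$1" '$2 == want { print $1 }'
}

# Disabled labels for a launchd domain such as "system" or "gui/$(id -u)".
# Falls back to the sample (ignoring the domain) when launchctl is missing.
disabled_in_domain() {
    if command -v launchctl >/dev/null 2>&1; then
        launchctl print-disabled "$1" | labels_with_state disabled
    else
        printf '%s\n' "$SAMPLE_PRINT_DISABLED" | labels_with_state disabled
    fi
}

# Find XML plists declaring label $1 in the standard launchd directories
# from the man page (binary plists are not matched by this text search).
find_plists_for_label() {
    for dir in "$HOME/Library/LaunchAgents" /Library/LaunchAgents \
               /Library/LaunchDaemons /System/Library/LaunchAgents \
               /System/Library/LaunchDaemons; do
        [ -d "$dir" ] || continue
        grep -l -s "<string>$1</string>" "$dir"/*.plist 2>/dev/null || true
    done
}

# Report the system domain's disabled services and where they are declared.
disabled_in_domain system | while read -r label; do
    echo "disabled: $label"
    find_plists_for_label "$label" | sed 's/^/  plist: /'
done
```

On macOS, run it as root to also cross-check the system domain against the list in /var/db/com.apple.xpc.launchd/disabled.plist shown above.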
==
$ man launchctl
...
~/Library/LaunchAgents Per-user agents provided by the user.
/Library/LaunchAgents Per-user agents provided by the administrator.
/Library/LaunchDaemons System wide daemons provided by the administrator.
/System/Library/LaunchAgents OS X Per-user agents.
/System/Library/LaunchDaemons OS X System wide daemons.
SYNOPSIS
launchctl subcommand [arguments ...]
DESCRIPTION
launchctl interfaces with launchd to manage and inspect daemons, agents and XPC services.
SUBCOMMANDS
launchctl allows for detailed examination of launchd's data structures. The fundamental structures are domains, services, and endpoints. A domain manages the execution policy for a collection of services. A service may be thought of as a virtual process that is always available to be spawned in response to demand. Each service has a collection of endpoints, and sending a message to one of those endpoints will cause the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets.
Many subcommands in launchctl take a specifier which indicates the target domain or service for the subcommand. This specifier may take one of the following forms:
system/[service-name]
Targets the system domain or a service within the system domain. The system domain manages the root Mach bootstrap and is considered a privileged execution context. Anyone may read or query the system domain, but root privileges are required to make modifications.
user/<uid>/[service-name]
Targets the user domain for the given UID or a service within that domain. A user domain may exist independently of a logged-in user. User domains do not exist on iOS.
login/<asid>/[service-name]
Targets a user-login domain or service within that domain. A user-login domain is created when the user logs in at the GUI and is identified by the audit session identifier associated with that login. If a user domain has an associated login domain, the print subcommand will display the ASID of that login domain. User-login domains do not exist on iOS.
gui/<uid>/[service-name]
Another form of the login specifier. Rather than specifying a user-login domain by its ASID, this specifier targets the domain based on which user it is associated with and is generally more convenient.
Note: GUI domains and user domains share many resources. For the purposes of the Mach bootstrap name lookups, they are "flat", so they share the same set of registered names. But they still have discrete sets of services. So when printing the user domain's contents, you may see many Mach bootstrap name registrations from services that exist in the GUI domain for that user, but you will not see the services themselves in that list.
pid/<pid>/[service-name]
Targets the domain for the given PID or a service within that domain. Each process on the system will have a PID domain associated with it that consists of the XPC services visible to that process which can be reached with xpc_connection_create(3).
For instance, when referring to a service with the identifier com.apple.example loaded into the GUI domain of a user with UID 501, domain-target is gui/501/, service-name is com.apple.example, and service-target is gui/501/com.apple.example.
Reference links:
Enable Norton in "Login Items" on macOS Ventura 13.x or later (In some cases, after disabling and re-enabling Norton in "Login Items", you may run into problems with Norton product scans and Norton product notifications. To resolve this, quit all open applications and restart your Mac.)
https://support.norton.com/sp/zh/cn/home/current/solutions/v20220916232603380
Fix login item issues with Adobe Creative Cloud | macOS Ventura
https://helpx.adobe.com/cn/download-install/kb/background-processes-macos.html
Remove login items on Mac to resolve startup problems
https://support.apple.com/zh-cn/guide/mac-help/mh21210/mac
Allow Microsoft AutoUpdate to run in the background
https://support.microsoft.com/zh-cn/office/%E5%85%81%E8%AE%B8-microsoft-autoupdate-%E5%9C%A8%E5%90%8E%E5%8F%B0%E8%BF%90%E8%A1%8C-93b5dd2a-2395-4780-80b6-00811b774f06
Apple's brand-new macOS Ventura operating system: new features in macOS Ventura
https://zhuanlan.zhihu.com/p/530265533
How does one check whether the OS X “disabled” flag for launchd services is set?
https://serverfault.com/questions/218402/how-does-one-check-whether-the-os-x-disabled-flag-for-launchd-services-is-set
launchctl – interface to launchd – Mac OS’s master task invoker
https://www.real-world-systems.com/docs/launchctl.1.html
https://ss64.com/osx/launchctl.html
How to completely remove a service from launchd added by mistake?
https://apple.stackexchange.com/questions/374495/how-to-completely-remove-a-service-from-launchd-added-by-mistake
macos_security/rules/os/os_httpd_disable.yaml
https://github.com/usnistgov/macos_security/blob/main/rules/os/os_httpd_disable.yaml
Startup items on macOS
https://ixyzero.com/blog/archives/5335.html
macOS Ventura Bug Spits Out Perpetual ‘Background Items Added’ Notifications at Login, Here’s a Potential Fix
https://www.macrumors.com/2023/02/02/macos-background-items-added-notification-bug/
Perpetual “Background Items Added”
https://discussions.apple.com/thread/254341579
How to Stop Background Items Added notifications in macOS Ventura?
https://www.fireebok.com/resource/how-to-stop-background-items-added-notifications-in-macos-ventura.html
=END=