macOS LaunchAgents vs LaunchDaemons: The Admin’s Guide to Startup Persistence
Forget “Startup Items.” This is How macOS Really Auto-Starts.
You install an application, and it magically runs when you turn on your Mac. You log in, and your backup tool quietly starts in the background.
How? It’s not magic. It’s launchd.
For system administrators, this is the key to deploying and managing software. For security analysts, this is the number one place to hide malware and establish persistence.
Understanding the difference between LaunchAgents and LaunchDaemons isn’t academic—it’s a fundamental skill for anyone responsible for a Mac. This guide cuts through the confusion and gives you the practical knowledge you need.
Meet launchd: The Master Process
Before we dive in, know this: on macOS, launchd is the first process that starts (PID 1). It’s the master process that controls all other processes and services, similar to systemd on Linux or init.
Its job is to start, stop, and manage daemons (background services) and agents (user-facing services) based on XML configuration files called property lists (plists).
These plists are what we call LaunchAgents and LaunchDaemons.
The Showdown: LaunchAgents vs. LaunchDaemons
Here’s the breakdown that defines everything.
Feature | LaunchDaemons | LaunchAgents |
---|---|---|
Scope | System-Wide | User-Specific |
Runs As | root (or a specified system user) | Logged-in User |
When It Runs | At System Boot (before login) | At User Login |
File Location | /Library/LaunchDaemons/ | /Library/LaunchAgents/ (all users); ~/Library/LaunchAgents/ (your user only) |
GUI Access? | No. Runs entirely in the background. | Yes. Can display a GUI application. |
Use Case | Web servers, database servers, security software, backup daemons. | User applications, menu bar utilities, sync clients. |
LaunchDaemons: The System-Wide Workhorses
- Purpose: For critical background services that need to run 24/7, regardless of who is using the machine.
- Location: /Library/LaunchDaemons/ (Requires sudo to modify)
- Example: A web server, a centralized logging agent, or an MDM management daemon. If the machine is on, it’s running.
LaunchAgents: The User-Facing Helpers
- Purpose: To start applications for a specific user once they log in.
- Locations:
  - ~/Library/LaunchAgents/ (Only for your user account)
  - /Library/LaunchAgents/ (For all users on the system)
- Example: Your Slack or Dropbox application that launches when you log in. If no one is logged in, it’s not running.
The Practical Guide: How to Manage Them
You don’t need to be a wizard to control these. The command-line tool launchctl is your best friend.
1. Loading and Unloading a Service
You can manually start (load) or stop (unload) a job. This is essential for testing.
```bash
# Load a LaunchDaemon (requires sudo)
sudo launchctl load /Library/LaunchDaemons/com.company.servicename.plist

# Unload a LaunchDaemon
sudo launchctl unload /Library/LaunchDaemons/com.company.servicename.plist

# Load a LaunchAgent for your user (no sudo needed)
launchctl load ~/Library/LaunchAgents/com.company.helper.plist
```
2. See What’s Running
To see every single loaded agent and daemon (get ready for a long list):
```bash
# View all loaded items
launchctl list

# Filter for a specific service
launchctl list | grep -i "slack"
```
The Security Implications: Hunting for Malware
This is why this knowledge is non-negotiable for security.
Malware loves these locations. Installing a plist file here is the easiest way to guarantee your code runs again after a reboot.
Your Investigation Checklist:
- Check the Directories: Manually inspect the folders. Anything look suspicious?
  - ~/Library/LaunchAgents/
  - /Library/LaunchAgents/
  - /Library/LaunchDaemons/
- Use launchctl: Run launchctl list and look for unfamiliar process names.
- Inspect the Plist: If you find a suspicious file, examine it. You can use the plutil command or just cat it.

  ```bash
  # Check if the plist is formatted correctly
  plutil -lint /Library/LaunchDaemons/suspicious.file.plist

  # See what it’s set to run
  cat /Library/LaunchDaemons/suspicious.file.plist
  ```

  Look for the ProgramArguments key—this tells you what command or script it is set to execute.
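The plist inspection step above, automated as an added example (not code from the original article): it parses a job definition with Python's plistlib, which reads both XML and binary plists, extracts what the job executes, and applies a few triage heuristics. The heuristics, the flag wording, and the two sample jobs are assumptions constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Heuristics chosen for this example (assumptions; tune them for your fleet).
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}

def triage_plist(path, data):
    """Return (executable, argv, flags) for one launchd plist, XML or binary."""
    try:
        job = dict(plistlib.loads(data))
    except Exception:
        return None, [], ["unparseable or non-dictionary plist"]
    argv = [str(a) for a in job.get("ProgramArguments") or []]
    # launchd executes Program if set, otherwise ProgramArguments[0].
    exe = job.get("Program") or (argv[0] if argv else None)
    if exe is None:
        return None, argv, ["no Program or ProgramArguments"]
    words = [str(exe)] + argv
    flags = []
    if any(d in w for w in words for d in WRITABLE_DIRS):
        flags.append("references a world-writable directory")
    if any("/." in w for w in words):
        flags.append("references a hidden path")
    if PurePosixPath(str(exe)).name in INTERPRETERS and "-c" in argv:
        flags.append("interpreter running an inline command")
    if job.get("Label") != PurePosixPath(path).stem:
        flags.append("Label does not match file name")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        flags.append("RunAtLoad with KeepAlive")
    return exe, argv, flags

# Constructed sample jobs (not real software, not real indicators).
SAMPLES = {
    "/Library/LaunchDaemons/com.example.backupd.plist": plistlib.dumps({
        "Label": "com.example.backupd",
        "ProgramArguments": ["/usr/local/bin/backupd", "--daemon"],
        "RunAtLoad": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/run"],
        "RunAtLoad": True, "KeepAlive": True,
    }, fmt=plistlib.FMT_BINARY),  # binary plist: cat shows bytes, not XML
}

if __name__ == "__main__":
    for path, data in SAMPLES.items():
        print(path, *triage_plist(path, data), sep="\n  ")
```

A flag is a reason to look closer, not a verdict: legitimate software also uses RunAtLoad, KeepAlive, and shell wrappers.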
Conclusion: Control and Visibility
Understanding LaunchAgents and LaunchDaemons gives you two superpowers:
- Control: You can precisely manage what software runs on your Macs, both for users and the entire system.
- Visibility: You know where to look for persistence, making you a more effective administrator and a formidable threat hunter.
Stop guessing why something auto-starts. Start knowing.
Managing a fleet of Macs? This is where MDM solutions like Jamf Pro or Mosyle become essential, allowing you to deploy and manage these plists across your entire organization from a central console.
FAQ Section
Q: What is the difference between LaunchAgents and Login Items?
A: Login Items are a user-friendly, GUI-based feature managed through System Settings > General > Login Items. Under the hood, they are often implemented using LaunchAgents. The key difference is that Login Items are intended for user applications and are easily visible and manageable by the user. LaunchAgents are a lower-level, more powerful mechanism that can run scripts and background processes without any user interface, making them preferred for admin tasks and, unfortunately, malware.
Q: How do I prevent a LaunchAgent or LaunchDaemon from running?
A: The safest method is to unload it and then move or delete the .plist file. First, use sudo launchctl unload /path/to/file.plist to stop the currently running job. Then, move the .plist file out of its LaunchAgents or LaunchDaemons directory (e.g., to your Desktop). Simply deleting the file without unloading it first may not stop the currently running process.
Q: Can a LaunchDaemon open a graphical application?
A: No, this is a critical security and architectural rule. LaunchDaemons run in the system context before any user has logged in. They have no access to the graphical user interface (GUI). If a process needs to display a window to the user, it must be run as a LaunchAgent (or Login Item) within a user’s login session.
Q: Where do third-party apps typically install their agents?
A: Reputable apps will often install their background helpers into /Library/LaunchDaemons/ for system-level daemons and /Library/LaunchAgents/ for user-level helpers that need to run for every user. User-specific applications, especially those downloaded from the App Store, will typically only install agents into the current user’s ~/Library/LaunchAgents/ directory. Finding agents in the user’s home directory is very common.