Launch agents
These are jobs that run in the context of a user login session, typically running with the privileges of that user and often used for per-user tasks or UI-related startup items. Launch agents are appropriate for things that should start when a specific user logs in (or for each user that logs in) and possibly interact with that user’s environment (for example, auto-launching an app or showing an icon in the menu bar).
Startup behavior
Each time a user logs in (graphically), a per-user launchd process is started for that session. That per-user launchd will load all plist files in the LaunchAgents locations:
- the user’s own ~/Library/LaunchAgents (for agents specific to that user),
- the global /Library/LaunchAgents (for agents that should run for all users), as well as
- Apple’s /System/Library/LaunchAgents (system-provided agents).
Any agents with RunAtLoad=true will be launched immediately at login, while others might launch on specific triggers or on-demand. Agents run with the user’s identity and can interact with the GUI (they have access to the Window Server and user’s GUI session).
Locations
LaunchAgent plists intended for all users go in /Library/LaunchAgents. Those meant only for a particular user go in that user’s ~/Library/LaunchAgents. (As with daemons, macOS itself has default agents in the /System/Library/LaunchAgents directory; these are loaded for a user as needed, but third-party software should not put files in the System folder due to SIP protection.) The user-specific ~/Library/LaunchAgents is a common place for login items that only that user needs.
Use cases
Launch agents are used for background utilities or helpers that a user might need when they log in. For example, an application that needs to start a helper process for the user (perhaps a cloud drive sync app, or a music player helper) could install a launch agent in /Library/LaunchAgents to start on login.
They are also used for things like Apple’s own menu bar extras or context menu agents that run in userland. From a security perspective, any code that an attacker wants to run with user privileges at login (persisting for that user) could be planted as a launch agent.
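A defender's inventory of the locations above, as an added example (not code from the original page): it parses every plist in the three LaunchAgents directories and reports what each agent executes and whether RunAtLoad starts it at login. The function names and the com.example.* sample agents are constructed for illustration; Label, Program, ProgramArguments and RunAtLoad are launchd plist keys.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

AGENT_DIRS = {  # the three LaunchAgents locations, and who each applies to
    "~/Library/LaunchAgents": "this user",
    "/Library/LaunchAgents": "all users",
    "/System/Library/LaunchAgents": "system-provided",
}

def audit_launch_agents(dirs=AGENT_DIRS):
    """Return one record per plist: what it runs and whether it starts at login."""
    records = []
    for directory, scope in dirs.items():
        for plist in sorted(Path(directory).expanduser().glob("*.plist")):
            rec = {"plist": str(plist), "scope": scope}
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)  # handles XML and binary plists
                if not isinstance(job, dict):
                    raise ValueError("top-level object is not a dictionary")
            except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
                rec["error"] = f"unparseable: {exc}"  # report it, never skip silently
            else:
                # launchd executes Program, or ProgramArguments[0] when Program is absent.
                args = job.get("ProgramArguments") or []
                rec["label"] = job.get("Label")
                rec["program"] = job.get("Program") or (args[0] if args else None)
                rec["run_at_load"] = job.get("RunAtLoad") is True
            records.append(rec)
    return records

def login_started(records):
    return [r for r in records if r.get("run_at_load")]  # RunAtLoad=true agents only

def make_sample_dir():
    """Constructed sample data: two agents and one corrupt file in a temp directory."""
    d = Path(tempfile.mkdtemp())
    (d / "com.example.sync.plist").write_bytes(plistlib.dumps(
        {"Label": "com.example.sync", "RunAtLoad": True,
         "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--bg"]}))
    (d / "com.example.ondemand.plist").write_bytes(plistlib.dumps(
        {"Label": "com.example.ondemand", "Program": "/usr/local/bin/example-tool"}))
    (d / "broken.plist").write_bytes(b"not a plist")
    return d

if __name__ == "__main__":
    print(*login_started(audit_launch_agents()), sep="\n")
```

Comparing the output against a known-good baseline after software installs or user changes shows which agents were added to the per-user and global directories.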