Launch jobs
Launch Agents vs Launch Daemons
Launch Agents and Launch Daemons are two types of launchd jobs, i.e., background services or tasks that macOS can run automatically. Both are defined by plist files and managed by the launchd system process (which is PID 1, the init process on macOS). However, they differ in when and how they run, as well as their context (user-level vs system-level).
Together, launch agents and daemons constitute the recommended mechanism for automatically starting executables on macOS (superseding older methods like StartupItems). They are often collectively referred to as “launch items” or launch persistence mechanisms.
Aspect | Launch Daemons | Launch Agents |
---|---|---|
Context & Privilege | System-wide background service (runs as root by default, at system level). No GUI interaction. | Per-user background service (runs as the logged-in user, in user space). Can interact with the user’s GUI session. |
Trigger/Startup | Loaded at boot by launchd (before any user logs in). Can be set to run on boot or on-demand system events. Runs for the entire system, independent of user sessions. | Loaded at user login by per-user launchd. Runs only when that specific user is logged in (each user session has its own agents). |
Locations of plist | /Library/LaunchDaemons for third-party or admin-added daemons (Apple’s are in /System/Library/LaunchDaemons). No per-user LaunchDaemons directory (system context only). | ~/Library/LaunchAgents for user-specific agents; /Library/LaunchAgents for agents that run for all users (Apple’s are in /System/Library/LaunchAgents). |
Use Cases | System services that should run regardless of user login, e.g., hardware drivers, antivirus engines, update checkers that require root, networking daemons. Should not require user interaction or display. | User-specific or UI-related tasks, e.g., launching an app helper at login, starting a cloud sync for the user, or any per-user customization. Can show dialogs, menu bar items, etc., since it runs in user context. |
Persistence & Scope | Persists across reboots and applies to the whole system. If enabled, will run on every boot (and often keep running). Typically run with higher privileges, making them powerful but also riskier if misused. | Persists across user logins (relaunches at each login for that user). If multiple users log in, each can have their own set of agents running. Runs with only the user’s privileges, limiting system-wide impact (but still potent for that user’s data). |
How they relate
Both Launch Agents and Daemons are managed by launchd and use the same plist format (the directory in which a plist is placed determines whether it’s treated as an agent or daemon). Conceptually, they fall under the broader category of “startup items” or auto-start services on macOS (Apple’s modern, unified approach to launching services, replacing older init/StartupItems).
In macOS’s architecture, launchd is the unified service manager (similar to init or systemd on other UNIX-like operating systems). It centralizes service management for both the system and users. Thus, Launch Daemons and Agents are two flavors of launchd jobs: one for system-level services and one for user-level services. Both are persisted via plist files in known directories, and both can be loaded/unloaded or managed via the launchctl command-line tool (which interfaces with launchd).
From a security standpoint, Launch Agents/Daemons are primary mechanisms for persistence on macOS. Apple’s guidelines explicitly endorse launchd plists (“launch items”) as the proper way to have background programs start automatically. Not surprisingly, attackers also heavily abuse these mechanisms, because any program referenced by an appropriate plist dropped in these folders will be executed by the OS automatically at startup or login.
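Because the directory alone decides whether a plist is an agent or a daemon, an inventory of these locations is a natural first step when reviewing persistence. The following is an added example, not part of the original page: it classifies each plist by directory as in the table above and reports the executable launchd would start. The function names, scope labels, the constructed sample tree and the assumption that home directories live under /Users are illustrative; `Label`, `Program`, `ProgramArguments` and `RunAtLoad` are standard launchd.plist keys.

```python
import os
import plistlib

# Directory -> (job type, scope), per the table above; relative to a scan root.
LAUNCH_DIRS = {
    "System/Library/LaunchDaemons": ("daemon", "apple"),
    "System/Library/LaunchAgents": ("agent", "apple"),
    "Library/LaunchDaemons": ("daemon", "third-party"),
    "Library/LaunchAgents": ("agent", "all-users"),
}

def ls(directory):
    try:
        return sorted(os.listdir(directory))
    except OSError:  # missing or unreadable directory
        return []

def audit(root="/"):
    """Return one record per launchd plist found under root."""
    dirs = [(os.path.join(root, rel), k, s) for rel, (k, s) in LAUNCH_DIRS.items()]
    dirs += [(os.path.join(root, "Users", u, "Library/LaunchAgents"), "agent", "user:" + u)
             for u in ls(os.path.join(root, "Users"))]  # assumes home dirs live in /Users
    records = []
    for directory, kind, scope in dirs:
        for name in (n for n in ls(directory) if n.endswith(".plist")):
            rec = {"path": os.path.join(directory, name), "type": kind, "scope": scope}
            try:
                with open(rec["path"], "rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
                args = job.get("ProgramArguments") or []
                # launchd executes Program if present, else ProgramArguments[0]
                rec.update(label=job.get("Label"), run_at_load=bool(job.get("RunAtLoad")),
                           executable=job.get("Program") or (args[0] if args else None))
            except Exception as exc:  # malformed plist: keep it in the report
                rec["error"] = type(exc).__name__
            records.append(rec)
    return records

def write_sample(root):
    """Constructed sample tree (made-up labels and paths) for trying audit() offline."""
    for rel, job in [
        ("Library/LaunchDaemons/com.example.updater.plist",
         {"Label": "com.example.updater", "Program": "/usr/local/bin/updater", "RunAtLoad": True}),
        ("Users/alice/Library/LaunchAgents/com.example.sync.plist",
         {"Label": "com.example.sync", "ProgramArguments": ["/Users/alice/.sync/helper"]}),
    ]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            plistlib.dump(job, fh)
```

On a Mac, run `audit()` as root so that other users' `~/Library/LaunchAgents` directories are readable; unreadable directories are skipped silently.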