0

I started using a well-known program for self-control on MacOS called Cold Turkey. This program is very powerful, but it's not enough since I can open a Terminal as a non-admin user and execute the command:

launchctl unload ~/Library/LaunchAgents/launchkeep.name-of-the-program.plist

The question is simple: how can I prevent a non-admin user from doing this? I've searched a lot online, but there seem to be only partial solutions. Can I "move" the .plist file to the LaunchDaemons folder and make some adjustments? I tried doing this, but it doesn't seem to work.

I inquired with Felix, the developer of Cold Turkey, about whether it's possible to prevent a non-administrator user on a Mac from executing this command without requiring administrator privileges:

launchctl unload ~/Library/LaunchAgents/launchkeep.cold-turkey.plist

Felix responded that it's not feasible to prevent this due to the way macOS is designed and the necessary permissions required for the Safari extension to function properly.

Is there any hope left? I don't want to stop using the software; it's really good. Do you have any ideas?

Improve this question
5
  • 1
    Try putting it in the systemwide /Library/LaunchAgents/ directory (note the lack of a tilde in that path). LaunchAgents run on a per-user basis when users are logged in. LaunchDaemons are systemwide background processes that don't run as real users and run even when no one is logged in. That's why putting it in /Library/LaunchDaemons/ didn't work: when run that way, it wouldn't have had access to your user account context, which it probably needs if it's going to block you from goofing off or whatever.
    – Spiff
    Commented Apr 6 at 1:36
  • @Spiff, unfortunately, I can no longer copy and paste files into the System folder even after disabling SIP. I've just tried it now. I've also read other confirmations in comments on this site: "starting in Catalina, SIP is reinforced by a split file system which prevents writing to /System even with SIP turned off".
    – Alfred
    Commented Apr 6 at 12:09
  • read that path I gave you again. I was talking about the root level /Library/, not /System/Library/
    – Spiff
    Commented Apr 6 at 18:07
  • Ooh i see @Spiff, so should i try to do this in the terminal, right? First su adminaccount (since I think i need admin permissions to do this) and then sudo mv ~/Library/LaunchAgents/launchkeep.cold-turkey.plist /Library/LaunchAgents/
    – Alfred
    Commented Apr 6 at 19:42
  • @Spiff I think it is useless because there exists already two plist files from the developer.
    – Alfred
    Commented Apr 6 at 19:54

1 Answer 1

Reset to default
0

You might be able to use Gatekeeper (spctl).

For an example of its use see the post Block Specific Apps on macOS where the answer says:

You can use spctl (Gatekeeper) to create lists of approved and unapproved apps.

For example, suppose you want to allow Mail but block Chrome.

sudo spctl --add --label "ApprovedApps" /Applications/Mail.app 
sudo spctl --add --label "DeniedApps" /Applications/Chrome.app

The above command will will "label" Mail and Chrome as "Approved" and "Denied" respectively (you can use your own descriptors).

Now, to enable/disable apps, you issue the commands:

sudo spctl --enable --label "ApprovedApps" 
sudo spctl --disable --label "DeniedApps"

The advantage this has is that to add another app to either list, you just have to add the appropriate label:

sudo spctl --add --label "ApprovedApps" /Applications/Another.app

Additionally, you can forbid code from the Mac App Store from running (found in the spctl man page - [man spctl][1]).

spctl --disable --label "Mac App Store"

This will prevent anyone from downloading an App from the App store and installing/running it.

This restriction will not affect administrators.

Improve this answer
1
  • Yes @harrymc, but if I do this, I will never be able to use the program. I just want to occasionally block Firefox, so I don't waste too much time aimlessly browsing. If I wanted to completely block a program, I would probably use Google Santa. Anyways... thanks.
    – Alfred
    Commented Apr 6 at 16:13

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .