Hey list, I've been writing some security software, part of which is a system-wide agent (stored in /Library/LaunchAgents). I've almost got it working to the point that I'm satisfied for a 1.0 release. That was, until I realized two show-stopping facts. With a short trip to the terminal, any user is able to: 1. Kill the agent 2. Unload the agent using launchctl Well, duh, you might say. When I started out, I assumed that since the write privileges of /Library/LaunchAgents are root:whell, the agents loaded from that directory could only be affected by a user with administrator credentials. Unfortunately for me, that simply ain't so. (Granted, a non-privileged user can only temporarily disable the agent, as it will be reloaded when they logout and back in. But for my purposes, this is still unacceptable.) (Also I should mention that I can't write a daemon because the software must display a UI, and the UI itself is part of what shouldn't be killed without admin credentials.) To me, what I'm trying to do seems reasonable. It'd be nice if the UserName key was respected for agents installed in the system-wide LaunchAgents directory, so the agent would run in the GUI context of a certain user, but would be out-of-reach (to unprivileged users) as far as unloading or killing the process. On the other hand, I suppose respecting the UserName key conflicts with the whole notion of LaunchAgents running on behalf of the current user. Is my request reasonable or am I missing something? I'll also say that I've found a way to do what I need, but it directly violates the 10 Commandments of Launchd Agents. I would be eternally grateful if someone could suggest semi-rule-abiding way to secure a LaunchAgent from being controlled without authorization. Thanks! David