As I am sure everyone here, especially Greg Neagle :), is aware, newer versions of macOS display an ever-increasing number of nag/notification messages.
One more recent category of such messages is an alert if an installer has added a launch daemon, launch agent or login item.
As usual from a security perspective Apple are right to add this although the (vast) number of all these various warnings etc. is becoming wearisome to veteran Mac users.
Oh the irony!
Anyway - the main point of this post is that whilst it is 'correct' behaviour that such warnings should be shown when an installer does install what are generically referred to as login items, I have observed the following with regard to installing Munkitools.
1. Multiple login items are flagged after installing Munkitools (six if I remember correctly) - again arguably correct behaviour
2. Whenever an update for Munkitools is installed a new set of these alerts is displayed - arguably incorrect behaviour
Specifically regarding issue 2 above. If the update to Munkitools is installing new binaries clearly that has to take place, but 99% or more of the time the corresponding launch daemons or launch agents have not changed and there is therefore no need to reinstall them. Apple is displaying an alert each time it sees such an install and does not check to see if the contents before and after have changed. A warning when overwriting an existing entry is needed in case this is used by malware to replace a valid entry with a malicious entry.
As someone who also builds installer packages I can certainly see that always reinstalling them is by far a simpler process and always ensures the right ones are present but in theory extra logic could be added to the install process to only do this if needed.
Now that Apple are relentlessly nagging us to death each time this happens, this is making it arguably more desirable to be more efficient regarding the install process so as to avoid triggering these notifications.
So Greg, any chance of an improvement here? As the content in this case does not, I believe, have any version label, a hash value of the file would seem the logical approach. Since Munki already does hashes perhaps some of this work is already done in Munki. Otherwise it would have to be done in the installer package logic itself.
Note: I have AutoPkg download and add updated Munkitools installers to Munki and then Munki distributes the new version to all user Macs. Therefore hypothetically I could in my override recipe add entries to disable installing the launch daemons but this would be an all or nothing solution rather than actually checking if an install needs to be done.