45

Is there a Services.msc or ntsysv utility for OSX? I just want to harden my OSX by disabling any unwanted service and its ports.

polyglot
  • 853

2 Answers

59

The OS X equivalent of Windows services is Launchd. The OS X equivalent of services.msc on Windows is launchctl. The daemons managed by launchd can be on demand or can be triggered periodically (this is configurable in launchd.plist).

You can manage the daemons from the command line (from Terminal.app under /Applications/Utilities/) or by using a tool like Lingon.

From the command line:

  • List agents/jobs loaded using

    launchctl list
    
  • Disable and enable an agent using (persists between boots)

    launchctl enable <name> or launchctl disable <name>
    
  • Stop and start an agent immediately using

    launchctl kickstart <name> or launchctl kill <name>
    

The next commands are deprecated commands, which you might see on the Internet:

  • Remove an agent/job using

    launchctl remove <name>
    
  • Disable an agent/job for the currently booted session alone using

    launchctl unload <name>
    
  • Load an agent/job manually using

    launchctl load <name>
    


M K
  • 11,047
  • So effectively Launchd is the init.d equivalent and launchctl something like ntsysv? – polyglot Oct 21 '13 at 11:51
  • Yes, but launchctl is a command line tool (intended to be used from a terminal shell), unlike ntsysv that provides a graphical list. – M K Oct 21 '13 at 12:23
  • I am still finding it very hard to understand how Agents and Daemons work. I think that Daemons are closer to Services. Do all Daemons work on demand, meaning that they will only enable themselves when called by a program and then close, something like ssh? However, how can I figure out which Daemons/Agents are live and exposing their ports? Should I run Netstat and then disable those Daemons if not needed? – polyglot Oct 22 '13 at 08:04
  • The terms daemons and agents are sometimes used interchangeably. Per Apple's documentation, daemons cover system and user processes while agents are more about user processes. The daemons managed by launchd can be on demand or can be triggered periodically (this is configurable in launchd.plist). – M K Oct 22 '13 at 08:42
  • Use the command listed above - launchctl list to see the list of daemons. You can also use Activity Monitor to see all processes. Most of them use a convention of ending the name with "d", like launchd, syslogd and so on. – M K Oct 22 '13 at 08:47
  • If you'd like to control network connections by processes, you could also look at third party apps like Little Snitch. I'm updating my answer with more information on services, but if the scope of your question is different, please post a separate question to make it easy for people to answer. – M K Oct 22 '13 at 08:49
  • Lingon app is the bomb! Easily disabled all unnecessary scripts. Thanks a lot, you just made my work laptop more home friendly. <3 – kiradotee Oct 28 '16 at 20:40
  • An example would have been great. Actual example. – mjs Jan 23 '20 at 20:47
  • Uhm, it's now 2021 and launchctl unload or remove are still listed in the manpage. I doubt they are deprecated. – Toby Jan 09 '21 at 08:16
  • @polyglot to understand launchd imagine the concept of something to start/stop manage processes. Then make it overly complicated, inconsistent and poorly documented. That, in a nutshell, is launchd. – Cameron Lowell Palmer Sep 28 '21 at 20:02
  • Examples would be nice. Why doesn't launchctl disable com.apple.softwareupdated work? I tried using the plist file as the target and that doesn't work either. How about showing working examples? – Gregg Leventhal Oct 16 '21 at 15:55
  • The only thing you failed to do was provide an answer to the question. "How to disable services": you respond with "here is a list of commands to enable services, oh right, and here are a few deprecated ones you can't use to disable services". – Julian F. Weinert Jul 30 '23 at 11:25
  • I've found I have to use bootout to get it to stop a service. E.g.: sudo launchctl bootout gui/501/com.brother.LOGINserver. I disabled it prior to trying that, which did not kill it (and killing it just led to it being restarted. Bootout killed it dead). – Rick Dec 08 '23 at 05:44
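
A dry-run triage built from the commands in this thread, as an added example that is not from any of the posters: it splits `launchctl list` output into running and idle jobs and prints the disable and bootout lines for review instead of executing them. The sample rows, the com.example.updater label and the function names are constructed for illustration; gui/501 is the domain from the comment above.

```shell
#!/bin/sh
# Added example (not from the thread): review launchd jobs before disabling.

# Constructed sample in the tab-separated PID / Status / Label layout that
# `launchctl list` prints. A "-" PID means loaded but not running right now.
sample_list() {
    printf 'PID\tStatus\tLabel\n'
    printf '%s\t%s\t%s\n' 311 0 com.apple.Finder
    printf '%s\t%s\t%s\n' - 0 com.apple.softwareupdated
    printf '%s\t%s\t%s\n' 842 0 com.brother.LOGINserver
    printf '%s\t%s\t%s\n' - 78 com.example.updater
}

# Labels of jobs that currently have a process (numeric PID column).
running_labels() {
    awk -F'\t' '$1 ~ /^[0-9]+$/ { print $3 }'
}

# Labels that are loaded without a process: on demand, or already exited.
idle_labels() {
    awk -F'\t' '$1 == "-" { print $3 }'
}

# Keep third-party labels only; Apple's com.apple.* jobs are left out of the
# plan (a choice made for this example, review them separately).
third_party() {
    awk '!/^com\.apple\./'
}

# Print, without running, the two commands per label for a domain such as
# "system" or "gui/501": disable persists across boots, bootout stops the
# loaded instance now.
plan_disable() {
    domain=$1
    while IFS= read -r label; do
        printf 'sudo launchctl disable %s/%s\n' "$domain" "$label"
        printf 'sudo launchctl bootout %s/%s\n' "$domain" "$label"
    done
}

# On a Mac, replace sample_list with: launchctl list
sample_list | running_labels | third_party | plan_disable gui/501
```

Read the printed lines before pasting any of them, and match the domain to where the job was listed: the user session (gui/<uid>) or system.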
3

Note that for macOS 10.13, you need to use launchctl disable system/. This will stop the process, but would keep the definition in the system folder.