SecurityAgent taking focus for plugin in macOS 26.1

@DTS Engineer I've discovered more information. The process /usr/libexe/mdmclient runs every so often to check if the machine is enrolled in MDM (I believe). This process seems to invoke our security agent plugin to check the right com.apple.ServiceManagement.daemons.modifywhich is the same right we are already modifying when this happens. I have tried to return early in our security agent's invoke method if it is the mdmclient process, but that didn't seem to work. I am going to see if I can return even earlier, or, ignore it altogether.

We are seeing the same thing. We can reproduce the SecurityAgent focus steal by killing the mdmclient process and making our Intune Company Portal app do a resync.

@DTS Engineer Could we please get some feedback on this? This is affecting a lot of our Mac users.

Afogh, ehale, Thanks both you for the extra info.

Have either of your filed a bug about this yet? If so, please post the bug number.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Have either of your filed a bug about this yet? If so, please post the bug number.

Yes, I have reported a bug with this number: FB20987979

Hey Guys,

any information about that? Please see the following discussion:

https://discussions.apple.com/thread/256192312?cid=em-com-apple_watches_email_thread_owner-view_the_full_discussion-en-us-11282023&sortBy=newest_first&page=1

Yes, I have reported a bug with this number: FB20987979

@DTS Engineer Any update on this? Is this being fixed?

Any update on this?

No.

If anything changes here, you’ll be notified via Feedback Assistant.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@ehale Have you found any workarounds to the problem? Issue is still present in 26.2 RC...

@Afogh Yes, we have. If you keep "is-root" at the beginning of your list of rules (when needed), the system processes should be happier with that.

@Afogh Yes, we have. If you keep "is-root" at the beginning of your list of rules (when needed), the system processes should be happier with that.

That is really nice to hear! We are still struggling with this problem. If I may ask how does your own custom rule look like? Is that a evaluate-mechanisms where you list your plugin?

We're seeing this same behavior in our enterprise environment and have been able to isolate it to a specific mechanism in SecurityAgent's launch sequence.

Environment:

• macOS Tahoe 26.3
• MDM-managed Macs (Jamf Pro)
• Non-admin user accounts
• Admin By Request 5.2.0 (authorization plugin: AbrAuth)

What we found:

We built a lightweight detection tool using NSWorkspace activation notifications and a CGEvent tap to catch the moment focus shifts, then captured unified logs (±5 seconds around each event) filtered to the authorization subsystem, process lifecycle, and WindowServer.

The logs show a consistent chain:

1. A LaunchDaemon (mdmclient, JamfDaemon, or AssetSonar in our case) requests system.privilege.admin
2. authd evaluates the right and walks the authorization plugin chain
3. SecurityAgent spawns to host the plugin evaluation (AbrAuth:invoke)
4. SecurityAgent registers with WindowServer (SLSSetFrontProcessWithInfo with window=0)
5. Focus transfers to SecurityAgent — despite no window being displayed
6. The authorization succeeds, SecurityAgent exits, but the focus damage is done

Key detail: We also reproduced this with a minimal LaunchDaemon running as root (UID 0). The daemon requests system.privilege.admin with only kAuthorizationFlagExtendRights (flags 0x00000002) — no kAuthorizationFlagInteractionAllowed. authd grants the right immediately (SUCCESS, since the caller is root), but SecurityAgent still spawns, still registers with WindowServer, and still calls SLSSetFrontProcessWithInfo(window=0), stealing focus.

The unified logs also show SecurityAgent emitting an analytics event — com.apple.appkit.application.stoleKeyFocus — which it then drops as unused. Apple appears to have telemetry for this exact class of event.

Our question:

Is SecurityAgent expected to spawn and register with WindowServer for non-interactive authorization evaluations from root LaunchDaemons? The right is granted immediately, no UI is needed, yet SecurityAgent's AppKit initialization calls SetFrontProcess unconditionally. This seems like SecurityAgent should either (a) not spawn when no UI is required, or (b) not call SetFrontProcess when it has no window to present.

Workarounds we've confirmed:

• Admin By Request shipped a fix in v5.1.2 that avoids triggering the chain from their side
• An active ABR admin session prevents the steals (AbrAuth handles the authorization differently)
• The issue does not occur on non-MDM Macs where the user is a local admin (authd resolves the right directly without spawning SecurityAgent)

Filed FB22119525 with detailed unified log captures and a minimal reproducer. Includes side-by-side log comparisons of the same authorization request (AssetSonar requesting system.privilege.admin) with and without SecurityAgent spawning, showing the focus steal chain.

Filed FB22119525 with detailed unified log captures and a minimal reproducer.

Thanks for that, and for the detailed analysis.

I had a look at your bug, and the earlier FB20987979, and they’ll both likely end up duplicated to a bug filed by another developer, FB21639147. However, I’ve updated that ‘lead’ bug to highlight the analysis in your bug.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"