Background Agents That Need LAN Access Must Run as System Daemons on Modern macOS
On recent macOS versions, Local Network Privacy restrictions block processes running in a user's login context from opening LAN TCP connections. If you install background agent workers in the per-user context, they can silently lose local network reachability — no crash, no error, just hours of unexplained darkness. The failure is especially insidious because older OS versions may not enforce the restriction yet, masking the bug until a newer machine exposes it.
The fix is to run any networked background process in the system (root) context rather than the user context. System-level daemons are exempt from the privacy restriction. To avoid running your actual workload as root, drop privileges explicitly by specifying the target user and group in the daemon definition.
A practical checklist when moving a process to the system context: set the HOME environment variable explicitly (it won’t be inherited), write logs to a system log directory, pre-create log files with the correct ownership so the dropped-privilege user can write to them, and bootstrap the service into the system domain.
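The checklist above, as an added example that is not the original post's code: a POSIX shell script that renders a LaunchDaemon plist which drops to an unprivileged user, sets HOME explicitly, logs to a system directory, and bootstraps into the system domain. The label, worker binary, service account and log paths are placeholders.

```shell
#!/bin/sh
# Added example: run a LAN-facing worker as a system daemon with dropped privileges.
LABEL="com.example.lanworker"          # hypothetical reverse-DNS job label
RUN_AS_USER="lanworker"                # hypothetical unprivileged service account
RUN_AS_GROUP="staff"
WORKER_BIN="/usr/local/bin/lanworker"  # hypothetical worker binary
LOG_DIR="/Library/Logs/lanworker"      # system log location, not ~/Library/Logs

# Emit the daemon definition to stdout so it can be inspected before installing.
render_daemon_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>${LABEL}</string>
  <key>ProgramArguments</key>
  <array><string>${WORKER_BIN}</string></array>
  <!-- launchd starts the job as root, then switches to this user and group -->
  <key>UserName</key><string>${RUN_AS_USER}</string>
  <key>GroupName</key><string>${RUN_AS_GROUP}</string>
  <!-- HOME is not inherited in the system domain, so set it explicitly -->
  <key>EnvironmentVariables</key>
  <dict><key>HOME</key><string>/var/${RUN_AS_USER}</string></dict>
  <key>StandardOutPath</key><string>${LOG_DIR}/worker.log</string>
  <key>StandardErrorPath</key><string>${LOG_DIR}/worker.err</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
}

# Install steps; run as root on macOS. Log files are pre-created and chowned so
# the dropped-privilege user can write them, then the job is bootstrapped into
# the system domain and its presence verified.
install_daemon() {
  plist="/Library/LaunchDaemons/${LABEL}.plist"
  mkdir -p "$LOG_DIR"
  touch "$LOG_DIR/worker.log" "$LOG_DIR/worker.err"
  chown "${RUN_AS_USER}:${RUN_AS_GROUP}" "$LOG_DIR" "$LOG_DIR"/worker.*
  render_daemon_plist > "$plist"
  chown root:wheel "$plist" && chmod 644 "$plist"
  launchctl bootstrap system "$plist"
  launchctl print "system/${LABEL}" >/dev/null   # fails if the job did not load
}
```

Call `install_daemon` from a root shell; if `launchctl print` reports the job but the worker still cannot reach the LAN, check that the binary itself is the one started by launchd and not re-spawned in a user session.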
The deeper lesson: silent network failures across a heterogeneous fleet are often caused by OS-level policy that tightens between versions. When something works on one machine and fails on another running newer software, suspect platform enforcement changes before debugging your own code.