This works via launchd, the blessed and proper approach on OS X, and is appropriate for an OSX worker running the worker daemon as a system service, launched at system boot.
If you are running your worker as the Desktop User (also known as "Desktop Worker" mode) which starts the worker when you log in, you don't need these, as the worker process is already set up to be shut down by launchd when you log out.
The attachment will contain 2 files:
-rw-r--r-- 0 root wheel 727 Aug 15 15:30 /Library/LaunchAgents/com.pipelinefx.WorkerLock.plist
-rwxr-xr-x 0 root admin 2251 Aug 15 15:36 /Applications/pfx/qube/scripts/workerLock.py
If you put the .plist in /Library/LaunchAgents, any user logging in or out of a GUI session (ssh or 'su' doesn't count) will (lock at login)/(unlock at logout) the worker. If you put the plist into the user's ~/Library/LaunchAgents, it will affect only that user. If you go the system-wide route, the .plist has to be owned by root.
It will also log the lock/unlock activity in /var/log/launchd-<username>.log (launchd takes care of creating the log file with the correct permissions, very polite)
[Aug 15, 2012 15:22:47] [login]: locked worker on localhost xxxx.local
[Aug 15, 2012 15:22:54] [logout]: unlocked worker on localhost xxxx.local
[Aug 15, 2012 15:23:48] [login]: FAILED to lock worker on localhost
[Aug 15, 2012 15:24:04] [logout]: FAILED to unlock worker on localhost
[Aug 15, 2012 15:37:02] [login]: locked worker on localhost xxxx.local
[Aug 15, 2012 15:37:16] [logout]: unlocked worker on localhost xxxx.local
The "FAIL"s are from me removing the "lock" privilege from the regular user for testing purposes.
I'm trying to figure out how we should best install these, I might add it to the QubeGUI so that regular users can set it up for either themselves without authentication or system-wide with an authentication dialog, while a sysadmin will also be able to set this up simply by dropping the files in place on the hosts.
[attachment deleted by admin]