Please tell me we're going to be able to suppress these and a million notifications aren't the future for end users:

@PhillyPhoto Apple has gotten a _lot_ of feedback that these notifications are detrimental to organizational managed Macs, and they have acknowledged that they need to provide the ability to suppress those messages. Exactly when that's going to arrive in the beta cycle is anyone's guess.


The notifications are very annoying but what really concerns me is how easy it is to effectively unmanage your machine by unchecking anything you don’t want. I hope I’m missing something, but at this point it seems like anyone can just kill all of our corporate security and management software.


I've only been administrating Macs for a year, but there is a general feel I've been getting. Things like users should be in control of the devices they use. The user should be comfortable using their device. Things like not having a replacement for a Firmware Password on M1 devices really show that Apple has not been thinking about businesses managing Macs until people put them on blast.


An interesting thread.

Why are there organisations out there that have JAMF, yet give everyone admin accounts?

This isn’t ISO or CSE+ compliant.

Regarding the notifications, I haven’t checked Ventura yet, but surely these can be killed with a custom tourist config profile?

I kill a heap of these on shared devices with many applications.


Hey Fluffy,
There are ways to set the recovery lock on the M1s right now, I am not using them though. I'm waiting for Jamf to drop their supported version but there are ways if you really need it.
https://community.jamf.com/t5/jamf-pro/anyone-using-the-m1-quot-set-recovery-lock-quot-command/m-p/244640 
https://gingerscripting.com/setting-an-apple-silicon-recovery-lock-password-through-the-jamf-api/ 

I get the sentiment all the time from employees that they want to install their own apps and be their own admins. The problem with that is they either A) Can barely use the Mac or B) Know just enough to get in trouble.

Each upgrade since Catalina, they've been making it harder and harder to administer the Macs. I completely understand that the Mac user's experience and their privacy should come first, but we need to make it as easy and secure for them as possible to do their job. Apple's probably working on their own MDM solution; watch it have the power to do everything.



Following thread since when building test machines I get those popping up left and right.


This is a mess for my automated enrollment workflow for sure. Hope the stable version provides a way to block this for managed distributions.


Apple recently posted a new PDF on AppleSeed called "2022 Login and Background Item Management Test Plan" that contains a sample config profile that you can use to suppress the notifications and prevent users from disabling the launchdaemons that your org configures in the System Settings app.

I have just begun to test this in my environment, so don't have a real-world example profile yet but I will post one when I've got everything working.


Do you have a link?


@PhillyPhoto If you don't have access to AppleSeed then a link wouldn't be useful, and if you do have access you'll know where to find the document @sshort referenced.


I don't use it that much, but I do have access but can't find anything that has PDFs.


@PhillyPhoto Go to the Downloads tab after logging in to AppleSeed and you'll find the document under Test Plans & Additional Resources


Got it, thanks!


A JSON would be really nice for this, wink wink Apple/Jamf


Have you managed to get this working yet @sshort ? I have been trying for a while, without success!


When I log into AppleSeed, this is the page I see, I don't see a downloads tab??


@mathewsl05 You have to log in to appleseed.apple.com using a Managed Apple ID (using a "regular" Apple ID re-directs you to a different site for Apple developers)


Yep, I think I JUST figured that out! Thank you :)


The configuration profile won't work until you sign it and upload it signed to Jamf Pro.

Tested on macOS beta 13 (build 22A5342f). Kudos to Bilal from made.com, he gave me this tip via Mac Admins Slack.

 

You can sign the profile via this command:

/usr/bin/security cms -S -N "<YOUR TEAM ID>" -i "/path/to/file.mobileconfig" -o "/path/to/file-SIGNED.mobileconfig"

If this has to be signed first that's a real pain as it means every time you want to change it you're having to upload a new config to Jamf and then set the scope etc. and unscope the existing profile.
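
As an added example (not part of any post in this thread, and not Apple's sample profile from the AppleSeed document): one way to generate the kind of profile discussed above and sign it with the command quoted earlier. The payload type and rule keys follow Apple's device-management documentation for managed login items; the identifiers, team ID and label prefix are constructed placeholders.

```python
import plistlib
import subprocess
import uuid

PAYLOAD_TYPE = "com.apple.servicemanagement"  # managed login/background items
RULE_TYPES = {"BundleIdentifier", "BundleIdentifierPrefix", "Label",
              "LabelPrefix", "TeamIdentifier"}


def build_profile(org_id, rules):
    """Return an unsigned .mobileconfig (XML plist bytes); rules are (type, value, comment)."""
    payload_rules = []
    for rule_type, value, comment in rules:
        if rule_type not in RULE_TYPES:
            raise ValueError(f"unknown RuleType: {rule_type}")
        if not value:
            raise ValueError("RuleValue must not be empty")
        payload_rules.append(
            {"RuleType": rule_type, "RuleValue": value, "Comment": comment})

    def ids(suffix):
        # UUIDs are derived from the identifier, so a rebuild yields the same profile.
        ident = f"{org_id}.{suffix}"
        return {"PayloadIdentifier": ident,
                "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
                "PayloadVersion": 1}

    item = {"PayloadType": PAYLOAD_TYPE, "Rules": payload_rules, **ids("bgitems.rules")}
    profile = {"PayloadType": "Configuration", "PayloadScope": "System",
               "PayloadDisplayName": "Managed background items",
               "PayloadContent": [item], **ids("bgitems")}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def sign_profile(unsigned_path, signed_path, identity):
    """Sign with the thread's command (macOS only), then confirm the signed
    file still carries exactly the bytes that were built."""
    subprocess.run(["/usr/bin/security", "cms", "-S", "-N", identity,
                    "-i", unsigned_path, "-o", signed_path], check=True)
    decoded = subprocess.run(["/usr/bin/security", "cms", "-D", "-i", signed_path],
                             check=True, capture_output=True).stdout
    with open(unsigned_path, "rb") as fh:
        return decoded == fh.read()


# Constructed sample rules; the team ID and label prefix are placeholders.
SAMPLE_RULES = [("TeamIdentifier", "ABCDE12345", "Vendor agent (placeholder team ID)"),
                ("LabelPrefix", "com.example.", "In-house LaunchDaemons")]
```

Write the bytes from `build_profile("com.example", SAMPLE_RULES)` to a `.mobileconfig` file, then call `sign_profile` with the same value you would pass to `-N` in the command above.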


Agreed on the signing piece, I have signed our profile now and uploaded to Jamf. Apparently the GUI feature will be coming in a future release of Jamf, so we just have to stick with it for now.


For those who don't want to hand-craft - iMazing Profile Editor can be helpful. Doesn't help with scoping :)


Thanks, certainly made it easier using iMazing Profile Editor, just a pain you have to manually sign and then upload each time though, especially while you're testing.


I am in there and can't find it. Where it be breh? – NM, didn't see the managed ID. I am good. Thanks for pointing out this whitepaper.


Can also use the Hancock app to sign things.

