Please tell me we're going to be able to suppress these and a million notifications aren't the future for end users:

"Login items added" in Ventura

Has anyone got a real world example of a config profile they can share please?

Here is a part of my array, but the whole thing is under NDA, because of it's beta status.

For details on the profile see Apple Developer Documentation (Apple SEED, mentioned earlier in this thread).

<array>

  <dict>

    <key>RuleType</key>

    <string>TeamIdentifier</string>

    <key>RuleValue</key>

    <string>EQHXZ8M8AV</string>

    <key>Comment</key>

    <string>Google Inc.</string>

  </dict>

  <dict>

    <key>RuleType</key>

    <string>TeamIdentifier</string>

    <key>RuleValue</key>

    <string>S272Y5R93J</string>

    <key>Comment</key>

    <string>Citrix Systems, Inc.</string>

  </dict>

  <dict>

    <key>RuleType</key>

    <string>TeamIdentifier</string>

    <key>RuleValue</key>

    <string>9GQZ7KUFR6</string>

    <key>Comment</key>

    <string>Nudge</string>

  </dict>

  <dict>

    <key>RuleType</key>

    <string>TeamIdentifier</string>

    <key>RuleValue</key>

    <string>483DWKW443</string>

    <key>Comment</key>

    <string>Jamf Software</string>

  </dict>

  <dict>

    <key>RuleType</key>

    <string>TeamIdentifier</string>

    <key>RuleValue</key>

    <string>UBF8T346G9</string>

    <key>Comment</key>

    <string>Microsoft Corporation</string>

  </dict>

</array>

Has anyone got a real world example of a config profile they can share please?

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>PayloadContent</key>

<array>

<dict>

<key>PayloadDescription</key>

<string>Test Payload for Background Service Management</string>

<key>PayloadDisplayName</key>

<string>Background Service Management Test</string>

<key>PayloadIdentifier</key>

<string>com.example.56EE8C1E-9C20-483B-

AD0E-9558E6091035.privacy.04102481-C1F1-44F2-B548-

E0B554890493</string>

<key>PayloadUUID</key>

<key>PayloadType</key>

<string>com.apple.servicemanagement</string>

<key>PayloadOrganization</key>

<string>Example Org</string>

<key>Rules</key>

<array>

<dict>

<key>RuleType</key>

<string>BundleIdentifier</string>

<key>RuleValue</key>

<string>com.symantec.wssa.ui</string>

<key>Comment</key>

<string>Example bundle identifier</string>

</dict>

<dict>

<key>RuleType</key>

<string>BundleIdentifierPrefix</string>

<key>RuleValue</key>

<string>com.example</string>

<key>Comment</key>

<string>Example bundle identifier prefix</string>

</dict>

<dict>

<key>RuleType</key>

<string>Label</string>

<key>RuleValue</key>

<string>com.example.label</string>

<key>Comment</key>

<string>Example label</string>

</dict>

<dict>

<key>RuleType</key>

<string>LabelPrefix</string>

<key>RuleValue</key>

<string>com.example</string>

<key>Comment</key>

<string>Example label prefix</string>

</dict>

<dict>

<key>RuleType</key>

<string>TeamIdentifier</string>

<key>RuleValue</key>

<string>TeamID</string>

<key>Comment</key>

<string>Example Team ID</string>

</dict>

</array>

</dict>

</array>

<key>PayloadDisplayName</key>

<string>Background Service Configuration Profile</string>

<key>PayloadIdentifier</key>

<string>com.apple.servicemanagement.4DB96276-2310-44C2-AE11-

C6E761FB0304.privacy</string>

<key>PayloadUUID</key>

<key>PayloadType</key>

<string>Configuration</string>

<key>PayloadScope</key>

<string>System</string>

</dict>

</plist>

Agreed on the signing piece, I have signed our profile now and uploaded to Jamf. Apparently the GUI feature will be coming in a future release of Jamf, so we just have ti stick with it for now.

Do know if this will before the OS releases?

@auser I wouldn't bet on it given that we're less than 30 days from the release of macOS Ventura (based on Apple's mention at the event earlier this month that it will be released in October)

is there a easy way to just block all the items?

Turns out it's actually pretty easy. I added it to our existing muted notifications as an application under Configuration Profiles > Application & Custom Settings > External Applications. Works like a charm! (XML at the bottom.) Yes, I know there is now a notifications section in JSS.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>BundleIdentifier</key>
<string>com.apple.btmnotificationagent</string>
<key>NotificationsEnabled</key>
<false/>
<key>AlertType</key>
<integer>0</integer>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<false/>
<key>BadgesEnabled</key>
<false/>
<key>SoundsEnabled</key>
<false/>
</dict>
</array>
</dict>
</plist>

Turns out it's actually pretty easy. I added it to our existing muted notifications as an application under Configuration Profiles > Application & Custom Settings > External Applications. Works like a charm! (XML at the bottom.) Yes, I know there is now a notifications section in JSS.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>BundleIdentifier</key>
<string>com.apple.btmnotificationagent</string>
<key>NotificationsEnabled</key>
<false/>
<key>AlertType</key>
<integer>0</integer>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<false/>
<key>BadgesEnabled</key>
<false/>
<key>SoundsEnabled</key>
<false/>
</dict>
</array>
</dict>
</plist>

Does this block all background apps notices from coming up?

I was wondering the same, I don't think it does based on what the docs say.

Does this block all background apps notices from coming up?

I did some testing yesterday, and it seems to be independent.

Turns out it's actually pretty easy. I added it to our existing muted notifications as an application under Configuration Profiles > Application & Custom Settings > External Applications. Works like a charm! (XML at the bottom.) Yes, I know there is now a notifications section in JSS.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>BundleIdentifier</key>
<string>com.apple.btmnotificationagent</string>
<key>NotificationsEnabled</key>
<false/>
<key>AlertType</key>
<integer>0</integer>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<false/>
<key>BadgesEnabled</key>
<false/>
<key>SoundsEnabled</key>
<false/>
</dict>
</array>
</dict>
</plist>

There's a step missing here: which source did you choose for your external application? :)

Sorry. It's the Custom Schema used for the other 18 in place already. Schema at the bottom.

External Applications > Source > Custom Schema:

{
"title": "macOS Notifications (com.apple.notificationsettings)",
"description": "This payload specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later. https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page=57 https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem",
"__feedback": "bill@talkingmoose.net",
"properties": {
"NotificationSettings": {
"title": "Applications",
"description": "Specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later.",
"property_order": 10,
"type": "array",
"items": {
"title": "Application",
"type": "object",
"properties": {
"BundleIdentifier": {
"title": "Bundle Identifier",
"description": "Required. Bundle identifier of app to which to apply these notification settings.",
"type": "string"
},
"NotificationsEnabled": {
"title": "Allow Notifications from App",
"description": "Optional. Whether notifications are allowed for this app. Default is true.",
"type": "boolean"
},
"AlertType": {
"title": "App Alert Style",
"description": "Optional. The type of alert for notifications for this app.",
"type": "integer",
"options": {
"enum_titles": [
"None",
"Banners",
"Alerts"
]
},
"enum": [
0,
1,
2
]
},
"ShowInLockScreen": {
"title": "Show In Lock Screen",
"description": "Optional. Whether notifications can be shown in the lock screen. Default is true.",
"type": "boolean"
},
"ShowInNotificationCenter": {
"title": "Show In Notification Center",
"description": "Optional. Whether notifications can be shown in notification center. Default is true.",
"type": "boolean"
},
"BadgesEnabled": {
"title": "Badges Enabled",
"description": "Optional. Whether badges are allowed for this app. Default is true.",
"type": "boolean"
},
"SoundsEnabled": {
"title": "Sounds Enabled",
"description": "Optional. Whether sounds are allowed for this app. Default is true.",
"type": "boolean"
}
},
"required": [
"BundleIdentifier",
"NotificationsEnabled",
"AlertType",
"ShowInLockScreen",
"ShowInNotificationCenter",
"BadgesEnabled",
"SoundsEnabled"
]
}
}
}
}

Sorry. It's the Custom Schema used for the other 18 in place already. Schema at the bottom.

External Applications > Source > Custom Schema:

{
"title": "macOS Notifications (com.apple.notificationsettings)",
"description": "This payload specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later. https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page=57 https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem",
"__feedback": "bill@talkingmoose.net",
"properties": {
"NotificationSettings": {
"title": "Applications",
"description": "Specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later.",
"property_order": 10,
"type": "array",
"items": {
"title": "Application",
"type": "object",
"properties": {
"BundleIdentifier": {
"title": "Bundle Identifier",
"description": "Required. Bundle identifier of app to which to apply these notification settings.",
"type": "string"
},
"NotificationsEnabled": {
"title": "Allow Notifications from App",
"description": "Optional. Whether notifications are allowed for this app. Default is true.",
"type": "boolean"
},
"AlertType": {
"title": "App Alert Style",
"description": "Optional. The type of alert for notifications for this app.",
"type": "integer",
"options": {
"enum_titles": [
"None",
"Banners",
"Alerts"
]
},
"enum": [
0,
1,
2
]
},
"ShowInLockScreen": {
"title": "Show In Lock Screen",
"description": "Optional. Whether notifications can be shown in the lock screen. Default is true.",
"type": "boolean"
},
"ShowInNotificationCenter": {
"title": "Show In Notification Center",
"description": "Optional. Whether notifications can be shown in notification center. Default is true.",
"type": "boolean"
},
"BadgesEnabled": {
"title": "Badges Enabled",
"description": "Optional. Whether badges are allowed for this app. Default is true.",
"type": "boolean"
},
"SoundsEnabled": {
"title": "Sounds Enabled",
"description": "Optional. Whether sounds are allowed for this app. Default is true.",
"type": "boolean"
}
},
"required": [
"BundleIdentifier",
"NotificationsEnabled",
"AlertType",
"ShowInLockScreen",
"ShowInNotificationCenter",
"BadgesEnabled",
"SoundsEnabled"
]
}
}
}
}

Sweet, thanks @A-bomb! Did you build that yourself? Or is it available in the Appleseed Downloads or some other place?

I found it somewhere a long time ago. bill@talkingmoose.net built it. The credit is in the code. You can just copy the code above from the first { to the last }

Oh I see it there. Well thanks, Bill. I did copy it, and it's working great, thanks a million. :)

How are you deploying your com.apple.servicemanagement profile? I'm thinking I can just use Applications & Custom Settings -> Upload

I'm actually not using com.apple.servicemanagement at all. Just the one I posted.

Ah, gotcha! You’re not concerned that users will just unmanage themselves by turning off the Jamf launch agent?

We only have about 25 admins out of over 800 users so the possiblity is very small. I watch the hell out of them and tighten the rope when they get out of line, which doesn't happen often. We can lock a machine as a last resort for compliance which we have only done once in over two years.

Oh cool. Every org is just a bit different, hey? Well, just wanted to check. :D Thanks a ton for the content.

Have you managed to get this working yet @sshort ? I have been trying for a while, without success!

Yes! I finally got it working earlier today. 3 tips:

* Make sure you're running beta 10 or 11 for the profile to consistently work.

* iMazing Profile Editor has a helpful new "Service Management - Managed Login Items" payload template that makes creating a custom profile much easier.

* I had a lot of issues with `BundleIdentifer` as the `RuleType`. I recommend using `LabelPrefix` like my example profile: https://github.com/ducksrfr/mac_admin/blob/master/profiles/approved-background-services.mobileconfig

My current process order looks like this:

Profile Creation

Create and install a Jamf self-signed certificate: https://docs.jamf.com/technical-articles/Creating_a_Signing_Certificate_Using_Jamf_[…]CA_to_Use_for_Signing_Configuration_Profiles_and_Packages.html
1. Note: It's necessary to sign the configuration profile that you create because Jamf 10.41 does not yet have a a Policy item for com.apple.servicemanagement. Uploading a signed configuration profile pushes out valid configuration items, but Jamf is basically just being used as a dumb push service at this point, because it can't interpret that item properly
Download and install iMazing Profile Editor
Upload sample configs into iMazing Profile Editor or craft your own using the Service Management - Managed Login Item
iMazing Profile Editor config profile creation

codesign -dr - /path/to/Application.app/usr/libexec/PlistBuddy -c 'print CFBundleIdentifier' /Applications/FortiClient.app/Contents/Info.plist

5. Upload the configuration into Jamf

I'm scoping my configuration profile to all macOS Ventura machines. If you scope to current machines it gets installed (if you were wanting to preload), however the profile won't reload its settings when the Ventura install completes and you won't see the benefits of the config.

Instead, consider installing the config between the time a device updates from macOS 11/12 to macOS 13, and when a user logs in. To accomplish this, I created a policy that runs Inventory at startup on all devices.

Sorry. It's the Custom Schema used for the other 18 in place already. Schema at the bottom.

External Applications > Source > Custom Schema:

{
"title": "macOS Notifications (com.apple.notificationsettings)",
"description": "This payload specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later. https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page=57 https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem",
"__feedback": "bill@talkingmoose.net",
"properties": {
"NotificationSettings": {
"title": "Applications",
"description": "Specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later.",
"property_order": 10,
"type": "array",
"items": {
"title": "Application",
"type": "object",
"properties": {
"BundleIdentifier": {
"title": "Bundle Identifier",
"description": "Required. Bundle identifier of app to which to apply these notification settings.",
"type": "string"
},
"NotificationsEnabled": {
"title": "Allow Notifications from App",
"description": "Optional. Whether notifications are allowed for this app. Default is true.",
"type": "boolean"
},
"AlertType": {
"title": "App Alert Style",
"description": "Optional. The type of alert for notifications for this app.",
"type": "integer",
"options": {
"enum_titles": [
"None",
"Banners",
"Alerts"
]
},
"enum": [
0,
1,
2
]
},
"ShowInLockScreen": {
"title": "Show In Lock Screen",
"description": "Optional. Whether notifications can be shown in the lock screen. Default is true.",
"type": "boolean"
},
"ShowInNotificationCenter": {
"title": "Show In Notification Center",
"description": "Optional. Whether notifications can be shown in notification center. Default is true.",
"type": "boolean"
},
"BadgesEnabled": {
"title": "Badges Enabled",
"description": "Optional. Whether badges are allowed for this app. Default is true.",
"type": "boolean"
},
"SoundsEnabled": {
"title": "Sounds Enabled",
"description": "Optional. Whether sounds are allowed for this app. Default is true.",
"type": "boolean"
}
},
"required": [
"BundleIdentifier",
"NotificationsEnabled",
"AlertType",
"ShowInLockScreen",
"ShowInNotificationCenter",
"BadgesEnabled",
"SoundsEnabled"
]
}
}
}
}

@A-bomb - Do you know whether it's possible to disable these notifications by application path rather that bundle ID?

So been making good progress in preventing users from disabling login items but I got one that still tricky. Looks like in Ventura there is a "StartupScript.sh" located in the /Library/Application Support/JAMF/ManagementFrameworkScripts/ folder. Seems like a simple script to ensure everything is working. So would rather not have the user disable it as login item. Anyone have success in doing that?

Btw, iMazing Profile Editor rocks!

@A-bomb - Do you know whether it's possible to disable these notifications by application path rather that bundle ID?

What I posted disables all of the new login and background items added notifications in Ventura. I don’t see the point of having those in our environment. What others have posted here is for specific login or background items. Application path is not recommended and never worked for us. Only using bundle ID did. It can be kind of a pain in the ass to get the bundle ID but once you get it and use it, you can forget about it..

So been making good progress in preventing users from disabling login items but I got one that still tricky. Looks like in Ventura there is a "StartupScript.sh" located in the /Library/Application Support/JAMF/ManagementFrameworkScripts/ folder. Seems like a simple script to ensure everything is working. So would rather not have the user disable it as login item. Anyone have success in doing that?

Btw, iMazing Profile Editor rocks!

Try adding com.jamfsoftware.startupItem as a label or com.jamfsoftware as a label prefix.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded