Please tell me we're going to be able to suppress these and a million notifications aren't the future for end users:
There are a few options for notification suppression. A-Bomb's is great for discrete suppression of notifications on apps. You can take a more nuclear approach and block com.apple.btmnotifications, which is the object that manages login item notifications: Background Task Management Notifications. You can also use the Notifications Preference Control and adjust to taste. For example:
Note that I'm not targeting this against any devices unless it becomes an issue. Generally speaking, I want users to be notified to make a choice when a login item is added; we're also enforcing a large amount of organizational apps, so for anything beyond our approved software I want users to be able to make that choice.
Just to add to this & food for thought on the nuclear notification blocking approach vs. a focused blocking scheme. Beyond giving end-users a choice, there's an obvious benefit to allowing this new security mechanism to do its job. It's entirely possible for a standard user to install something (say DropBox from Self Service... or worse some random malware) that may only drop an agent into ~/Library/LaunchAgents. If this is the case, it won't be visible from your admin account Sys prefs > General > Login Items. Whether good or bad in your environment, something like this may go unchecked for some time, especially if there's no user warning.
@jbutler47 This is not my experience. With the profile in place nothing can be toggled on/off, admin or not. If you can toggle ALL items as admin, I suspect your profile isn't properly signed. If it's just a few, you might need to check your XML formatting or maybe try an alternative RuleType for those items.
Concurring with @jonw here, I haven’t been receiving notifications. In some cases I used both a team identifier and a label prefix.
@jonw Thank you for reminding me to sign the profile. Works like a charm now. Going to test and verify again if the notifications appear during enrollment. Let's just say that iMazing Profile Editor is a great help for this concern.
Upon enrollment with the ServiceManagement profile, I do not see all the individual prompts for all the Login Items that were loaded, which is great. However, there is just one, and perhaps an overall notification that states "Managed Login Items Added - Your organization added items that can run in the background. You can view these in Login Item Settings." This prompt has two options "Snooze for 1 Day" and "Snooze for 1 week". I guess you could take or leave this prompt, but I'd prefer to not have it show up at all at enrollment, seems more like nudging the user to check. I do see the benefit for the end user to be prompted by "Background Items Added" if something else comes into play later on (as mentioned in an earlier post in this thread). Has anyone had any luck with suppressing the "Managed Login Items Added" notification without turning it completely off in case something else is installed later on?
I find that @Baravis's solution with the image in this thread did a great job. No notification popped up at all for the login items during the build.
Well, this is cool. Got this from Jamf this morning about the upcoming 10.42 release:
Configuration Profiles for Managed Login Items
Jamf Pro now includes two predefined configuration profiles containing Managed Login Items payloads, installed by default on eligible computers in System Settings > Privacy & Security > Profiles. These configuration profiles prevent end users from disabling certain background services of apps installed by Jamf in System Settings > General Settings > Login Items > Allow in the Background.
Looks like 10.42 will take care of Jamf and App Installer related items for Login Items, but the release notes indicate that you may still need to create or upload a config profile for other apps/services. If I read that wrong, please correct me, but that is what it appears to say.
That looks correct, to me. Jamf App Installers and Jamf software products are allowed by default. Anything above and beyond that requires the use of a custom config for managed app installers (https://docs.jamf.com/technical-articles/Uploading_a_Configuration_Profile_for_Managed_Login_Items.html)
Look at this beauty. Thanks again for your help @Baravis
Hello @A-bomb ,
How did you manage to get "uninstall" and "install_monitor" disabled? I also have "bash", "killall" and "Jamf Connect" showing as toggleable. All scripts and applications with TeamIDs are disabled on my test system, but I still have some Unix binaries showing as toggleable.
I used "sudo sfltool dumpbtm" to find all the Labels and Executable paths I needed to block.
I then found the issues with the non-blocked items: I had missed some custom LaunchDaemons / Agents Labels.
And I was able to shut down Jamf Connect as a standard user until I added a new Label with "com.jamf.connect" in the profile.
The same was done for "uninstall" and "install_monitor" so now my panel is locked for all items I need to lock.
I'm sorry, I'm having a hard time understanding - can you clarify how you got "uninstall" and "install_monitor" locked? Those are the last two that I've been having trouble with. I can't seem to find a way to put them into a profile. Did you just use the path to them? If so, is that considered a label, or something else? (I'm using iMazing Profile Editor). Thank you!
Hello,
Sorry about the unclear answer here above :)
I solved it by adding two more items in the com.apple.servicemanagement payload
Even if Microsoft is added as a TeamID in my profile that does not lock down some of their LaunchDaemons / Agents
Add a Rule Type with value Label and Rule Value of com.microsoft.dlp.install_monitor
Add another Label with Rule Value of com.microsoft.fresno.uninstall
If you have other binaries still unlocked, press the information "i" next to the lock switch and you can find the binary used; then look for the LaunchDaemons / Agents using that binary (path to binary). When you have found the correct Daemon or Agent, copy the value for the key <key>Label</key> and put that in a new row in the profile.
Hope that is more clear otherwise just write again.
(edit spelling)
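The two steps described in the posts above (find the launchd Label that runs a bare binary such as "bash" or "install_monitor", then add a Label rule for it to the com.apple.servicemanagement payload) can be scripted. The following Python is an added example written for this thread, not code from any poster or from Jamf/Apple. It works on a constructed dictionary of launchd plists that stands in for files under /Library/LaunchDaemons and /Library/LaunchAgents, so it runs offline; the labels, paths and the Team ID in it are made up. The rule keys Rules, RuleType, RuleValue and Comment follow Apple's ServiceManagement payload as I know it; the reverse-DNS prefix used for the profile identifier is an assumption you should replace with your own.

```python
import plistlib
import uuid

# Constructed sample launchd job definitions. In real use these come from
# /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents
# (see load_launchd_plists below). Labels and paths here are illustrative.
SAMPLE_LAUNCHD_PLISTS = {
    "/Library/LaunchDaemons/com.example.dlp.install_monitor.plist": {
        "Label": "com.example.dlp.install_monitor",
        "ProgramArguments": ["/Library/Application Support/Example/install_monitor", "--daemon"],
        "RunAtLoad": True,
    },
    "/Library/LaunchDaemons/com.example.fresno.uninstall.plist": {
        "Label": "com.example.fresno.uninstall",
        "Program": "/Library/Application Support/Example/uninstall",
    },
    "/Library/LaunchAgents/com.example.helper.plist": {
        # A script wrapped in bash shows up in Login Items as "bash".
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/bash", "/Library/Application Support/Example/helper.sh"],
    },
}


def executable_of(job):
    """Return the executable a launchd job runs: Program wins, else argv[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def labels_for_executables(jobs, executables):
    """Map each executable path (as shown behind the info "i") to the Labels that invoke it."""
    wanted = set(executables)
    found = {}
    for _path, job in jobs.items():
        exe = executable_of(job)
        if exe in wanted and "Label" in job:
            found.setdefault(exe, []).append(job["Label"])
    return found


def load_launchd_plists(paths):
    """Read real launchd plist files into the same {path: dict} shape as the sample."""
    jobs = {}
    for p in paths:
        with open(p, "rb") as fh:
            jobs[p] = plistlib.load(fh)
    return jobs


def build_servicemanagement_profile(label_rules, team_ids=(), display_name="Managed Login Items"):
    """Build a configuration profile with one com.apple.servicemanagement payload.

    label_rules: iterable of (label, comment) pairs -> RuleType "Label".
    team_ids:    iterable of Team IDs               -> RuleType "TeamIdentifier".
    """
    rules = [{"RuleType": "TeamIdentifier", "RuleValue": t} for t in team_ids]
    rules += [{"RuleType": "Label", "RuleValue": label, "Comment": comment}
              for label, comment in label_rules]
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadContent": [{
            "PayloadType": "com.apple.servicemanagement",
            "PayloadIdentifier": f"com.apple.servicemanagement.{payload_uuid}",
            "PayloadUUID": payload_uuid,
            "PayloadVersion": 1,
            "Rules": rules,
        }],
        "PayloadDisplayName": display_name,
        # Assumed org prefix; replace with your own reverse-DNS identifier.
        "PayloadIdentifier": f"com.example.managedloginitems.{profile_uuid}",
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def profile_xml(profile):
    """Serialize the profile to the XML plist text you would upload (and then sign)."""
    return plistlib.dumps(profile).decode("utf-8")


if __name__ == "__main__":
    stubborn = ["/Library/Application Support/Example/install_monitor",
                "/Library/Application Support/Example/uninstall",
                "/bin/bash"]
    matches = labels_for_executables(SAMPLE_LAUNCHD_PLISTS, stubborn)
    label_rules = [(label, f"runs {exe}") for exe, labels in matches.items() for label in labels]
    print(profile_xml(build_servicemanagement_profile(label_rules, team_ids=["ABCDE12345"])))
```

The generated plist still has to be signed before upload, as the thread notes, otherwise the lock switches stay toggleable. Matching on argv[0] is what makes the "bash"/"killall" entries traceable: the Login Items pane shows the interpreter, but the Label comes from the job plist that invokes it.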
An interesting thread.
Why are there organisations out there that have JAMF, yet give everyone admin accounts?
This isn’t ISO or CSE+ compliant.
Regarding the notifications, I haven’t checked Ventura yet, but surely these can be killed with a custom tourist config profile?
I kill a heap of these on shared devices with many applications.
Because there are still an increasing number of items that even admins cannot change when managed via MDM and giving everyone a standard user account heavily increases administrative burden on IT.
Thank you so much for the quick and thorough reply! I'm going to try your method first thing tomorrow morning when I'm back in the office.
Is there an easy way to just block all the items?
@auser - yes you can. Just built this one and it works so far...installed some test software and no notifications.
BTW, this is a great page for understanding this mess...he should do Apple's docs!
Login Items Management @n8felton did the work. 👍
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>NotificationSettings</key>
            <array>
                <dict>
                    <key>BundleIdentifier</key>
                    <string>com.apple.BTMNotificationAgent</string>
                    <key>NotificationsEnabled</key>
                    <false/>
                </dict>
            </array>
            <key>PayloadIdentifier</key>
            <string>com.apple.notificationsettings.12c05d0d-6231-4621-9ac6-a781a626951b</string>
            <key>PayloadType</key>
            <string>com.apple.notificationsettings</string>
            <key>PayloadUUID</key>
            <string>12c05d0d-6231-4621-9ac6-a781a626951b</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Disable Background Task Management Notifications</string>
    <key>PayloadDisplayName</key>
    <string>Disable Background Task Management Notifications</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.notificationsettings.5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Turns out it's actually pretty easy. I added it to our existing muted notifications as an application under Configuration Profiles > Application & Custom Settings > External Applications. Works like a charm! (XML at the bottom.) Yes, I know there is now a notifications section in JSS.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NotificationSettings</key>
    <array>
        <dict>
            <key>BundleIdentifier</key>
            <string>com.apple.btmnotificationagent</string>
            <key>NotificationsEnabled</key>
            <false/>
            <key>AlertType</key>
            <integer>0</integer>
            <key>ShowInLockScreen</key>
            <false/>
            <key>ShowInNotificationCenter</key>
            <false/>
            <key>BadgesEnabled</key>
            <false/>
            <key>SoundsEnabled</key>
            <false/>
        </dict>
    </array>
</dict>
</plist>
Thank you, this worked as I'd already added the custom Schema from here: https://www.alansiu.net/2021/01/13/managing-macos-notification-center-settings-using-a-jamf-profile/
For those less experienced in digging for Team Identifiers, Labels, etc., this page helped me out a lot:
https://hammen.medium.com/managing-login-items-for-macos-ventura-e78d627f88b6
Is anyone else ending up with this notification instead?
Yep. Just the one... 👍
It's strange why Apple will post that notification. The user can't do anything about it anyway.
It can be closed with this AppleScript:
tell application "System Events"
    try
        set _groups to groups of UI element 1 of scroll area 1 of group 1 of window "Notification Center" of application process "NotificationCenter"
        repeat with _group in _groups
            set temp to value of static text 1 of _group
            log temp
            if temp contains "Managed Login Items Added" then
                perform (first action of _group where description is "Close")
            end if
        end repeat
    end try
end tell
Well, Apple is Apple, but users can do something if the items are not locked down...they can potentially turn them off/on unless admins lock them down. I'm not sure Apple will totally remove all notifications as they are user-centric.
I don't mind that one as I have all mine locked down and notifications are off for all...
Yes, it's just that as part of our enrollment process we install MS Teams (and a few other tools), and after we log the user out (to activate FileVault) they log in, land on the desktop, and this one weird notification sticks out.
It's not the end of the world, but it annoys me.
If the user at some later point installs some software and the notification is shown, I don't mind. It makes sense (maybe also for the user) that one action led to the other.
But in our enrollment scenario, this single notification stands out.
I get it. I wish Apple would be user-centric, but when we're using Apple in the enterprise or EDU, let us manage them as we are tasked to do. They still don't seem to get it, and likely never will.
They keep claiming Apple is Enterprise Centric, but alas, not so much.
Yeah, I'm still waiting for this to be fixed:
https://community.jamf.com/t5/jamf-pro/big-sur-laptops-skipping-account-creation-during-dep-enrollment/td-p/236919
Is there any way whatsoever to block a notification like this for a .sh script? Presumably those don't have a Bundle ID (if they do I can't figure out how to find it) and this only applies to full blown .app applications?