Posted on β10-26-2022 05:43 AM
Trying to set up a config profile for this new feature set. I have used Jamf's example and Apple's example as starting points, but the radio buttons for the items I have set to be managed are still able to be turned off and do not say they are managed like the Jamf apps are.
Has anyone else had success in getting a config profile to work for this yet?
Solved! Go to Solution.
Posted on β10-26-2022 06:23 AM
Use iMazing Profile Editor and this guide
https://hammen.medium.com/managing-login-items-for-macos-ventura-e78d627f88b6
Posted on β10-26-2022 06:23 AM
Use iMazing Profile Editor and this guide
https://hammen.medium.com/managing-login-items-for-macos-ventura-e78d627f88b6
Posted on β11-30-2022 01:29 PM
That article worked very well for me... except the last point, #18. On my test computer where I upgrade from macOS 12 to macOS 13, the "Managed Login Items - Jamf Apps" is pushed immediately, but not my custom defined "Managed Login Items". Mine gets pushed only after the computer checks-in, and I scoped it out as per the article #18 (Smart Group with a Profile Identifier of com.jamf.servicemanagement.backgroundapps).
I do have some users who would go look at what they can disable immediately after the upgrade, so I'm concerned about that. Any suggestions?
Posted on β10-26-2022 06:41 AM
Service Management - Managed Login Items in iMazing Profile Editor will help to create the profile.
"sudo sfltool dumpbtm" will list all the login items and details to add it in the profile.
Thanks
Posted on β10-31-2022 01:26 PM
Here's what I got to finally work. Save the below as a .mobileconfig file, and then upload it to Jamf after updating your org name. You'll have to generate new PayloadUUID's with uuidgen in terminal if you use this as a template for other applications.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Service Management - Managed Login Items</string>
<key>PayloadIdentifier</key>
<string>com.apple.servicemanagement.1ED2CC51-41E0-49EB-A8D1-E6B5C3A283CC</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
<key>PayloadUUID</key>
<string>1ED2CC51-41E0-49EB-A8D1-E6B5C3A283CC</string>
<key>PayloadVersion</key>
<array>
<dict>
<key>Comment</key>
<string>Zoom</string>
<key>RuleType</key>
<string>Label</string>
<key>RuleValue</key>
<string>us.zoom.ZoomDaemon</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Zoom - Managed Background and Login Items</string>
<key>PayloadIdentifier</key>
<string>YOURORGHERE.87731DFF-DE49-482B-958F-0623F514D2AF</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>87731DFF-DE49-482B-958F-0623F514D2AF</string>
</dict>
</plist>
Posted on β11-06-2022 08:53 PM
Thanks! What is the Preference Domain assignment in this zoom example?
Posted on β11-11-2022 06:24 AM
For "Managed Login Items" the preference domain is always
com.apple.servicemanagement
Posted on β11-01-2022 04:46 AM
I had never tried iMazing before, thank you both that suggested it! Holy crap this is going to make things easier
Posted on β11-23-2022 09:13 AM
Can't get this to work. I tried the profile created by naschenbrenner above. I changed the UUID codes and uploaded it to Jamf. It pushes out to the workstation, and the profile installs. However the toggles in LoginItems can be still changed. The computer I am testing with is Ventura 13.0.1. It was upgraded from the Beta... so maybe something is not working right? I also tried to add the team id, and the LabelPrefix:
<dict>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>BJ4HAAB9B3</string>
</dict>
<dict>
<key>RuleType</key>
<string>LabelPrefix</string>
<key>RuleValue</key>
<string>us.zoom</string>
</dict>
I will try to re-install the computer with Ventura 13.0.1 from scratch to see if this fixes the issue...
β11-29-2022 03:55 PM - edited β11-30-2022 03:26 PM
Hello,
Use the accepted solution mentioned above. It works really well and is very easy to create. I was quite impressed with it.
Posted on β12-12-2022 01:06 PM
Here is the Profile info from using Robert Hammen's info. Used iMazing Profile Editor to build it and then upload it. Works great...no more notifications. Just scoped to enrollment for Smart Group "macOS 13."
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>BundleIdentifier</key>
<string>com.apple.BTMNotificationAgent</string>
<key>NotificationsEnabled</key>
<false/>
</dict>
</array>
<key>PayloadIdentifier</key>
<string>com.apple.notificationsettings.12c05d0d-6231-4621-9ac6-a781a626951b</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>12c05d0d-6231-4621-9ac6-a781a626951b</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disable Background Task Management Notifications</string>
<key>PayloadDisplayName</key>
<string>Disable Background Task Management Notifications</string>
<key>PayloadIdentifier</key>
<string>com.apple.notificationsettings.5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
β12-13-2022 01:41 PM - edited β12-13-2022 01:43 PM
@scottb Thanks for sharing your solution Scott. A general question regarding your solution and Robert Hammen. Once we deploy the Disable Notifications to our fleet will it block ALL Notifications from any software or just the titles related to the Managed Logins?
I already have notifications disabled for Qualys, Forescout, FireEye etc. So wondering if I need to make more changes.
Thanks
β12-13-2022 02:31 PM - edited β12-13-2022 02:33 PM
@pueo - did you block Notifications or did you lock down those with Agents/Daemons (login)?
The one above will silence 'em all, and you don't (AFAIK) have to alter it. The one I made to lockdown the Login items I need to update as I add new Team Identifiers to the list. The profile above will stop you from being told about new Login Items being added...
Similar, but different items...
Posted on β12-13-2022 03:18 PM
For the apps I mentioned I used Notification and the specific Bundle ID to block them.
You say the one above will silence them all. Is that ALL notifications for ALL Apps or just New Login Items as mentioned in the last line. It was not clear to me.
Posted on β12-14-2022 09:59 AM
Login Item management is not built into the latest Jamf Pro version? We should continue to use Robert Hammen's solution?
Posted on β12-20-2022 07:37 AM
To block the "Managed Login Items Added" notification, use this simple procedure:
Posted on β12-20-2022 07:40 AM
Another way to block the "Managed Login Items Added" notification is to:
2 weeks ago
This works great for turning it off for all apps. What if I want to do if for one? Our security wants us to install the Rapid7 agent and I can't figure out how to do this just for that. Can you help?
Thanks!
2 weeks ago
I'm trying to grey out elastic-agent in the login items in Ventura but it still doesn't work!
after running this command "sudo sfltool dumpbtm" I got this about Elastic agent :
#15:
UUID: F8A306A3-45BB-4B2B-A1CE-DD5824BB6D7A
Name: elastic-agent
Developer Name: (null)
Type: legacy daemon (0x10010)
Disposition: [enabled, allowed, visible, notified] (11)
Identifier: co.elastic.elastic-agent
URL: file:///Library/LaunchDaemons/co.elastic.elastic-agent.plist
Executable Path: /usr/local/bin/elastic-agent
Generation: 1
Parent Identifier: Unknown Developer
I built a profile like this one below but it still doesn't work ! any tips please?
a week ago - last edited a week ago
Change the "Rule Type" from "BundleIdentifier" to "Label" and use the name of the plist without suffix ("co.elastic.elastic-agent") as the "Rule Value".