Background Login Items - Ventura

DaneAbernathy
New Contributor III

Trying to set up a config profile for this new feature set. I have used Jamf's example and Apple's example as starting points, but the radio buttons for the items I have set to be managed are still able to be turned off and do not say they are managed like the Jamf apps are.

 

Has anyone else had success in getting a config profile to work for this yet?

1 ACCEPTED SOLUTION

Jason33
Contributor III

bootrec
New Contributor III

That article worked very well for me... except the last point, #18. On my test computer where I upgrade from macOS 12 to macOS 13, the "Managed Login Items - Jamf Apps" is pushed immediately, but not my custom defined "Managed Login Items". Mine gets pushed only after the computer checks-in, and I scoped it out as per the article #18 (Smart Group with a Profile Identifier of com.jamf.servicemanagement.backgroundapps). 

I do have some users who would go look at what they can disable immediately after the upgrade, so I'm concerned about that. Any suggestions?

karthikeyan_mac
Contributor III

Service Management - Managed Login Items in iMazing Profile Editor will help to create the profile. 
"sudo sfltool dumpbtm" will list all the login items and details to add it in the profile.

Thanks

naschenbrenner
New Contributor III

Here's what I got to finally work. Save the below as a .mobileconfig file, and then upload it to Jamf after updating your org name. You'll have to generate new PayloadUUIDs with uuidgen in Terminal if you use this as a template for other applications.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Service Management - Managed Login Items</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.servicemanagement.1ED2CC51-41E0-49EB-A8D1-E6B5C3A283CC</string>
			<key>PayloadType</key>
			<string>com.apple.servicemanagement</string>
			<key>PayloadUUID</key>
			<string>1ED2CC51-41E0-49EB-A8D1-E6B5C3A283CC</string>
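			<key>PayloadVersion</key>
			<integer>1</integer>
			<!-- Rules: the login/background items this payload manages -->
			<key>Rules</key>
			<array>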
				<dict>
					<key>Comment</key>
					<string>Zoom</string>
					<key>RuleType</key>
					<string>Label</string>
					<key>RuleValue</key>
					<string>us.zoom.ZoomDaemon</string>
				</dict>
			</array>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Zoom - Managed Background and Login Items</string>
	<key>PayloadIdentifier</key>
	<string>YOURORGHERE.87731DFF-DE49-482B-958F-0623F514D2AF</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>87731DFF-DE49-482B-958F-0623F514D2AF</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

Thanks! What is the Preference Domain assignment in this zoom example?

For "Managed Login Items" the preference domain is always

com.apple.servicemanagement

 

DaneAbernathy
New Contributor III

I had never tried iMazing before, thank you both that suggested it! Holy crap this is going to make things easier

awjohnso
New Contributor

Can't get this to work. I tried the profile created by naschenbrenner above. I changed the UUID codes and uploaded it to Jamf. It pushes out to the workstation, and the profile installs. However, the toggles in LoginItems can still be changed. The computer I am testing with is Ventura 13.0.1. It was upgraded from the Beta... so maybe something is not working right? I also tried to add the team id, and the LabelPrefix:

<dict>
	<key>RuleType</key>
	<string>TeamIdentifier</string>
	<key>RuleValue</key>
	<string>BJ4HAAB9B3</string>
</dict>
<dict>
	<key>RuleType</key>
	<string>LabelPrefix</string>
	<key>RuleValue</key>
	<string>us.zoom</string>
</dict>

 I will try to re-install the computer with Ventura 13.0.1 from scratch to see if this fixes the issue...

pueo
Contributor II

Hello,

Use the accepted solution mentioned above. It works really well and is very easy to create.  I was quite impressed with it. 

scottb
Honored Contributor

Here is the Profile info from using Robert Hammen's info.  Used iMazing Profile Editor to build it and then upload it.  Works great...no more notifications.  Just scoped to enrollment for Smart Group "macOS 13."

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>NotificationSettings</key>
			<array>
				<dict>
					<key>BundleIdentifier</key>
					<string>com.apple.BTMNotificationAgent</string>
					<key>NotificationsEnabled</key>
					<false/>
				</dict>
			</array>
			<key>PayloadIdentifier</key>
			<string>com.apple.notificationsettings.12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadType</key>
			<string>com.apple.notificationsettings</string>
			<key>PayloadUUID</key>
			<string>12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadDisplayName</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.notificationsettings.5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

 

pueo
Contributor II

@scottb Thanks for sharing your solution Scott.  A general question regarding your solution and Robert Hammen. Once we deploy the Disable Notifications to our fleet will it block ALL Notifications from any software or just the titles related to the Managed Logins?
I already have notifications disabled for Qualys, Forescout, FireEye etc.  So wondering if I need to make more changes.

Thanks 

scottb
Honored Contributor

@pueo - did you block Notifications or did you lock down those with Agents/Daemons (login)?

The one above will silence 'em all, and you don't (AFAIK) have to alter it.  The one I made to lockdown the Login items I need to update as I add new Team Identifiers to the list.  The profile above will stop you from being told about new Login Items being added...

Similar, but different items...

pueo
Contributor II

@scottb 

For the apps I mentioned I used Notification and the specific Bundle ID to block them.

You say the one above will silence them all.  Is that ALL notifications for ALL Apps or just  New Login Items as mentioned in the last line. It was not clear to me.

MrRoboto
Contributor II

Login Item management is not built into the latest Jamf Pro version? We should continue to use Robert Hammen's solution? 

jbutler47
Contributor

To block the "Managed Login Items Added" notification, use this simple procedure:

 

  • Create a new Configuration Profile
    • Set to Computer level
  • Select the Notifications payload
    • Leave App Name blank
    • Enter "com.apple.btmnotificationagent" into the Bundle ID field
    • Select Disable for Critical alerts
    • Select Disable for Notifications
  • Scope to a test machine to test
  • Save Profile

 

 

jbutler47
Contributor

Another way to block the "Managed Login Items Added" notification is to:

 

  • Create a new Configuration Profile
  • Set to Computer Level
  • Select Notifications payload
  • Skip App Name field, leave it blank
  • Enter "com.apple.btmnotificationagent" for the Bundle ID
  • Select Disable for Critical Alerts
  • Select Disable for Notifications
  • Scope to test machine(s)
  • Save Profile

 

This works great for turning it off for all apps. What if I want to do it for one? Our security wants us to install the Rapid7 agent and I can't figure out how to do this just for that. Can you help?

Thanks!

MacJunior
Contributor II

I'm trying to grey out elastic-agent in the login items in Ventura but it still doesn't work!

After running this command "sudo sfltool dumpbtm" I got this about Elastic agent:

#15:
                 UUID: F8A306A3-45BB-4B2B-A1CE-DD5824BB6D7A
                 Name: elastic-agent
       Developer Name: (null)
                 Type: legacy daemon (0x10010)
          Disposition: [enabled, allowed, visible, notified] (11)
           Identifier: co.elastic.elastic-agent
                  URL: file:///Library/LaunchDaemons/co.elastic.elastic-agent.plist
      Executable Path: /usr/local/bin/elastic-agent
           Generation: 1
    Parent Identifier: Unknown Developer

 

I built a profile like this one below but it still doesn't work! Any tips, please?

Screenshot 2023-01-18 at 15.20.43.png

Change the "Rule Type" from "BundleIdentifier" to "Label" and use the name of the plist without suffix ("co.elastic.elastic-agent") as the "Rule Value".
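The workflow discussed in this thread (read `sudo sfltool dumpbtm`, then write a `Label` rule named after the launchd plist) can be scripted. The following is an added example, not code from any poster or from Jamf or Apple; the function names `parse_btm`, `label_rules` and `build_profile` are hypothetical, and the sample text is constructed from the fields quoted above.

```python
import plistlib
import uuid

# Constructed sample: entry #15 repeats fields quoted in the thread;
# entries #16 and #17 are hypothetical.
SAMPLE = """\
 #15:
                 Name: elastic-agent
                 Type: legacy daemon (0x10010)
           Identifier: co.elastic.elastic-agent
                  URL: file:///Library/LaunchDaemons/co.elastic.elastic-agent.plist
 #16:
                 Name: Example Helper
                 Type: legacy agent
                  URL: file:///Library/LaunchAgents/com.example.helper.plist
 #17:
                 Name: Example App
                 Type: app
                  URL: file:///Applications/Example.app/
"""

def parse_btm(text):
    """Return one dict of field -> value per '#N:' entry of the dump."""
    items = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#") and line.endswith(":"):
            items.append({})
        elif items and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            items[-1][key.strip()] = value.strip()
    return items

def label_rules(items):
    """Label rule for each item backed by a launchd plist; others are skipped."""
    rules = []
    for item in items:
        name = item.get("URL", "").rsplit("/", 1)[-1]
        if name.endswith(".plist"):
            label = name[: -len(".plist")]  # plist file name without suffix
            rules.append({"RuleType": "Label", "RuleValue": label,
                          "Comment": item.get("Name", label)})
    return rules

def build_profile(rules, org="YOURORGHERE"):
    """Wrap rules in a com.apple.servicemanagement payload with fresh UUIDs."""
    inner, outer = (str(uuid.uuid4()).upper() for _ in range(2))
    payload = {"PayloadType": "com.apple.servicemanagement", "PayloadVersion": 1,
               "PayloadIdentifier": f"com.apple.servicemanagement.{inner}",
               "PayloadUUID": inner, "Rules": rules}
    return plistlib.dumps({"PayloadContent": [payload], "PayloadType": "Configuration",
        "PayloadVersion": 1, "PayloadIdentifier": f"{org}.{outer}", "PayloadUUID": outer,
        "PayloadDisplayName": "Managed Background and Login Items"})
```

Write the bytes returned by `build_profile(label_rules(parse_btm(dump_text)))` to a .mobileconfig file and review the generated rules before uploading it.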