Background Login Items - Ventura

DaneAbernathy
New Contributor III

Trying to set up a config profile for this new feature set. I have used Jamf's example and Apple's example as starting points, but the radio buttons for the items I have set to be managed are still able to be turned off and do not say they are managed like the Jamf apps are.

 

Has anyone else had success in getting a config profile to work for this yet?

1 ACCEPTED SOLUTION

Jason33
Contributor III
28 REPLIES

Jason33
Contributor III

That article worked very well for me... except the last point, #18. On my test computer where I upgraded from macOS 12 to macOS 13, the "Managed Login Items - Jamf Apps" is pushed immediately, but not my custom defined "Managed Login Items". Mine gets pushed only after the computer checks in, and I scoped it out as per the article #18 (Smart Group with a Profile Identifier of com.jamf.servicemanagement.backgroundapps).

I do have some users who would go look at what they can disable immediately after the upgrade, so I'm concerned about that. Any suggestions?

karthikeyan_mac
Valued Contributor

Service Management - Managed Login Items in iMazing Profile Editor will help to create the profile.
"sudo sfltool dumpbtm" will list all the login items and the details to add to the profile.

Thanks

naschenbrenner
New Contributor III

Here's what I got to finally work. Save the below as a .mobileconfig file, and then upload it to Jamf after updating your org name. You'll have to generate new PayloadUUIDs with uuidgen in Terminal if you use this as a template for other applications.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Service Management - Managed Login Items</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.servicemanagement.1ED2CC51-41E0-49EB-A8D1-E6B5C3A283CC</string>
			<key>PayloadType</key>
			<string>com.apple.servicemanagement</string>
			<key>PayloadUUID</key>
			<string>1ED2CC51-41E0-49EB-A8D1-E6B5C3A283CC</string>
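			<key>PayloadVersion</key>
			<integer>1</integer>
			<!-- Rules: one dict per background/login item to lock on -->
			<key>Rules</key>
			<array>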
				<dict>
					<key>Comment</key>
					<string>Zoom</string>
					<key>RuleType</key>
					<string>Label</string>
					<key>RuleValue</key>
					<string>us.zoom.ZoomDaemon</string>
				</dict>
			</array>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Zoom - Managed Background and Login Items</string>
	<key>PayloadIdentifier</key>
	<string>YOURORGHERE.87731DFF-DE49-482B-958F-0623F514D2AF</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>87731DFF-DE49-482B-958F-0623F514D2AF</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

Thanks! What is the Preference Domain assignment in this Zoom example?

chrisB
Contributor II

For "Managed Login Items" the preference domain is always

com.apple.servicemanagement

 

DaneAbernathy
New Contributor III

I had never tried iMazing before, thank you to both who suggested it! Holy crap, this is going to make things easier.

awjohnso
New Contributor

Can't get this to work. I tried the profile created by naschenbrenner above. I changed the UUID codes and uploaded it to Jamf. It pushes out to the workstation, and the profile installs. However, the toggles in Login Items can still be changed. The computer I am testing with is Ventura 13.0.1. It was upgraded from the Beta... so maybe something is not working right? I also tried to add the team ID and the LabelPrefix:

<dict>
	<key>RuleType</key>
	<string>TeamIdentifier</string>
	<key>RuleValue</key>
	<string>BJ4HAAB9B3</string>
</dict>
<dict>
	<key>RuleType</key>
	<string>LabelPrefix</string>
	<key>RuleValue</key>
	<string>us.zoom</string>
</dict>

 I will try to re-install the computer with Ventura 13.0.1 from scratch to see if this fixes the issue...
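A pre-upload check for the symptom described above (the profile installs but the toggles stay editable), as an added example that is not from the thread: it parses a .mobileconfig with plistlib and reports structural problems in any com.apple.servicemanagement payload. The names `lint_login_items_profile` and `wrap` and both sample profiles are constructed for illustration.

```python
import plistlib

# Rule types documented for the com.apple.servicemanagement payload.
RULE_TYPES = {"BundleIdentifier", "BundleIdentifierPrefix", "Label",
              "LabelPrefix", "TeamIdentifier"}

def lint_login_items_profile(data):
    """Return a list of problems found in com.apple.servicemanagement payloads."""
    profile = plistlib.loads(data)
    problems = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.servicemanagement"]
    if not payloads:
        problems.append("no com.apple.servicemanagement payload")
    for n, payload in enumerate(payloads):
        # bool is a subclass of int, so compare the exact type.
        if type(payload.get("PayloadVersion")) is not int:
            problems.append(f"payload {n}: PayloadVersion is not an integer")
        rules = payload.get("Rules")
        if not isinstance(rules, list) or not rules:
            problems.append(f"payload {n}: Rules array missing or empty")
            continue
        for i, rule in enumerate(rules):
            if rule.get("RuleType") not in RULE_TYPES:
                problems.append(f"payload {n} rule {i}: unknown RuleType {rule.get('RuleType')!r}")
            value = rule.get("RuleValue")
            if not isinstance(value, str) or not value.strip():
                problems.append(f"payload {n} rule {i}: RuleValue missing or empty")
    return problems

def wrap(payload):
    """Constructed helper: put one payload inside a minimal Configuration profile."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": [payload]})

RULE = {"RuleType": "Label", "RuleValue": "us.zoom.ZoomDaemon"}
# Constructed samples: rules placed under the wrong key, then the expected layout.
BAD = wrap({"PayloadType": "com.apple.servicemanagement", "PayloadVersion": [RULE]})
GOOD = wrap({"PayloadType": "com.apple.servicemanagement", "PayloadVersion": 1,
             "Rules": [RULE]})

if __name__ == "__main__":
    for name, data in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint_login_items_profile(data) or "ok")
```

A clean result only means the payload is well formed; whether a rule matches the item still has to be checked against the `sudo sfltool dumpbtm` output on the target Mac.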

pueo
Contributor II

Hello,

Use the accepted solution mentioned above. It works really well and is very easy to create.  I was quite impressed with it. 

scottb
Honored Contributor

Here is the Profile info from using Robert Hammen's info.  Used iMazing Profile Editor to build it and then upload it.  Works great...no more notifications.  Just scoped to enrollment for Smart Group "macOS 13."

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>NotificationSettings</key>
			<array>
				<dict>
					<key>BundleIdentifier</key>
					<string>com.apple.BTMNotificationAgent</string>
					<key>NotificationsEnabled</key>
					<false/>
				</dict>
			</array>
			<key>PayloadIdentifier</key>
			<string>com.apple.notificationsettings.12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadType</key>
			<string>com.apple.notificationsettings</string>
			<key>PayloadUUID</key>
			<string>12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadDisplayName</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.notificationsettings.5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

 

pueo
Contributor II

@scottb Thanks for sharing your solution Scott.  A general question regarding your solution and Robert Hammen. Once we deploy the Disable Notifications to our fleet will it block ALL Notifications from any software or just the titles related to the Managed Logins?
I already have notifications disabled for Qualys, Forescout, FireEye etc.  So wondering if I need to make more changes.

Thanks 

scottb
Honored Contributor

@pueo - did you block Notifications or did you lock down those with Agents/Daemons (login)?

The one above will silence 'em all, and you don't (AFAIK) have to alter it.  The one I made to lockdown the Login items I need to update as I add new Team Identifiers to the list.  The profile above will stop you from being told about new Login Items being added...

Similar, but different items...

pueo
Contributor II

@scottb 

For the apps I mentioned I used Notification and the specific Bundle ID to block them.

You say the one above will silence them all.  Is that ALL notifications for ALL Apps or just  New Login Items as mentioned in the last line. It was not clear to me.

MrRoboto
Contributor III

Login Item management is not built into the latest Jamf Pro version? We should continue to use Robert Hammen's solution? 

jbutler47
Contributor II

To block the "Managed Login Items Added" notification, use this simple procedure:

 

  • Create a new Configuration Profile
    • Set to Computer level
  • Select the Notifications payload
    • Leave App Name blank
    • Enter "com.apple.btmnotificationagent" into the Bundle ID field
    • Select Disable for Critical alerts
    • Select Disable for Notifications
  • Scope to a test machine to test
  • Save Profile

 

 

AviL
New Contributor

THANK YOU !!!!!!!

jbutler47
Contributor II

Another way to block the "Managed Login Items Added" notification is to:

 

  • Create a new Configuration Profile
  • Set to Computer Level
  • Select Notifications payload
  • Skip App Name field, leave it blank
  • Enter "com.apple.btmnotificationagent" for the Bundle ID
  • Select Disable for Critical Alerts
  • Select Disable for Notifications
  • Scope to test machine(s)
  • Save Profile

 

This works great for turning it off for all apps. What if I want to do it for one? Our security wants us to install the Rapid7 agent and I can't figure out how to do this just for that. Can you help?

Thanks!

brad-h
New Contributor II

You can still allow notifications per app, this just turns off the notification that a background item was added.

A question. Does this only block the notifications like "Software from "" added items that can run......." or does it block all notifications from this app?

We use Nomad. The Nomad item is successfully added to the login items.
Screenshot 2023-10-26 at 11.43.30.png
But when logging in and regularly during a logged in session we get these notifications:
Screenshot 2023-10-24 at 12.10.18.png

So, blocking these notifications is perfect. But, notifications from Nomad itself should be allowed.
We just don't want the notification as shown above. 

Yes, if you follow @jbutler47's steps above it will disable any notification that a background item was added, but not the actual application notifications. NoMAD will continue to prompt users when their passwords are mismatched/approaching expiration. 

MacJunior
Contributor III

I'm trying to grey out elastic-agent in the login items in Ventura but it still doesn't work!

After running this command "sudo sfltool dumpbtm" I got this about Elastic agent:

#15:
                 UUID: F8A306A3-45BB-4B2B-A1CE-DD5824BB6D7A
                 Name: elastic-agent
       Developer Name: (null)
                 Type: legacy daemon (0x10010)
          Disposition: [enabled, allowed, visible, notified] (11)
           Identifier: co.elastic.elastic-agent
                  URL: file:///Library/LaunchDaemons/co.elastic.elastic-agent.plist
      Executable Path: /usr/local/bin/elastic-agent
           Generation: 1
    Parent Identifier: Unknown Developer

 

I built a profile like this one below but it still doesn't work! Any tips, please?

Screenshot 2023-01-18 at 15.20.43.png

Change the "Rule Type" from "BundleIdentifier" to "Label" and use the name of the plist without suffix ("co.elastic.elastic-agent") as the "Rule Value".

MacJunior
Contributor III

Actually it worked by choosing LabelPrefix as the rule type and the value is co.elastic
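The step discussed above, turning a `sudo sfltool dumpbtm` record into a managed login item rule, as an added example that is not from the thread. It follows the reply's advice (Label = LaunchDaemon plist name without the suffix); the function names are hypothetical, and treating every Type that starts with "legacy" as a launchd plist item is an assumption.

```python
import plistlib
import re
import uuid

# The elastic-agent record quoted in the thread, trimmed to the fields used here.
SAMPLE_DUMP = """\
 #15:
                 Name: elastic-agent
                 Type: legacy daemon (0x10010)
           Identifier: co.elastic.elastic-agent
                  URL: file:///Library/LaunchDaemons/co.elastic.elastic-agent.plist
"""

def parse_dumpbtm(text):
    """Split `sfltool dumpbtm` output into one dict per '#N:' record."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"#\d+:", line):
            records.append({})
        elif records and ": " in line:
            key, value = line.split(": ", 1)
            records[-1][key.strip()] = value.strip()
    return records

def rule_for(record):
    """Label rule for a launchd plist item; None for anything else."""
    # Assumption: a Type starting with "legacy" is a LaunchDaemon/LaunchAgent plist.
    if not record.get("Type", "").startswith("legacy"):
        return None  # apps and helpers need a bundle or team rule chosen by hand
    # Per the thread: the Label is the plist file name without its suffix.
    match = re.search(r"/([^/]+)\.plist$", record.get("URL", ""))
    label = match.group(1) if match else record.get("Identifier", "")
    rule = {"RuleType": "Label", "RuleValue": label, "Comment": record.get("Name", label)}
    return rule if label else None

def build_profile(rules, org="YOURORGHERE"):
    """Wrap the rules in a com.apple.servicemanagement payload; returns plist bytes."""
    inner, outer = (str(uuid.uuid4()).upper() for _ in range(2))
    payload = {"PayloadType": "com.apple.servicemanagement", "PayloadVersion": 1,
               "PayloadIdentifier": f"com.apple.servicemanagement.{inner}",
               "PayloadUUID": inner, "Rules": rules}
    profile = {"PayloadContent": [payload], "PayloadType": "Configuration",
               "PayloadDisplayName": "Managed Background and Login Items",
               "PayloadIdentifier": f"{org}.{outer}", "PayloadUUID": outer,
               "PayloadScope": "System", "PayloadVersion": 1}
    return plistlib.dumps(profile)

if __name__ == "__main__":
    rules = [r for r in map(rule_for, parse_dumpbtm(SAMPLE_DUMP)) if r]
    print(build_profile(rules).decode())
```

To cover every item from one vendor, as in the LabelPrefix result reported above, change the generated rule's RuleType to LabelPrefix and shorten RuleValue to the shared prefix by hand.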

 

dlondon
Valued Contributor

Looks like Managed Login Items is a section in Jamf Pro in the built in Configuration Profiles section

brad-h
New Contributor II

That's correct if you're using Jamf 10.42+

Prior to 10.42 you won't have that section available and will have to create your own config profile per the discussions in this thread.

karthikeyan_mac
Valued Contributor

@bootrec We had the same problem and ended up using a startup policy with a script to update inventory if the macOS is Ventura and scope the profiles to macOS Ventura smart group.

Thanks.

 

#!/bin/bash
#
# Run recon if the Mac is running macOS Ventura.
#
IFS='.' read osvers_major osvers_minor osvers_dot_version <<< "$(/usr/bin/sw_vers -productVersion)"
if [[ ${osvers_major} -eq 13 ]]; then
	echo "macOS Ventura $osvers_major.$osvers_minor.$osvers_dot_version"
	jamf recon
else
	echo "Device not running macOS Ventura. Inventory update not required at startup"
fi

 

 

SMR1
Contributor III

I created the below, but I'm still getting the background notification message.

  • Create a new Configuration Profile
    • Set to Computer level
  • Select the Notifications payload
    • Leave App Name blank
    • Enter "com.apple.btmnotificationagent" into the Bundle ID field
    • Select Disable for Critical alerts
    • Select Disable for Notifications
  • Scope to a test machine to test
  • Save Profile