Managed Login Items - Configuration Profile Timing

MTFIDjamf
Contributor II

History - We currently have all of our Computer Level Profiles install as the device is enrolled, apps/system settings/etc.    Followed the same workflow for the Managed Login Items (mix of Team ID and label, depending on need) for Ventura.

Issue - If the Profile is present (enrollment) before the base application stack is installed, post-app install the Login Item slider is NOT grayed out. No matter if rebooted, etc. Always able to slide it off/on.   Unexpected behavior as we see it.

If no Profile present, install our application stack, and THEN apply the Profile, the sliders are grayed out and cannot be altered. 

I suppose the question is...is this expected? 

Should the Login Items Profile not be applied until after the targeted applications are installed? This would run contrary to our normal workflow for Profiles that has been in use for some time (Profile first, then apps, etc). 

7 REPLIES 7

Tribruin
Valued Contributor II

That should not be correct. We apply our Managed Login Items profile immediately during enrollment, long before some of the affected applications get installed. And all of them are correctly enabled and greyed out. 

That is what we thought should be happening. Spoke with our Apple Rep and he advised asking here (maybe Slack) to get more input.
If more folks are seeing the opposite of what we see, sounds like it might be Jamf Support time...

AJPinto
Honored Contributor III

I have not seen this behavior. Is it just a single application doing the thing, or any application providing the conditions are met does the thing? (thing being the manage login items is not enforced correctly)

All applications that we have in scope of the Profile settings do the same thing. 

AJPinto
Honored Contributor III

Hrm, it could be a bug with that specific application and how it handles background services since that is a relatively new feature of macOS. 

 

The two things my brain goes to:

  • Is the application up to date, or is it running an older release from late last year or worse before Ventura was released?
  • Are you keeping your background services in their own configuration profiles, or are you lumping multiple together? 
    • Generally speaking unrelated items should be in individual configuration profiles. Lumping stuff together makes making changes more risky as you are messing with unrelated things and it can also cause issues.

Applications are up to date, most using built-in auto update mechanisms. Everything Ventura certified.

It is affecting all applications that we wish to block the user from touching the slide under Login Items. Whether we set one or five.

It is one Config Profile that is controlling only the settings for the Login Items (encompassing the apps we wish to gray out). Example name:  "Managed Login Items - OurCompanyName v1.0"

Loic
New Contributor III

Hi everyone

I'm getting this behavior while deploying CrowdStrike Falcon.
I'm pretty sure that the CrowdStrike Configuration Profile is installed before the Falcon app (since CPs are deployed  faster than policies).
I verified 3 laptops and all their Login Items for the particular CrowdStrike Profile is not greyed out 😑

Did you manage to fix this issue, please ?