Help

Prevent Users (admin) to disable SentinelOne in background items

Go to solution
072
New Contributor

Posted on ‎10-26-2023 06:09 AM

Hi,

 

We rolled out SentinelOne a couple of months ago, now we noticed users disabling SentinelOne under

LoginItems>Allow in the Background in the system settings. 

 

What is the best way to disable this? 

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
AJPinto
Honored Contributor III

Posted on ‎10-26-2023 08:31 AM

Use a configuration profile to manage the background item. Honestly, you want a configuration profile for pretty much every application you don't want users to be able to disable.

 

AJPinto_0-1698334128852.png

 

View solution in original post

Reply
8 REPLIES 8

Go to solution
PaulHazelden
Valued Contributor

Posted on ‎10-26-2023 06:27 AM

Build a config to add the Background items, and push it out from Jamf.
I used iMazing profile editor to make mine. It is in the Service Management section.
Find the Team identifier or bundle identifier etc, and add them in as a rule value.
Once they are installed, they are marked as managed by MDM and are not changeable.

0 Kudos
Reply

Go to solution
PaulHazelden
Valued Contributor
In response to PaulHazelden

Posted on ‎10-26-2023 06:42 AM

Original Post for this with instructions...

https://community.jamf.com/t5/jamf-pro/background-login-items-ventura/m-p/276568#M250670

0 Kudos
Reply

Go to solution
AJPinto
Honored Contributor III

Posted on ‎10-26-2023 08:31 AM

Use a configuration profile to manage the background item. Honestly, you want a configuration profile for pretty much every application you don't want users to be able to disable.

 

AJPinto_0-1698334128852.png

 

Reply

Go to solution
072
New Contributor
In response to AJPinto

Posted on ‎10-26-2023 09:04 AM

This seems to be working, is this also working for Monterey or only Ventura/Sonoma?

0 Kudos
Reply

Go to solution
AJPinto
Honored Contributor III
In response to 072

Posted on ‎10-26-2023 09:38 AM

This function was added in Ventura and continued in Sonoma. Background Items preference pane did not exist in Monterey, and they cannot be managed or disabled by the user.

0 Kudos
Reply

Go to solution
072
New Contributor

Posted on ‎10-26-2023 08:35 AM

I created the btmdump.text file, i see a lot of different Sentinel UUID's like Sentinel Labs Incl., SentinelOne Extensions, Sentinel_Helper etc etc. 

In the iMazing Profile Editor i created  Service Management - Managed Login Items, there i fill in 

Rule Type: TeamIdentifier, Rule Value, Comment and Team Identifier. 

Which rule value do i need to fill in?

For example the first UUID i has the following information: name, type, disposition, identifier, url, generation, embedded item identifier etc. Not sure which of these field can be used to fill in at the rule value in the iMazing Profile Editor.

 

0 Kudos
Reply

Go to solution
PaulHazelden
Valued Contributor

Posted on ‎10-27-2023 12:43 AM

Rule type has to match the Rule value
For Google I have a rule type of Team Identifier, and the Rule Value is EQHXZ8M8AV.
Team Identifiers are usually a code like this.
Bundle Identifier for Google is com.google.

Bundle Identifiers normmally follow this pattern.

0 Kudos
Reply

Go to solution
scottb
Honored Contributor

Posted on ‎10-27-2023 08:49 AM

This is what ours looks like - you can add/subtract items on the fly and it works great:

scottb_0-1698421768456.png

 

0 Kudos
Reply