"Login items added" in Ventura

PhillyPhoto
Contributor III

Please tell me we're going to be able to suppress these and a million notifications aren't the future for end users:

Screenshot 2022-07-26 at 20.47.17.png


sdagley
Honored Contributor III

@PhillyPhoto Apple has gotten a _lot_ of feedback that these notifications are detrimental to organizational managed Macs, and they have acknowledged that they need to provide the ability to suppress those messages. Exactly when that's going to arrive in the beta cycle is anyone's guess.

patthew
New Contributor

The notifications are very annoying but what really concerns me is how easy it is to effectively unmanage your machine by unchecking anything you don’t want. I hope I’m missing something, but at this point it seems like anyone can just kill all of our corporate security and management software.

Fluffy
Contributor III

I've only been administrating Macs for a year, but there is a general feel I've been getting. Things like users should be in control of the devices they use. The user should be comfortable using their device. With things like not having a replacement for a Firmware Password on M1 devices really shows Apple has not been thinking about businesses managing Macs until people put them on blast.

Hey Fluffy,
There are ways to set the recovery lock on the M1s right now, I am not using them though. I'm waiting for Jamf to drop their supported version but there are ways if you really need it.
https://community.jamf.com/t5/jamf-pro/anyone-using-the-m1-quot-set-recovery-lock-quot-command/m-p/2... 
https://gingerscripting.com/setting-an-apple-silicon-recovery-lock-password-through-the-jamf-api/ 

I get the sentiment all the time from employees: they want to install their own apps and be their own admins. The problem with that is they either A) Can barely use the Mac or B) Know just enough to get in trouble.

Each upgrade now since Catalina they've been making it harder and harder to administer over the Macs. I completely understand the user of the Mac's experience should come first and their privacy, but we need to make it as easy and secure for them as possible to do their job. Apple's probably working on their own MDM solution, watch it have the power to do everything.


Qwheel
Contributor II

An interesting thread.

Why are there organisations out there that have JAMF, yet give everyone admin accounts?

This isn’t ISO or CSE+ compliant.

Regarding the notifications, I haven’t checked Ventura yet, but surely these can be killed with a custom tourist config profile?

I kill a heap of these on shared devices with many applications.

colordean
New Contributor II

Because there are still an increasing number of items that even admins cannot change when managed via MDM and giving everyone a standard user account heavily increases administrative burden on IT.

roiegat
Contributor III

Following thread since when building test machines I get those popping up left and right.

vic-ama
New Contributor

This is a mess for my automated enrollment workflow for sure. Hope the stable version provides a way to block this for managed distributions.

sshort
Valued Contributor

Apple recently posted a new PDF on AppleSeed called "2022 Login and Background Item Management Test Plan" that contains a sample config profile that you can use to suppress the notifications and prevent users from disabling the launchdaemons that your org configures in the System Settings app.

I have just begun to test this in my environment, so don't have a real-world example profile yet but I will post one when I've got everything working.

Do you have a link?

sdagley
Honored Contributor III

@PhillyPhoto If you don't have access to AppleSeed then a link wouldn't be useful, and if you do have access you'll know where to find the document @sshort referenced.

I don't use it that much, but I do have access but can't find anything that has PDFs.

sdagley
Honored Contributor III

@PhillyPhoto Go to the Downloads tab after logging in to AppleSeed and you'll find the document under Test Plans & Additional Resources

Got it, thanks!

mathewsl05
New Contributor II

When I log into AppleSeed, this is the page I see, I don't see a downloads tab??

Screenshot 2022-09-14 at 10.45.23 AM.png

sdagley
Honored Contributor III

@mathewsl05 You have to log in to appleseed.apple.com using a Managed Apple ID (using a "regular" Apple ID re-directs you to a different site for Apple developers)

mathewsl05
New Contributor II

Yep, I think I JUST figured that out! Thank you :)

Have you managed to get this working yet @sshort ? I have been trying for a while, without success!

sshort
Valued Contributor

Yes! I finally got it working earlier today. 3 tips:

* Make sure you're running beta 10 or 11 for the profile to consistently work.

* iMazing Profile Editor has a helpful new "Service Management - Managed Login Items" payload template that makes creating a custom profile much easier.

* I had a lot of issues with `BundleIdentifier` as the `RuleType`. I recommend using `LabelPrefix` like my example profile: https://github.com/ducksrfr/mac_admin/blob/master/profiles/approved-background-services.mobileconfig

A-bomb
New Contributor III

I am in there and can't find it. Where it be breh? – NM, didn't see the managed ID. I am good. Thanks for pointing out this whitepaper.

davidi4
Contributor

A JSON would be really nice for this, wink wink Apple/Jamf

alexduffner
New Contributor II

The configuration profile won't work until you sign it and upload it signed to Jamf Pro.

Tested on macOS beta 13 (build 22A5342f). Kudos to Bilal from made.com, he gave me this tip via Mac Admins Slack.

 

You can sign the profile via this command:

/usr/bin/security cms -S -N "<YOUR TEAM ID>" -i "/path/to/file.mobileconfig" -o "/path/to/file-SIGNED.mobileconfig"

Can also use the Hancock app to sign things.

allanp81
Valued Contributor

If this has to be signed first that's a real pain as it means every time you want to change it you're having to upload a new config to Jamf and then set the scope etc. and unscope the existing profile.

awginger
Contributor

Agreed on the signing piece, I have signed our profile now and uploaded to Jamf. Apparently the GUI feature will be coming in a future release of Jamf, so we just have to stick with it for now.

auser
New Contributor III

Do you know if this will be before the OS releases?

sdagley
Honored Contributor III

@auser I wouldn't bet on it given that we're less than 30 days from the release of macOS Ventura (based on Apple's mention at the event earlier this month that it will be released in October)

auser
New Contributor III

Is there an easy way to just block all the items?

scottb
Honored Contributor

@auser - yes you can.  Just built this one and it works so far...installed some test software and no notifications.

BTW, this is a great page for understanding this mess...he should do Apple's docs!

Login Items Management  @n8felton did the work.  👍

 

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>NotificationSettings</key>
			<array>
				<dict>
					<key>BundleIdentifier</key>
					<string>com.apple.BTMNotificationAgent</string>
					<key>NotificationsEnabled</key>
					<false/>
				</dict>
			</array>
			<key>PayloadIdentifier</key>
			<string>com.apple.notificationsettings.12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadType</key>
			<string>com.apple.notificationsettings</string>
			<key>PayloadUUID</key>
			<string>12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadDisplayName</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.notificationsettings.5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

   

Macweazle
New Contributor III

For those who don't want to hand-craft - iMazing Profile Editor can be helpful. Doesn't help with scoping :)

allanp81
Valued Contributor

Thanks, certainly made it easier using iMazing Profile Editor, just a pain you have to manually sign and then upload each time though, especially while you're testing.

user-MygFNHEclO
New Contributor

Has anyone got a real world example of a config profile they can share please?

Here is a part of my array, but the whole thing is under NDA, because of its beta status.

For details on the profile see Apple Developer Documentation (Apple SEED, mentioned earlier in this thread).

<array>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>EQHXZ8M8AV</string>
    <key>Comment</key>
    <string>Google Inc.</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>S272Y5R93J</string>
    <key>Comment</key>
    <string>Citrix Systems, Inc.</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>9GQZ7KUFR6</string>
    <key>Comment</key>
    <string>Nudge</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>483DWKW443</string>
    <key>Comment</key>
    <string>Jamf Software</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>UBF8T346G9</string>
    <key>Comment</key>
    <string>Microsoft Corporation</string>
  </dict>
</array>

  

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Test Payload for Background Service Management</string>
            <key>PayloadDisplayName</key>
            <string>Background Service Management Test</string>
            <key>PayloadIdentifier</key>
            <string>com.example.56EE8C1E-9C20-483B-AD0E-9558E6091035.privacy.04102481-C1F1-44F2-B548-E0B554890493</string>
            <key>PayloadUUID</key>
            <string>A9BF8FA9-CEA3-42A2-B8C1-E1998B84CBB0</string>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
            <key>PayloadOrganization</key>
            <string>Example Org</string>
            <key>Rules</key>
            <array>
                <dict>
                    <key>RuleType</key>
                    <string>BundleIdentifier</string>
                    <key>RuleValue</key>
                    <string>com.symantec.wssa.ui</string>
                    <key>Comment</key>
                    <string>Example bundle identifier</string>
                </dict>
                <dict>
                    <key>RuleType</key>
                    <string>BundleIdentifierPrefix</string>
                    <key>RuleValue</key>
                    <string>com.example</string>
                    <key>Comment</key>
                    <string>Example bundle identifier prefix</string>
                </dict>
                <dict>
                    <key>RuleType</key>
                    <string>Label</string>
                    <key>RuleValue</key>
                    <string>com.example.label</string>
                    <key>Comment</key>
                    <string>Example label</string>
                </dict>
                <dict>
                    <key>RuleType</key>
                    <string>LabelPrefix</string>
                    <key>RuleValue</key>
                    <string>com.example</string>
                    <key>Comment</key>
                    <string>Example label prefix</string>
                </dict>
                <dict>
                    <key>RuleType</key>
                    <string>TeamIdentifier</string>
                    <key>RuleValue</key>
                    <string>TeamID</string>
                    <key>Comment</key>
                    <string>Example Team ID</string>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Background Service Configuration Profile</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.servicemanagement.4DB96276-2310-44C2-AE11-C6E761FB0304.privacy</string>
    <key>PayloadUUID</key>
    <string>79E2E390-641B-41FC-B11D-9DF6CAC71EE8</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadScope</key>
    <string>System</string>
</dict>
</plist>
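
An added example, not part of any post in this thread and not Apple's or Jamf's code: a pre-flight check to run on a `com.apple.servicemanagement` profile before signing and uploading it. It lints the rules against the five `RuleType` values shown above and lists which deployed background items no rule covers; the sample rules, the inventory labels and the exact/prefix matching semantics are assumptions made for illustration.

```python
import plistlib
import re

# RuleType values shown in this thread -> (inventory field, prefix match?)
FIELD = {"BundleIdentifier": ("bundle_id", False), "Label": ("label", False),
         "BundleIdentifierPrefix": ("bundle_id", True), "LabelPrefix": ("label", True),
         "TeamIdentifier": ("team_id", False)}
TEAM_ID = re.compile(r"[A-Z0-9]{10}")  # Team IDs are 10 alphanumeric characters
# Constructed sample: two usable rules, a leftover placeholder, a misspelled type.
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.servicemanagement", "Rules": [
        {"RuleType": "LabelPrefix", "RuleValue": "com.example"},
        {"RuleType": "TeamIdentifier", "RuleValue": "483DWKW443"},
        {"RuleType": "TeamIdentifier", "RuleValue": "TeamID"},
        {"RuleType": "LabelPrefx", "RuleValue": "org.example"},
    ]}]})
INVENTORY = [{"label": "com.example.agent.daemon"}, {"label": "org.example.helper"},
             {"label": "net.vendor.endpoint", "team_id": "483DWKW443"}]  # constructed

def load_rules(data):
    # Collect Rules from every com.apple.servicemanagement payload in the profile.
    payloads = plistlib.loads(data).get("PayloadContent", [])
    return [r for p in payloads if p.get("PayloadType") == "com.apple.servicemanagement"
            for r in p.get("Rules", [])]

def lint_rules(rules):
    problems = []
    for i, rule in enumerate(rules):
        rtype, value = rule.get("RuleType"), rule.get("RuleValue", "")
        if rtype not in FIELD:
            problems.append(f"rule {i}: unknown RuleType {rtype!r}")
        elif not value or re.search(r"\s", value):
            problems.append(f"rule {i}: empty or whitespace in RuleValue {value!r}")
        elif rtype == "TeamIdentifier" and not TEAM_ID.fullmatch(value):
            problems.append(f"rule {i}: {value!r} is not a 10-character Team ID")
    return problems

def is_covered(item, rules):
    # Assumed semantics: exact match, or startswith() for the *Prefix types.
    for rule in rules:
        field, prefix = FIELD.get(rule.get("RuleType"), (None, False))
        have, want = item.get(field), rule.get("RuleValue", "")
        if have and want and (have == want or (prefix and have.startswith(want))):
            return True
    return False

def uncovered(inventory, rules):
    return [item["label"] for item in inventory if not is_covered(item, rules)]

print(lint_rules(load_rules(SAMPLE)), uncovered(INVENTORY, load_rules(SAMPLE)))
```
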

 

A-bomb
New Contributor III

Turns out it's actually pretty easy. I added it to our existing muted notifications as an application under Configuration Profiles > Application & Custom Settings > External Applications. Works like a charm! (XML at the bottom.) Yes, I know there is now a notifications section in JSS.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NotificationSettings</key>
    <array>
        <dict>
            <key>BundleIdentifier</key>
            <string>com.apple.btmnotificationagent</string>
            <key>NotificationsEnabled</key>
            <false/>
            <key>AlertType</key>
            <integer>0</integer>
            <key>ShowInLockScreen</key>
            <false/>
            <key>ShowInNotificationCenter</key>
            <false/>
            <key>BadgesEnabled</key>
            <false/>
            <key>SoundsEnabled</key>
            <false/>
        </dict>
    </array>
</dict>
</plist>

 

auser
New Contributor III

Does this block all background apps notices from coming up? 

A-bomb
New Contributor III

I did some testing yesterday, and it seems to be independent.

Baravis
New Contributor III

There's a step missing here: which source did you choose for your external application? :)

A-bomb
New Contributor III

Sorry. It's the Custom Schema used for the other 18 in place already. Schema at the bottom.

External Applications > Source > Custom Schema:

{
  "title": "macOS Notifications (com.apple.notificationsettings)",
  "description": "This payload specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later. https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page=57 https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem",
  "__feedback": "bill@talkingmoose.net",
  "properties": {
    "NotificationSettings": {
      "title": "Applications",
      "description": "Specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later.",
      "property_order": 10,
      "type": "array",
      "items": {
        "title": "Application",
        "type": "object",
        "properties": {
          "BundleIdentifier": {
            "title": "Bundle Identifier",
            "description": "Required. Bundle identifier of app to which to apply these notification settings.",
            "type": "string"
          },
          "NotificationsEnabled": {
            "title": "Allow Notifications from App",
            "description": "Optional. Whether notifications are allowed for this app. Default is true.",
            "type": "boolean"
          },
          "AlertType": {
            "title": "App Alert Style",
            "description": "Optional. The type of alert for notifications for this app.",
            "type": "integer",
            "options": {
              "enum_titles": [
                "None",
                "Banners",
                "Alerts"
              ]
            },
            "enum": [
              0,
              1,
              2
            ]
          },
          "ShowInLockScreen": {
            "title": "Show In Lock Screen",
            "description": "Optional. Whether notifications can be shown in the lock screen. Default is true.",
            "type": "boolean"
          },
          "ShowInNotificationCenter": {
            "title": "Show In Notification Center",
            "description": "Optional. Whether notifications can be shown in notification center. Default is true.",
            "type": "boolean"
          },
          "BadgesEnabled": {
            "title": "Badges Enabled",
            "description": "Optional. Whether badges are allowed for this app. Default is true.",
            "type": "boolean"
          },
          "SoundsEnabled": {
            "title": "Sounds Enabled",
            "description": "Optional. Whether sounds are allowed for this app. Default is true.",
            "type": "boolean"
          }
        },
        "required": [
          "BundleIdentifier",
          "NotificationsEnabled",
          "AlertType",
          "ShowInLockScreen",
          "ShowInNotificationCenter",
          "BadgesEnabled",
          "SoundsEnabled"
        ]
      }
    }
  }
}