Jamf Nation Community

I've only been administrating Macs for a year, but there is a general feel I've been getting. Things like users should be in control of the devices they use. The user should be comfortable using their device. With things like not having a replacement for a Firmware Password on M1 devices really shows Apple has not been thinking about businesses managing Macs until people put them on blast.

Hey Fluffy,
There are ways to set the recovery lock on the M1s right now, I am not using them though. I'm waiting for Jamf to drop their supported version but there are ways if you really need it.
https://community.jamf.com/t5/jamf-pro/anyone-using-the-m1-quot-set-recovery-lock-quot-command/m-p/2... 
https://gingerscripting.com/setting-an-apple-silicon-recovery-lock-password-through-the-jamf-api/ 

I get the sentiment all the time from employee's they want to install their own apps and be their own admins. The problem with that is they either A) Can barely use the Mac or B) Know just enough to get in trouble. 

Each upgrade now since Catalina they've been making it harder and harder to Administer over the macs. I completely understand the user of the mac's experience should come first and their privacy but we need to make it as easy and secure for them as possible to do their job. Apple's probably working on their own MDM solution, watch it have the power to do everything.

Because there are still an increasing number of items that even admins cannot change when managed via MDM and giving everyone a standard user account heavily increases administrative burden on IT.

Do you have a link?

@PhillyPhoto If you don't have access to AppleSeed then a link wouldn't be useful, and if you do have access you'll know where to find the document @sshort referenced.

I don't use it that much, but I do have access but can't find anything that has PDFs.

@PhillyPhoto Go to the Downloads tab after logging in to AppleSeed and you'll find the document under Test Plans & Additional Resources

Got it, thanks!

When I log into AppleSeed, this is the page I see, I dont see a downloads tab??

@mathewsl05 You have to log in to appleseed.apple.com using a Managed Apple ID (using a "regular" Apple ID re-directs you to a different site for Apple developers)

Yep, I think I JUST figured that out! Thank you :)

Have you managed to get this working yet @sshort ? I have been trying for a while, without success!

Yes! I finally got it working earlier today. 3 tips:

* Make sure you're running beta 10 or 11 for the profile to consistently work.

* iMazing Profile Editor has a helpful new "Service Management - Managed Login Items" payload template that makes creating a custom profile much easier.

* I had a lot of issues with `BundleIdentifer` as the `RuleType`. I recommend using `LabelPrefix` like my example profile: https://github.com/ducksrfr/mac_admin/blob/master/profiles/approved-background-services.mobileconfig

I am in there and can't find it. Where it be breh? – NM, didn't see the managed ID. I am good. Thanks for pointing out this whitepaper.

can also use the Handcock app to sign things

Do know if this will before the OS releases? 

@auser I wouldn't bet on it given that we're less than 30 days from the release of macOS Ventura (based on Apple's mention at the event earlier this month that it will be released in October)

is there a easy way to just block all the items? 

@auser - yes you can.  Just built this one and it works so far...installed some test software and no notifications.

BTW, this is a great page for understanding this mess...he should do Apple's docs!

Login Items Management  @n8felton did the work.  👍

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>NotificationSettings</key>
			<array>
				<dict>
					<key>BundleIdentifier</key>
					<string>com.apple.BTMNotificationAgent</string>
					<key>NotificationsEnabled</key>
					<false/>
				</dict>
			</array>
			<key>PayloadIdentifier</key>
			<string>com.apple.notificationsettings.12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadType</key>
			<string>com.apple.notificationsettings</string>
			<key>PayloadUUID</key>
			<string>12c05d0d-6231-4621-9ac6-a781a626951b</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadDisplayName</key>
	<string>Disable Background Task Management Notifications</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.notificationsettings.5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Here is a part of my array, but the whole thing is under NDA, because of it's beta status.

For details on the profile see Apple Developer Documentation (Apple SEED, mentioned earlier in this thread).

<array>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>EQHXZ8M8AV</string>
    <key>Comment</key>
    <string>Google Inc.</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>S272Y5R93J</string>
    <key>Comment</key>
    <string>Citrix Systems, Inc.</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>9GQZ7KUFR6</string>
    <key>Comment</key>
    <string>Nudge</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>483DWKW443</string>
    <key>Comment</key>
    <string>Jamf Software</string>
  </dict>
  <dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>UBF8T346G9</string>
    <key>Comment</key>
    <string>Microsoft Corporation</string>
  </dict>
</array>

Does this block all background apps notices from coming up? 

I did some testing yesterday, and it seems to be independent.

There's a step missing here: which source did you choose for your external application? :)

Sorry. It's the Custom Schema used for the other 18 in place already. Schema at the bottom.

External Applications > Source > Custom Schema:

{
"title": "macOS Notifications (com.apple.notificationsettings)",
"description": "This payload specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later. https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page=57 https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem",
"__feedback": "bill@talkingmoose.net",
"properties": {
"NotificationSettings": {
"title": "Applications",
"description": "Specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later.",
"property_order": 10,
"type": "array",
"items": {
"title": "Application",
"type": "object",
"properties": {
"BundleIdentifier": {
"title": "Bundle Identifier",
"description": "Required. Bundle identifier of app to which to apply these notification settings.",
"type": "string"
},
"NotificationsEnabled": {
"title": "Allow Notifications from App",
"description": "Optional. Whether notifications are allowed for this app. Default is true.",
"type": "boolean"
},
"AlertType": {
"title": "App Alert Style",
"description": "Optional. The type of alert for notifications for this app.",
"type": "integer",
"options": {
"enum_titles": [
"None",
"Banners",
"Alerts"
]
},
"enum": [
0,
1,
2
]
},
"ShowInLockScreen": {
"title": "Show In Lock Screen",
"description": "Optional. Whether notifications can be shown in the lock screen. Default is true.",
"type": "boolean"
},
"ShowInNotificationCenter": {
"title": "Show In Notification Center",
"description": "Optional. Whether notifications can be shown in notification center. Default is true.",
"type": "boolean"
},
"BadgesEnabled": {
"title": "Badges Enabled",
"description": "Optional. Whether badges are allowed for this app. Default is true.",
"type": "boolean"
},
"SoundsEnabled": {
"title": "Sounds Enabled",
"description": "Optional. Whether sounds are allowed for this app. Default is true.",
"type": "boolean"
}
},
"required": [
"BundleIdentifier",
"NotificationsEnabled",
"AlertType",
"ShowInLockScreen",
"ShowInNotificationCenter",
"BadgesEnabled",
"SoundsEnabled"
]
}
}
}
}