Jamf Nation Community

I found it somewhere a long time ago. bill@talkingmoose.net built it. The credit is in the code. You can just copy the code above from the first { to the last }

Oh I see it there.  Well thanks, Bill.  I did copy it, and it's working great, thanks a million. :)

How are you deploying your com.apple.servicemanagement profile?  I'm thinking I can just use Applications & Custom Settings -> Upload

I'm actually not using com.apple.servicemanagement at all. Just the one I posted.

Ah, gotcha!  You’re not concerned that users will just unmanage themselves by turning off the Jamf launch agent?

We only have about 25 admins out of over 800 users so the possiblity is very small. I watch the hell out of them and tighten the rope when they get out of line, which doesn't happen often. We can lock a machine as a last resort for compliance which we have only done once in over two years.

Oh cool.  Every org is just a bit different, hey?  Well, just wanted to check. :D  Thanks a ton for the content.

I just want to point out that a non-admin may still be able to disable certain LaunchAgents critical to management (at least in my testing), just be sure to test toggle all items in your environment if it's a concern to you.  

Also, thanks @A-bomb for your notification suppression config!  I've decided to double down and employ it along with our login & background item management profile.

Thanks for the heads up. I admit not testing every one but will today. Glad you are having success with the suppression. I have been considering both as well. 

Only Jamf Software (2 items) can be toggled off without admin. Thank God. I am going to work on whitelisting those as detailed on this thread. Thanks again.

No problem!  Yeah, going out on a limb here, you might not want a standard user willy nilly disabling anything Jamf haha! 😉  fwiw, a couple I ran into were from Outset, Munki, and Zoom.

@A-bomb - Do you know whether it's possible to disable these notifications by application path rather that bundle ID?

What I posted disables all of the new login and background items added notifications in Ventura. I don’t see the point of having those in our environment. What others have posted here is for specific login or background items. Application path is not recommended and never worked for us. Only using bundle ID did. It can be kind of a pain in the ass to get the bundle ID but once you get it and use it, you can forget about it.. 

Agreed, Bundle IDs are a nuisance.  This is how I derive mine.  You can either derive it from the app's Info.plist, using the commands below (location may vary, but should be in the *.app contents):

/usr/libexec/PlistBuddy -c 'print CFBundleIdentifier' /Applications/<application>.app/Contents/Info.plist 

or, sometimes in the codesign output, where you can also find the TeamIdentifier:

codesign -dr - /path/to/Application.app

Example:

(Commands in green, BundleIDs in yellow, TeamIdentifiers in red)

I am still looking for a solid solution to this issue. 

The popups are consent on macOS13.2 

@A-bomb is your configuration profile working to stop these in your environment? 
I replicated it on my JAMF instance and the issues persist. 

@bcrockett  You now have two choices.  Either 1) create a mobile config and upload it to Jamf Pro, or 2) use the new Managed Login Items in Jamf Pro 10.43.1.

I have been using the uploaded mobile config method with no issues to date and will be testing the new payload soon. 

Same.  Report back on the Jamf solution if you test.  I will be soon, but we'll see which one is best for ongoing work...

@jbutler47 I got this working using the new Managed Login Items!

I will share a more detailed config soon for now I have a screenshot of my config page. 

Have not looked at it yet, but that looks great!  Thanks for posting it up.  Have to add some new items so good time to check it out.

This has worked since it was posted...still works.

Login Items Management

Thank you for sharing that! 

I actually posted waaaaaaay back the profile code i used based off of that page.

It works.  Check it out and see!

Thank you, this worked as I'd already added the custom Schema from here: https://www.alansiu.net/2021/01/13/managing-macos-notification-center-settings-using-a-jamf-profile/

This is great. Can you post your code here? I can't get this to work.

You're looking for my launch agent enforcement code, specifically?  I think it's under NDA, but if you're on Slack I can send you a copy?

That would be sweet @A-bomb

Look at this beauty. Thanks again for your help @Baravis 

Do you find that the notifications for these background items suppress also? 

I do find that, yes.  Supposedly I should be seeing a “your organization is managing login items” pop-up, also, but I’ve yet to see that either.

I just did some testing on my MBA M1 running macOS 13 b11. Approving Login/Background Items does not suppress the notifications. Two separate Configuration Profiles are needed to achieve both. I was able to repeat this a few times too. I haven't seen “your organization is managing login items” either.

I’ll have to recheck my Apple Silicon test unit then, thanks for the heads up!

Hmmm. I thought that was how it functioned in the beginning. Maybe a bug in the beta. What are you deploying for the notifications? 

At present, nothing.  Notifications haven’t been popping up in my tests with the login item enforcement configuration profile in place.  I have to double check my tests, but I’ve been seeing 0 notifications on my Intel device.

They weren't popping up but rather sitting in Notification Center. When I applied the allow profile we worked on yesterday they stayed in there but when I applied the notification mute I posted here they immediately disappeared.

Hello @A-bomb , 
How did you manage to get "uninstall" and "install_monitor" disabled. I also have "bash",  "killall" and "Jamf Connect" showing as toggable. All scripts and applications with TeamID´s are disabled on my test-system but still have some unix-binaries showing as toggable. 

I used "sudo sfltool dumpbtm" to find all the Labels and Executable path´s I needed to block

I found then issues of the non-blocked items. I missed some custom LaunchDaemons / Agents Labels

And I was able to shut down Jamf Connect as a standard user until I added a new Label with "com.jamf.connect" in the profile.

The same was done for "uninstall" and "install_monitor" so now my panel is locked for all items I need to lock.

I'm sorry, I'm having a hard time understanding - can you clarify how you got "uninstall" and "install_monitor" locked?  Those are the last two that I've been having trouble with.  I can't seem to find a way to put them into a profile. Did you just use the path to them?  If so, is that considered a label, or something else?   (I'm using iMazing Profile Editor).  Thank you!