Jamf Nation Community

Thank you so much for the quick and thorough reply!  I'm going to try your method first thing tomorrow morning when I'm back in the office. 

Try adding com.jamfsoftware.startupItem as a label or com.jamfsoftware as a label prefix. 

That did the trick!  Thanks!

This is great. Can you post your code here? I can't get this to work.

This thread has two things going on. Locking them like you are referring to and suppressing notifications like I posted about with screenshots and schema. Can you post your XML and domain here?

There are a few options for notification suppression.  A-Bomb's is great for discrete suppression of notifications on apps.  You can take a more nuclear approach and block com.apple.btmnotifications, which is the object that manages login item notifications: Background Task Management Notifications.  You can also use the Notifications Preference Control and adjust to taste.  For example: 

Note that I'm not targeting this against any devices unless it becomes an issue.  Generally speaking, I want users to be notified to make a choice when a login item is added; we're also enforcing a large amount of organizational apps, so for anything beyond our approved software I want users to be able to make that choice.

Just to add to this & food for thought on the nuclear notification blocking approach vs. a focused blocking scheme.  Beyond giving end-users a choice, there's an obvious benefit to allowing this new security mechanism to do its job.  It's entirely possible for a standard user to install something (say DropBox from Self Service... or worse some random malware) that may only drop an agent into ~/Library/LaunchAgents.  If this is the case, it won't be visible from your admin account Sys prefs > General > Login Items.  Whether good or bad in your environment, something like this may go unchecked for some time, especially if there's no user warning.

Can you post your code here? I can't get this to work.

This solves it...

Baravis
My current process order looks like this:
Profile Creation

@jbutler47  This is not my experience.  With the profile in place nothing can be toggled on/off, admin or not.  If you can toggle ALL items as admin, I suspect your profile isn't properly signed.  If it's just a few, you might need to check your xml formatting or maybe try an alternative RuleType for those items.

Concurring with @jonw here, I haven’t been receiving notifications.  In some cases I used both a team identifier and a label prefix.

I find that @Baravis's solution with the image in this thread did a great job.  No notification popped up at all for the login items during the build.  

That looks correct, to me.  Jamf App Installers and Jamf software products are allowed by default.  Anything above and beyond that requires the use of a custom config for managed app installers (https://docs.jamf.com/technical-articles/Uploading_a_Configuration_Profile_for_Managed_Login_Items.h...)

Yep.  Just the one... 👍

It's strange why Apple will post that notification. The user can't do anything about it anyway.

It can be closed with this applescript:

tell application "System Events"
	try
		set _groups to groups of UI element 1 of scroll area 1 of group 1 of window "Notification Center" of application process "NotificationCenter"
		repeat with _group in _groups
			set temp to value of static text 1 of _group
			log temp
			if temp contains "Managed Login Items Added" then
				perform (first action of _group where description is "Close")
			end if
		end repeat
	end try
end tell

Well, Apple is Apple, but users can do something if the items are not locked down...they can potentially turn them off/on unless admins lock them down.  I'm not sure Apple will totally remove all notifications as they are user-centric.

I don't mind that one as I have all mine locked down and notifications are off for all...

Yes, it's just that as part of our enrollment process we install MS Teams (and a few other tools) and after we log user out (to activate FileVault) they login and land on desktop and this 1 weird notification sticks out.

It's not the end of the world, but it annoys me.

If the user at some later point installs some software and the notification is shown, I don't mind. It makes sense (maybe also for the user) that one action led to the other.

But in our enrollment scenario, this single notification stands out.

I get it.  I wish Apple would be user-centric, but when we're using Apple in the enterprise or EDU, let us manage them as we are tasked to do.  They still don't seem to get it, and likely never will.

They keep claiming Apple is Enterprise Centric, but alas, not so much.  

Yeah, I'm still waiting for this to be fixed:
https://community.jamf.com/t5/jamf-pro/big-sur-laptops-skipping-account-creation-during-dep-enrollme...

Hello Michael, How are you running applescript utilizing Jamf?  Thanks

This is the script, I execute:

#!/bin/zsh

# get current user
currentUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ { print $3 }')

runAsUser() {
    if [[ $currentUser != "loginwindow" ]]; then
        uid=$(id -u "$currentUser")
        launchctl asuser $uid sudo -u $currentUser "$@"
    fi
}

removeNotification() {
    runAsUser osascript -e "tell application \"System Events\"
	try
		set _groups to groups of UI element 1 of scroll area 1 of group 1 of window \"Notification Center\" of application process \"NotificationCenter\"
		repeat with _group in _groups
			set temp to value of static text 1 of _group
			log temp
			if temp contains \"Managed Login Items Added\" then
				perform (first action of _group where description is \"Close\")
			end if
		end repeat
	end try
end tell"
}

removeNotification

You may need a Configuration Profile to allow this (I can't remember if this is the case).

Thank you. You are correct regarding the Configuration Profile.  Requiring access to JamfManagementService.  Will work on getting that built, unless you have it handy.

I believe these are what I have set up to allow Jamf to run these commands without asking user for permission:

Thanks !  I utilized iMazing Profile and added Bundle Identifier com.jamf.management.Jamf. If that doesn't do it I will definitely utilize your detail.  Thanks again

@michael_madsen & @PhillyPhoto You can suppress the Managed Login Items Added notifications by deploying a Configuration Profile with a Notifications payload for Bundle ID com.apple.btmnotificationagent setting Critical Alert and Notifications to Disabled (note that this will disable all Managed Login Items Added notifications, not just for items you may have locked via a Managed Login Items payload) :

@Shaun Make sure the LaunchDaemon calling your .sh script has a Label entry in the .plist, and use that name in a Label rule in your Service Management - Managed Login Items payload.

I have a similar situation. We have a LaunchDaemon that runs a shell script. I do have a Label in the plist. It is com.company.thingy. I used iMazing Profile Editor to create a config for all my other apps (I used sfltool dumpbtm to get the bundles for them) and they are all locked in but the launch daemon that shows up in Login Items as "sh" is not locked down. I have the entry in the profile as follows:

Label | com.company.thingy | generic comment 

I can't figure out why it isn't locked down when the signed profile is installed.  Is there something else I'm missing?

Nevermind... I figured it out. I had text in the Team Identifier field. When I removed that extra text and re-applied the profile, it now works.