Too many App notification permissions on Catalina

sychow
New Contributor

On Catalina, every app is asking if you would like to allow or deny notifications and it gets annoying especially after you first upgraded to Catalina.

My question is, is there a way to whitelist or force allow the notification from a config profile or policy in Jamf? I would like know if it is possible to allow the notifications for certain company approve applications. Or this is not something the admin 'should' control?

Thanks

16 REPLIES 16

Cayde-6
Release Candidate Programs Tester

You can use an MCX configuration profile to hide notifications for whitelisted apps which I believe Jamf pro will accept.

There is no notification option in Jamf pro yet so the MCX profile will show as blank once inside Jamf pro.

mnickels
New Contributor III

I've started my Catalina testing and have noticed this as well.

I'm not familiar with MCX configuration profiles - would you happen to have an example of how one would whitelist an application so that notifications are automatically approved?

sshort
Valued Contributor

Check out ProfileCreator, you can visit the Notifications payload under the macOS category to pre-approve your notifications settings. Just be aware that you're setting this for your users, and they cannot adjust it later on. My org will cover our base apps like Self Service/Sophos/Office/etc, but leave it up to each user to determine the notification settings for their self-installed apps.

I don't remember where I found this example to control Office app notifications, maybe the macadmins slack?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>NotificationSettings</key>
            <array>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.Word</string>
                    <key>CriticalAlertEnabled</key>
                    <false/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.Excel</string>
                    <key>CriticalAlertEnabled</key>
                    <false/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.Powerpoint</string>
                    <key>CriticalAlertEnabled</key>
                    <false/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.Outlook</string>
                    <key>CriticalAlertEnabled</key>
                    <false/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.onenote.mac</string>
                    <key>CriticalAlertEnabled</key>
                    <false/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.OneDrive</string>
                    <key>CriticalAlertEnabled</key>
                    <false/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.OneDrive-mac</string>
                    <key>CriticalAlertEnabled</key>
                    <false/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
                <dict>
                    <key>AlertType</key>
                    <integer>2</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.microsoft.autoupdate.fba</string>
                    <key>CriticalAlertEnabled</key>
                    <true/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
            </array>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.67ad2621-b510-4060-b171-7f7cf53517c9.alacarte.customsettings.c00e172d-4cb4-4631-8fd4-c7fa866efc00</string>
            <key>PayloadType</key>
            <string>com.apple.notificationsettings</string>
            <key>PayloadUUID</key>
            <string>c11e572d-4cb4-4231-8fd5-c7f6776efc00</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Set Office notifications</string>
    <key>PayloadDisplayName</key>
    <string>Set Office notifications</string>
    <key>PayloadIdentifier</key>
    <string>com.microsoft.office.notifications</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>67be2621-b511-4220-b971-7f7cf56506c9</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

dmarcnw
New Contributor III

Went through this exercise today. You have two options at the moment:

1) Do as mentioned above with the ProfileCreator project. You can whitelist all of the apps in your org that you want your users to not have to click accept for. The caveat is, your users are locked into those settings you set on your end. Meaning if your users want some level of privacy for their needs (turn off notifications from Slack while screen is locked), they are locked into what you deployed to them.

2) Do nothing and just warn your users ahead of time about the notifications.

I personally don't like either option. The over abundance of notifications about notifications permissions is a security concern for me. Being overly chatty for each permission annoys user to the point where they may just blindly click accept on any window that pops up. Rather than have one window with multiple permissions the app is requesting (and allowing users to uncheck a permission they don't want), Apple is training users to just click Accept out of the need to just get back to using their Mac.

mnickels
New Contributor III

Thanks for the responses - I will take a look at the profile, but agree that locking users into a common set is not the best as optional applications can vary per device.

Is it possible to do a one time defaults write/plist buddy command to whitelist initial applications without locking the settings via a MDM profile?

jwojda
Valued Contributor II

Fun fact, if you apply a notifications payload to a non-10.15 machine, it will report iOS only.

jwojda
Valued Contributor II

@sshort what preference domain do you use for the o365 notifications?

sshort
Valued Contributor

@jwojda The overall payload identifier is com.microsoft.office.notifications, but you have to set each app identifier, which may be good or annoying based on your situation.

com.microsoft.Word
com.microsoft.Excel
com.microsoft.Powerpoint
com.microsoft.Outlook
com.microsoft.onenote.mac
com.microsoft.OneDrive
com.microsoft.OneDrive-mac
com.microsoft.autoupdate.fba

jwojda
Valued Contributor II

Hmm, I set that, but it doesn't seem to work (?) nothing shows up in sys pref > notifications for the office stuff, and when I launch outlook it still asks if I want to.

When I did NoMAD it remains there, but greyed out.

Edit: worked when I added each bundle individually to the notifications payload.
Thank you!

joelsenders
New Contributor III

ClassicII
Contributor III

I put together a How To article for the new Catalina Application Notification Banners. I will show you how to test, troubleshoot and manage Application Notifications.

https://mrmacintosh.com/how-to-manage-catalinas-new-application-notifications-with-a-profile/

B-35405
Contributor

Anyone know the PPPC or Config profile settings to auto allow Self Service management notifications? I've attached a screenshot, thanks
2f2ccf6ffdb14886be9b915a2ab0aedd

cstout
Contributor III
Contributor III

@B-35405 I just added the dict entry below to alleviate that prompt:

                    <dict>
                        <key>AlertType</key>
                        <integer>1</integer>
                        <key>BadgesEnabled</key>
                        <true/>
                        <key>BundleIdentifier</key>
                        <string>com.jamfsoftware.Management-Action</string>
                        <key>CriticalAlertEnabled</key>
                        <false/>
                        <key>NotificationsEnabled</key>
                        <true/>
                        <key>ShowInLockScreen</key>
                        <true/>
                        <key>ShowInNotificationCenter</key>
                        <true/>
                        <key>SoundsEnabled</key>
                        <true/>
                    </dict>

dlondon
Valued Contributor

Hi @B-35405, here is where Management Action application is located
2bc873bd05114a4a8391b56170058d45

If you use the script provided here https://gist.github.com/talkingmoose/9faf50deaaefafa9a147e48ba39bb4b0 by William Smith (AKA Talking Moose) you should be able to create a Configuration Profile to handle the "Management Action" Notification. I just saved it locally and then renamed it as the script gives the same name each time for the Configuration Profile - "Managed Notifications.mobilconfig". I just add the thing being managed to the name so in this case it becomes "Management Action - Managed Notifications.mobilconfig"

Then of course you upload it to the Jamf Pro server. Note that you won't see a payload as Jamf Pro doesn't currently handle the display of the Notifications. Give the Configuration Profile a name ... maybe again "Management Action - Managed Notifications", scope it and save it. Then check on a machine in scope and you should see the settings in play and not able to be changed. You should also see the new Configuration Profile in System Preferences > Configuration Profiles

daworley
Contributor II

Please upvote a feature request:

glpi-ios
Contributor III

Hello,

Please, should we push this configuration profile using Computer or User level ?

Because when using talkingmoose / Manage App Notifications.bash (I take this opportunity to say thank you for this script which helps us a lot), when I upload the .mobilconfig file in Jamf, scope it, Computer Level, and save it, everything is ok and on the computer, I can see the profile in System Preferences> Profiles but I still have the notifications that appear and I can't see applications appeared in Notifications pane...

Thanks for your help