Posted on 09-26-2019 07:55 PM
On Catalina, every app is asking if you would like to allow or deny notifications and it gets annoying especially after you first upgraded to Catalina.
My question is, is there a way to whitelist or force allow the notification from a config profile or policy in Jamf? I would like to know if it is possible to allow the notifications for certain company-approved applications. Or is this not something the admin 'should' control?
Thanks
Posted on 09-27-2019 12:25 AM
You can use an MCX configuration profile to hide notifications for whitelisted apps, which I believe Jamf Pro will accept.
There is no notification option in Jamf Pro yet, so the MCX profile will show as blank once inside Jamf Pro.
Posted on 10-08-2019 02:12 PM
I've started my Catalina testing and have noticed this as well.
I'm not familiar with MCX configuration profiles - would you happen to have an example of how one would whitelist an application so that notifications are automatically approved?
Posted on 10-08-2019 02:25 PM
Check out ProfileCreator, you can visit the Notifications payload under the macOS category to pre-approve your notifications settings. Just be aware that you're setting this for your users, and they cannot adjust it later on. My org will cover our base apps like Self Service/Sophos/Office/etc, but leave it up to each user to determine the notification settings for their self-installed apps.
I don't remember where I found this example to control Office app notifications, maybe the macadmins slack?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.Word</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.Excel</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.Powerpoint</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.Outlook</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.onenote.mac</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.OneDrive</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.OneDrive-mac</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.autoupdate.fba</string>
<key>CriticalAlertEnabled</key>
<true/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>MCXToProfile.67ad2621-b510-4060-b171-7f7cf53517c9.alacarte.customsettings.c00e172d-4cb4-4631-8fd4-c7fa866efc00</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>c11e572d-4cb4-4231-8fd5-c7f6776efc00</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Set Office notifications</string>
<key>PayloadDisplayName</key>
<string>Set Office notifications</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.office.notifications</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>67be2621-b511-4220-b971-7f7cf56506c9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Posted on 10-08-2019 03:08 PM
Went through this exercise today. You have two options at the moment:
1) Do as mentioned above with the ProfileCreator project. You can whitelist all of the apps in your org that you want your users to not have to click accept for. The caveat is, your users are locked into those settings you set on your end. Meaning if your users want some level of privacy for their needs (turn off notifications from Slack while screen is locked), they are locked into what you deployed to them.
2) Do nothing and just warn your users ahead of time about the notifications.
I personally don't like either option. The overabundance of notifications about notifications permissions is a security concern for me. Being overly chatty for each permission annoys users to the point where they may just blindly click accept on any window that pops up. Rather than have one window with multiple permissions the app is requesting (and allowing users to uncheck a permission they don't want), Apple is training users to just click Accept out of the need to just get back to using their Mac.
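Because a deployed Notifications payload locks every setting it carries, it helps to review a profile for lock-screen exposure and critical alerts before scoping it. The following is an added example, not code from any poster in this thread: the function name, flag names and sample profile are constructed for illustration, and missing keys are treated as enabled or disabled according to defaults that are an assumption here.

```python
import plistlib

ALERT_TYPES = {0: "none", 1: "temporary banner", 2: "persistent banner"}

# Constructed sample profile for this example (not a profile from the thread).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.notificationsettings</string>
  <key>NotificationSettings</key><array>
    <dict><key>BundleIdentifier</key><string>com.example.mail</string>
      <key>AlertType</key><integer>1</integer>
      <key>ShowInLockScreen</key><true/></dict>
    <dict><key>BundleIdentifier</key><string>com.example.updater</string>
      <key>AlertType</key><integer>2</integer>
      <key>ShowInLockScreen</key><false/>
      <key>CriticalAlertEnabled</key><true/></dict>
    <dict><key>BundleIdentifier</key><string>com.example.mail</string>
      <key>NotificationsEnabled</key><false/></dict>
  </array></dict></array>
</dict></plist>"""

def audit_notification_profile(data):
    """Return one record per app entry, with flags a reviewer should look at."""
    profile = plistlib.loads(data)
    seen, report = set(), []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.notificationsettings":
            continue  # ignore any other payload types in the same profile
        for app in payload.get("NotificationSettings", []):
            # Assumed defaults for absent keys: enabled, lock screen on, critical off.
            bundle_id = app.get("BundleIdentifier", "")
            enabled = app.get("NotificationsEnabled", True)
            flags = []
            if not bundle_id:
                flags.append("missing-bundle-id")
            if bundle_id in seen:
                flags.append("duplicate-entry")
            seen.add(bundle_id)
            if enabled and app.get("ShowInLockScreen", True):
                flags.append("visible-on-lock-screen")
            if enabled and app.get("CriticalAlertEnabled", False):
                flags.append("critical-alerts")
            alert = ALERT_TYPES.get(app.get("AlertType", 1), "unknown")
            report.append({"bundle_id": bundle_id, "enabled": enabled,
                           "alert": alert, "flags": flags})
    return report

if __name__ == "__main__":
    print(*audit_notification_profile(SAMPLE_PROFILE), sep="\n")
```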
Posted on 10-09-2019 06:38 AM
Thanks for the responses - I will take a look at the profile, but agree that locking users into a common set is not the best as optional applications can vary per device.
Is it possible to do a one time defaults write/plist buddy command to whitelist initial applications without locking the settings via a MDM profile?
Posted on 10-09-2019 08:16 AM
Fun fact, if you apply a notifications payload to a non-10.15 machine, it will report iOS only.
Posted on 10-09-2019 08:20 AM
@sshort what preference domain do you use for the o365 notifications?
Posted on 10-09-2019 08:26 AM
@jwojda The overall payload identifier is com.microsoft.office.notifications, but you have to set each app identifier, which may be good or annoying based on your situation.
com.microsoft.Word
com.microsoft.Excel
com.microsoft.Powerpoint
com.microsoft.Outlook
com.microsoft.onenote.mac
com.microsoft.OneDrive
com.microsoft.OneDrive-mac
com.microsoft.autoupdate.fba
Posted on 10-09-2019 09:01 AM
Hmm, I set that, but it doesn't seem to work (?). Nothing shows up in sys pref > notifications for the Office stuff, and when I launch Outlook it still asks if I want to.
When I did NoMAD it remains there, but greyed out.
Edit: worked when I added each bundle individually to the notifications payload.
Thank you!
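As the posts above found, the payload needs one NotificationSettings entry per bundle identifier. The following is an added example, not code from this thread or from the script linked later in it: it builds such a profile from a list of bundle IDs, with per-app overrides. The function name, the default values (lock screen off) and the com.example identifier are assumptions chosen for illustration.

```python
import plistlib
import re
import uuid

BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9.-]+$")

# Per-app defaults chosen for this example: banners on, lock screen off.
DEFAULTS = {
    "AlertType": 1, "BadgesEnabled": True, "CriticalAlertEnabled": False,
    "GroupingType": 0, "NotificationsEnabled": True,
    "ShowInLockScreen": False, "ShowInNotificationCenter": True,
    "SoundsEnabled": True,
}

def build_notification_profile(bundle_ids, identifier, display_name, overrides=None):
    """Return .mobileconfig bytes with one settings entry per bundle ID."""
    overrides = overrides or {}
    entries = []
    for bundle_id in dict.fromkeys(bundle_ids):  # drop duplicates, keep order
        if not BUNDLE_ID_RE.match(bundle_id):
            raise ValueError(f"not a bundle identifier: {bundle_id!r}")
        entries.append({**DEFAULTS, **overrides.get(bundle_id, {}),
                        "BundleIdentifier": bundle_id})
    payload = {
        "PayloadType": "com.apple.notificationsettings",
        "PayloadIdentifier": f"{identifier}.notificationsettings",
        "PayloadUUID": str(uuid.uuid4()).upper(),  # fresh UUID on every build
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "NotificationSettings": entries,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadDisplayName": display_name,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":
    ids = ["com.microsoft.Word", "com.microsoft.Outlook"]
    print(build_notification_profile(
        ids, "com.example.notifications", "Office notifications").decode())
```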
Posted on 10-09-2019 09:22 AM
Posted on 10-09-2019 09:28 AM
I put together a How To article for the new Catalina Application Notification Banners. I will show you how to test, troubleshoot and manage Application Notifications.
https://mrmacintosh.com/how-to-manage-catalinas-new-application-notifications-with-a-profile/
Posted on 10-25-2019 01:04 PM
Anyone know the PPPC or Config profile settings to auto allow Self Service management notifications? I've attached a screenshot, thanks
Posted on 10-25-2019 01:09 PM
@B-35405 I just added the dict entry below to alleviate that prompt:
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.jamfsoftware.Management-Action</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
Posted on 12-02-2019 08:13 PM
Hi @B-35405, here is where Management Action application is located
If you use the script provided here https://gist.github.com/talkingmoose/9faf50deaaefafa9a147e48ba39bb4b0 by William Smith (AKA Talking Moose) you should be able to create a Configuration Profile to handle the "Management Action" Notification. I just saved it locally and then renamed it as the script gives the same name each time for the Configuration Profile - "Managed Notifications.mobileconfig". I just add the thing being managed to the name so in this case it becomes "Management Action - Managed Notifications.mobileconfig"
Then of course you upload it to the Jamf Pro server. Note that you won't see a payload as Jamf Pro doesn't currently handle the display of the Notifications. Give the Configuration Profile a name ... maybe again "Management Action - Managed Notifications", scope it and save it. Then check on a machine in scope and you should see the settings in play and not able to be changed. You should also see the new Configuration Profile in System Preferences > Configuration Profiles
Posted on 12-11-2019 04:20 PM
Please upvote a feature request:
Posted on 01-10-2020 09:12 AM
Hello,
Please, should we push this configuration profile using Computer or User level?
Because when using talkingmoose / Manage App Notifications.bash (I take this opportunity to say thank you for this script which helps us a lot), when I upload the .mobileconfig file in Jamf, scope it, Computer Level, and save it, everything is ok and on the computer, I can see the profile in System Preferences > Profiles but I still have the notifications that appear and I can't see the applications appear in the Notifications pane...
Thanks for your help