On Monday, October 24, macOS Ventura was released for all Macs since 2017. Ventura brings a lot of new features and improvements. One in particular is of interest to us today: the new login and background item management feature. It helps users see what is running in the background of their Mac; the invisible becomes visible 👻.
In this article, we will see how we can manage this new feature with Workspace ONE UEM.
Login and Background Item in a nutshell
This new setting allows users to keep control over which applications or processes can run in the background. Each application that needs this functionality can notify the user that the application can run in the background. From an MDM provider's perspective, this functionality gives their applications the ability to assess device compliance, install applications or send push notifications. If we give users the ability to disable this feature, they will seize it and we risk losing some management capabilities.
With Apple's new capabilities, administrators can now manage login and background items in System Settings > General > Login Items.

Mute the notifications panel
If during your testing you see a lot of notifications such as "The software of 'Editor's name' has added items that may run in the background" and so on, and you don't want your users to see this when they first log in to macOS Ventura, follow the step below:

You can disable these notifications by using a configuration profile with the "Notification settings" payload. With Workspace ONE UEM, you can restrict the bundle ID com.apple.btmnotificationagent to do this.

Your users will no longer be overwhelmed by Login and Background Item notifications!
How to manage Login and Background Item
Now that we can suppress the Login and Background Item notifications, we can go further and see how to prevent users from disabling these items and keep control of our Mac fleet.
Workspace ONE UEM doesn't yet provide the capability to manage this through the new configuration profile DDUI, but you can manage it with the Custom Settings payload.
In the VMware sample code on GitHub (https://github.com/vmware-samples/euc-samples/tree/master/UEM-Samples), you can find what is needed to prevent users from disabling the background items that come with Intelligent Hub.
<dict>
    <key>Rules</key>
    <array>
        <dict>
            <key>RuleType</key>
            <string>TeamIdentifier</string>
            <key>RuleValue</key>
            <string>V4Y7PP8KCJ</string>
            <key>Comment</key>
            <string>WS1 Assist</string>
        </dict>
        <dict>
            <key>RuleType</key>
            <string>TeamIdentifier</string>
            <key>RuleValue</key>
            <string>S2ZMFGQM93</string>
            <key>Comment</key>
            <string>WS1 Intelligent Hub</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Payload for Background Service Management</string>
    <key>PayloadDisplayName</key>
    <string>Disable Login Items for user selection</string>
    <key>PayloadIdentifier</key>
    <string>4DB96276-2319-44C2-AE11-C6E761FB0304</string>
    <key>PayloadUUID</key>
    <string>A9BF8FA9-CEA3-42A2-B8C1-E1998B84CBB0</string>
    <key>PayloadType</key>
    <string>com.apple.servicemanagement</string>
    <key>PayloadOrganization</key>
    <string>My Great Company</string>
    <key>PayloadScope</key>
    <string>System</string>
</dict>
Add this to your Custom Settings configuration profile, to go from this…

… to this.

And that's how you can prevent the end user from disabling your MDM provider's application and keep control of your fleet.
If you need to protect your organization's applications, you can reuse the block below, adding it to the Rules array of your Custom Settings profile, to prevent the user from disabling their background items.
<dict>
    <key>RuleType</key>
    <string>TeamIdentifier</string>
    <key>RuleValue</key>
    <string>XXXXXXXX</string>
    <key>Comment</key>
    <string>add an optional recommended comment</string>
</dict>
There are several ways to identify the background items you want to manage, using the different values supported by the RuleType key:
BundleIdentifier
BundleIdentifierPrefix
Label
LabelPrefix
TeamIdentifier
To retrieve the TeamIdentifier of the applications you want to manage, run this command in your favorite terminal app (Google Chrome is used as the example here):
codesign -dv --verbose=4 /Applications/Google\ Chrome.app/ 2>&1 | grep TeamIdentifier
You will obtain TeamIdentifier=EQHXZ8M8AV
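A rule with a mistyped RuleType or an unfilled placeholder value protects nothing, so it is worth linting the Custom Settings fragment before uploading it. The following Python check is an added example, not code from the original article or from VMware's samples; the names lint_payload and rule_xml, the 10-character Team ID format and the breadth heuristic for prefix rules are assumptions made for this example.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# RuleType values listed in the article.
RULE_TYPES = {"BundleIdentifier", "BundleIdentifierPrefix", "Label",
              "LabelPrefix", "TeamIdentifier"}
TEAM_ID = re.compile(r"[A-Z0-9]{10}")  # assumption: 10 uppercase letters/digits

def lint_payload(fragment):
    """Lint a bare <dict> payload fragment; an empty list means no findings."""
    xml = '<plist version="1.0">' + fragment.strip() + "</plist>"  # add root
    try:
        payload = plistlib.loads(xml.encode())
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"not a well-formed plist fragment: {exc}"]
    if not isinstance(payload, dict):
        return ["top-level element must be a <dict>"]
    findings = []
    if payload.get("PayloadType") != "com.apple.servicemanagement":
        findings.append("PayloadType is not com.apple.servicemanagement")
    rules = payload.get("Rules")
    if not isinstance(rules, list) or not rules:
        return findings + ["Rules must be a non-empty <array>"]
    for i, rule in enumerate(r if isinstance(r, dict) else {} for r in rules):
        rtype, value = rule.get("RuleType"), rule.get("RuleValue")
        if rtype not in RULE_TYPES:
            findings.append(f"rule {i}: unknown RuleType {rtype!r}")
        elif not isinstance(value, str) or not value:
            findings.append(f"rule {i}: RuleValue is missing or empty")
        elif rtype == "TeamIdentifier" and not TEAM_ID.fullmatch(value):
            findings.append(f"rule {i}: {value!r} is not a 10-character Team ID")
        elif rtype.endswith("Prefix") and len(value.strip(".").split(".")) < 2:
            # Heuristic (assumption): a one-component prefix spans many vendors.
            findings.append(f"rule {i}: prefix {value!r} is very broad")
    return findings

def rule_xml(rtype, value):  # builds one constructed rule <dict>
    return (f"<dict><key>RuleType</key><string>{rtype}</string>"
            f"<key>RuleValue</key><string>{value}</string></dict>")

# Constructed sample: one rule from the article, then three mistakes.
SAMPLE = ("<dict><key>Rules</key><array>" + rule_xml("TeamIdentifier", "S2ZMFGQM93")
          + rule_xml("TeamIdentifier", "XXXXXXXX") + rule_xml("LabelPrefix", "com.")
          + rule_xml("TeamID", "EQHXZ8M8AV") + "</array><key>PayloadType</key>"
          "<string>com.apple.servicemanagement</string></dict>")

if __name__ == "__main__":
    print("\n".join(lint_payload(SAMPLE)) or "no findings")
```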
How to test before deploying to your fleet
We saw in a previous article how you can virtualize a beta or non-beta version of macOS on your Apple Silicon Mac with UTM.
I invite you to read that article: https://blog.mobinergy.com/how-to-virtualize-macos-ventura-on-mac-with-apple-sillicon-chip-the-easy-way/
Thanks for reading, and stay tuned for more technical content!