Managing “Login Items” for macOS Ventura

  1. Download iMazing Profile Editor from, double-click the downloaded .dmg file to mount it, and copy the iMazing Profile Editor app to your Applications folder.
  2. Configure a macOS 13 device, or upgrade an existing device to macOS 13, and ensure your essential/required tools are installed and functional
  3. On the macOS 13 system, open Terminal and type:
    sudo sfltool dumpbtm
    A list of installed LaunchAgents, LaunchDaemons, and scripts will be displayed in the Terminal window.
  4. Scan (or grep) this list and copy each Team Identifier to a text document
  5. Open iMazing Profile Editor
  6. With a blank new profile, search for Service Management and add this payload to your new profile
  7. Click the + icon to add a new rule, and, for each Team Identifier you identified above, create a new Team Identifier entry, and, optionally, a comment.
  8. Clear the search results, click on the General tab, and edit the Name field (I use Managed Login Items —My CompanyName as my naming scheme).
  9. Now, save your profile, using the same naming scheme you used above. If you will be uploading this to your MDM, and you have a certificate installed on your Mac that can be used to sign the profile, I encourage you to choose this option, to prevent your MDM from attempting to interpret the payload.
  10. Upload the profile to your MDM, scoping it to install automatically onto your test macOS 13 system. (You cannot manually install this profile type).
  11. On your test macOS 13 system, confirm in System Settings->Privacy & Security->Profiles that your new profile has been deployed.
  12. Open System Settings->General->Login Items and note that at least some of your items can no longer be toggled off.
  13. For each additional item you need to manage, you need to determine an alternate method of identifying it. Your first, best option should be to look at each plist in /Library/LaunchAgents and /Library/LaunchDaemons, looking for a Label key, typically in the format
  14. In iMazing Profile Editor, go back into the profile you created, and, under the Service Management — Managed Login Items payload, click the + to add a Label, then enter each unique label you determined in step 13, along with an optional comment
  15. Re-save, sign, upload and scope your updated profile, and test again. Iterate until all of the items you wish to control are now prevented from being disabled by the user.
  16. Optionally, if you want to prevent users from seeing messages about Login Items being installed, you can create a Notifications profile, using any profile creation method you’re familiar with. You want to disable both Notifications and Critical Alerts for Bundle ID
  17. Scoping/deploying both your Managed Login Items and your Notifications payloads to macOS 13 systems should work (but may require an inventory update for your MDM to recognize that the Mac has been upgraded to macOS 13). Do not scope Managed Login Items to systems running macOS 12 or earlier, as macOS versions earlier than 13 do not understand this payload, which is evaluated only at the time of installation, not after an OS upgrade.
  18. If you are a Jamf Pro user, and are running version 10.42 or later, you can optionally create a Smart Group with a Profile Identifier of com.jamf.servicemanagement.backgroundapps (Jamf’s built-in Service Management profile in Jamf Pro 10.42 and later), and scope both your Managed Login Items and Notifications payloads to that Smart Group. This should push the profiles to the newly-upgraded macOS 13 device without requiring an inventory update.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Robert Hammen

Robert Hammen


IT Systems Engineer (macOS and iOS) at a reusable rocket company. @duranduran & Green Bay @packers fan. Spouse of @Skaared4Life. Opinions expressed are mine.