Managing “Login Items” for macOS Ventura
macOS 13 Ventura adds controls to the new System Settings app for background services: LaunchAgents, LaunchDaemons, and the traditional login items. Apple is (confusingly) calling all of this Login Items, and it lives in System Settings->General->Login Items. By default, macOS shows the user a notification whenever one of these items is installed.
I won’t post a screenshot here until macOS 13 is released, but you can find examples of the controls, and the notifications, in this article:
The concern for anyone who manages macOS at scale is that users can simply flip a toggle to disable their management tools, or their security tools. Making it that easy to turn off essential tooling is obviously undesirable. Fortunately, in later betas of macOS 13, Apple has given administrators a way to prevent users from toggling off these essential tools: a configuration profile carrying the Service Management (com.apple.servicemanagement) payload. Apple’s documentation of the payload is here: https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.servicemanagement.yaml
The payload carries a list of rules, each with a rule type and a value; any installed item that matches a rule is treated as managed and can no longer be disabled by the user. The available rule types are TeamIdentifier, Label, LabelPrefix, BundleIdentifier and BundleIdentifierPrefix. Step 3 below covers running a command that lists every candidate item.
• For anything that shows up in the list with a Team Identifier, create a Team Identifier rule with that value. This is the most robust choice: it covers every item signed by that team, and it survives renames of the individual agents and daemons.
• For anything in the list without a Team Identifier that you still want to manage, use a Label rule. Avoid Label Prefix unless you have to: a prefix rule manages every launchd job whose label starts with that string, so a broad prefix (e.g. com.apple) lets malicious software hide behind your rule simply by choosing a matching label.
Some MDMs do not yet have built-in functionality to create these Login Items/Service Management profiles: Jamf Pro does not (before the Service Management profile introduced in 10.42; see the last step below), while JumpCloud (https://support.jumpcloud.com/s/article/Managing-JumpCloud-Login-Items) and Kandji (https://support.kandji.io/support/solutions/articles/72000578621-about-the-login-background-items-library-item) do.
Some folks have hand-coded them, but fortunately there is a graphical profile creation tool that lets you easily create (and sign) a configuration profile you can then add to your MDM.
1. Download iMazing Profile Editor from https://imazing.com/profile-editor, double-click the downloaded .dmg file to mount it, and copy the iMazing Profile Editor app to your Applications folder.
2. Set up a macOS 13 device, or upgrade an existing device to macOS 13, and ensure your essential/required tools are installed and functional.
3. On the macOS 13 system, open Terminal and run:
   sudo sfltool dumpbtm
   A list of the installed LaunchAgents, LaunchDaemons, login items and scripts will be displayed in the Terminal window, including the Team Identifier of each item that has one.
4. Scan (or grep) this list and copy each unique Team Identifier to a text document.
5. Open iMazing Profile Editor.
6. With a blank new profile, search for Service Management and add this payload to your new profile.
7. Click the + icon to add a new rule, and, for each Team Identifier you collected above, create a Team Identifier entry, optionally with a comment.
8. Clear the search results, click on the General tab, and edit the Name field (I use Managed Login Items — My CompanyName as my naming scheme).
9. Save your profile, using the same naming scheme. If you will be uploading it to your MDM and you have a certificate installed on your Mac that can sign the profile, I encourage you to choose that option: a signed profile is uploaded as-is, so the MDM cannot attempt to interpret (and possibly rewrite) the payload.
10. Upload the profile to your MDM, scoping it to install automatically on your test macOS 13 system. (This profile type cannot be installed manually; it must be delivered by MDM.)
11. On your test macOS 13 system, confirm in System Settings->Privacy & Security->Profiles that the new profile has been deployed.
12. Open System Settings->General->Login Items and note that at least some of your items can no longer be toggled off.
13. For each remaining item you need to manage, you need an alternate way of identifying it. Your first and best option is to look at each plist in /Library/LaunchAgents and /Library/LaunchDaemons for its Label key; the value is typically of the form com.company.item (the file is usually named after it, com.company.item.plist).
14. In iMazing Profile Editor, go back into the profile you created, and, under the Service Management — Managed Login Items payload, click + to add a Label rule, then enter each unique label you determined in step 13, along with an optional comment.
15. Re-save, sign, upload and scope your updated profile, and test again. Iterate until every item you wish to control can no longer be disabled by the user.
16. Optionally, to prevent users from seeing messages about Login Items being installed, create a Notifications profile using any profile creation method you’re familiar with. Disable both Notifications and Critical Alerts for the bundle ID com.apple.btmnotificationagent.
17. Scoping/deploying both your Managed Login Items and your Notifications payloads to macOS 13 systems should work (though your MDM may need an inventory update to recognise that a Mac has been upgraded to macOS 13). Do not scope Managed Login Items to systems running macOS 12 or earlier: those versions do not understand this payload, and a profile is evaluated only at the time of installation, not again after an OS upgrade.
18. If you are a Jamf Pro user running version 10.42 or later, you can optionally create a Smart Group with a Profile Identifier criterion of com.jamf.servicemanagement.backgroundapps (Jamf’s built-in Service Management profile in Jamf Pro 10.42 and later), and scope both your Managed Login Items and Notifications payloads to that Smart Group. This should push the profiles to a newly upgraded macOS 13 device without requiring an inventory update.
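The procedure above, as an added example that is not from the original article and not Apple's or iMazing's code: a POSIX shell script that takes `sudo sfltool dumpbtm` output, applies the rule of thumb from the bullets (a TeamIdentifier rule per signing team, an exact Label rule for anything unsigned), and writes a complete .mobileconfig with a single com.apple.servicemanagement payload. The dumpbtm text is a constructed sample, the "Team Identifier:" and "Identifier:" field names are my assumption about dumpbtm's layout (check them against your own Mac's output), and Example Corp, com.example.* and com.legacy.backup are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: turn `sudo sfltool dumpbtm`
# output into a com.apple.servicemanagement (Managed Login Items) profile.
# Assumptions (not from the article): dumpbtm's "Team Identifier:" and
# "Identifier:" field names, and the Example Corp / com.example.* placeholders.

# Constructed dumpbtm-style sample (not real output): two items signed by the
# same team and one unsigned legacy daemon that only a Label rule can cover.
SAMPLE_DUMPBTM='
 #1:
   Name: Example Agent
   Team Identifier: ABCDE12345
   Identifier: com.example.agent
 #2:
   Name: Example Daemon
   Team Identifier: ABCDE12345
   Identifier: com.example.daemon
 #3:
   Name: legacy-backup
   Team Identifier:
   Identifier: com.legacy.backup
'

# Unique 10-character Team Identifiers from dumpbtm text on stdin.
team_ids() {
  awk -F': *' '$1 ~ /Team Identifier$/ && length($2) == 10 && $2 ~ /^[A-Z0-9]+$/ { print $2 }' | sort -u
}

# launchd labels (dumpbtm's Identifier field) of items with no Team Identifier.
unsigned_labels() {
  awk -F': *' '
    /^ *#[0-9]+:/              { if (id != "" && team == "") print id; id = ""; team = "" }
    $1 ~ /^ *Team Identifier$/ { team = $2 }
    $1 ~ /^ *Identifier$/      { id = $2 }
    END                        { if (id != "" && team == "") print id }' | sort -u
}

xml_escape() { sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# The fixed fallback UUID is only for offline testing; never deploy it.
new_uuid() { uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || echo 00000000-0000-4000-8000-000000000000; }

# One entry of the payload's Rules array: $1 = RuleType (TeamIdentifier, Label,
# LabelPrefix, BundleIdentifier, BundleIdentifierPrefix), $2 = RuleValue, $3 = Comment.
rule_dict() {
  printf '      <dict>\n        <key>RuleType</key><string>%s</string>\n' "$1"
  printf '        <key>RuleValue</key><string>%s</string>\n' "$(printf '%s' "$2" | xml_escape)"
  [ -n "${3:-}" ] && printf '        <key>Comment</key><string>%s</string>\n' "$(printf '%s' "$3" | xml_escape)"
  printf '      </dict>\n'
}

# The article's rule of thumb: a TeamIdentifier rule per signing team, an exact
# Label rule per unsigned item. Output lines are "RuleType<TAB>RuleValue<TAB>Comment".
rules_from_dumpbtm() {
  printf '%s\n' "$1" | team_ids | while read -r t; do
    printf 'TeamIdentifier\t%s\tall items signed by team %s\n' "$t" "$t"; done
  printf '%s\n' "$1" | unsigned_labels | while read -r l; do
    printf 'Label\t%s\tno Team ID; exact label, never a prefix\n' "$l"; done
}

# Full .mobileconfig: $1 = display name, $2 = profile identifier, rule lines on stdin.
make_profile() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.servicemanagement</string>
      <key>PayloadIdentifier</key><string>$2.servicemanagement</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Rules</key>
      <array>
EOF
  while IFS="$(printf '\t')" read -r type value comment || [ -n "$type" ]; do
    [ -n "$type" ] && rule_dict "$type" "$value" "$comment"
  done
  cat <<EOF
      </array>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>$1</string>
  <key>PayloadIdentifier</key><string>$2</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Real use: sudo sfltool dumpbtm > btm.txt; rules_from_dumpbtm "$(cat btm.txt)" | make_profile ... > managed.mobileconfig
rules_from_dumpbtm "$SAMPLE_DUMPBTM" | make_profile "Managed Login Items - Example Corp" "com.example.managedloginitems"
```

On a real Mac, redirect the final line's output to a .mobileconfig, review the generated Label rules against the plists in /Library/LaunchAgents and /Library/LaunchDaemons (an unsigned item with no stable label should make you question whether it belongs on managed systems at all), then sign the file and upload it to your MDM exactly as in steps 9 and 10. The generator deliberately never emits a LabelPrefix rule, for the reason given in the bullets above.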