
Managed Login Item

Starting with macOS Ventura (13.x), background items (such as LaunchAgents and LaunchDaemons) present user notifications, and System Settings allows the user to easily disable them. Octory uses a background item, and not enabling it will prevent Octory from launching. To make sure users cannot disable the background item, a Configuration Profile is needed to auto-approve and lock it. Most MDM solutions provide the ServiceManagementManagedLoginItems payload from the Apple MDM framework.

Rule types

The payload provides several rule types for background items:

  • BundleIdentifier: com.amaris.octory.launch
  • BundleIdentifierPrefix: com.amaris.octory
  • Label: com.amaris.octory.launch
  • LabelPrefix: com.amaris.octory
  • TeamIdentifier: 5G89W3T34F

When using a RuleType other than TeamIdentifier, you can still add the TeamIdentifier (5G89W3T34F) constraint. This ensures that only software signed by Amaris Consulting is matched by the profile, auto-approved and locked in System Settings, and that other (potentially spoofed) background items are not.

Example

An example Configuration Profile is provided where the com.amaris.octory label prefix will be auto-approved and locked in System Settings, with the Amaris Consulting TeamIdentifier constraint.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Service Management - Managed Login Items</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.servicemanagement.543A5646-3A60-4051-9A97-09CAA7D2E9BC</string>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
            <key>PayloadUUID</key>
            <string>543A5646-3A60-4051-9A97-09CAA7D2E9BC</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Rules</key>
            <array>
                <dict>
                    <key>Comment</key>
                    <string>Octory</string>
                    <key>RuleType</key>
                    <string>LabelPrefix</string>
                    <key>RuleValue</key>
                    <string>com.amaris.octory</string>
                    <key>TeamIdentifier</key>
                    <string>5G89W3T34F</string>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Managed Login Item - Octory</string>
    <key>PayloadIdentifier</key>
    <string>5F657BCE-1F93-44EB-9182-CFE3CC8F98CC</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5F657BCE-1F93-44EB-9182-CFE3CC8F98CC</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
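
A pre-deployment check for the TeamIdentifier constraint described above, as an added example (not Octory's or Apple's code): it parses a profile and flags name-based rules that lack the expected TeamIdentifier. The names `audit_login_item_rules` and `sample_profile`, and the sample profiles themselves, are constructed for illustration.

```python
import plistlib

# Rule types from this page that match by name only. Without a TeamIdentifier
# constraint, any background item using the same name would also be matched.
NAME_BASED = {"BundleIdentifier", "BundleIdentifierPrefix", "Label", "LabelPrefix"}


def audit_login_item_rules(profile_bytes, expected_team_id):
    """Return a list of (rule name, problem) findings; empty means clean."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.servicemanagement":
            continue  # only the managed login items payload is checked
        for rule in payload.get("Rules", []):
            name = rule.get("Comment") or rule.get("RuleValue", "<no value>")
            rtype, value = rule.get("RuleType"), rule.get("RuleValue")
            team = rule.get("TeamIdentifier")
            if rtype == "TeamIdentifier":
                if value != expected_team_id:
                    findings.append((name, f"unexpected team {value!r}"))
            elif rtype in NAME_BASED:
                if team is None:
                    findings.append((name, "name-based rule without TeamIdentifier"))
                elif team != expected_team_id:
                    findings.append((name, f"unexpected team {team!r}"))
            else:
                findings.append((name, f"unknown RuleType {rtype!r}"))
    return findings


def sample_profile(rule):
    # Constructed sample: a minimal profile holding a single rule.
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": "com.apple.servicemanagement", "Rules": [rule]}]})


# Constructed inputs: the page's rule, and the same rule with the constraint removed.
GOOD = sample_profile({"RuleType": "LabelPrefix", "RuleValue": "com.amaris.octory",
                       "TeamIdentifier": "5G89W3T34F"})
WEAK = sample_profile({"RuleType": "LabelPrefix", "RuleValue": "com.amaris.octory"})

if __name__ == "__main__":
    for label, data in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_login_item_rules(data, "5G89W3T34F"))
```
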

Create Configuration Profile

There are several ways to create a Configuration Profile for auto-approving a background item. Your MDM solution may support the payload to easily configure notifications in the user interface. If not, there are tools available that may help you create a custom profile:

  • iMazing Profile Editor