Uploading a Configuration Profile for Managed Login Items

Updated: 24 January 2023
Product: Jamf Pro
Versions Affected: 10.42.0 or later

24 January 2023

This article is no longer being updated. Beginning with Jamf Pro 10.43.0, you can create a configuration profile that includes the Managed Login Items payload in the user interface. For more information, see the Jamf Pro Release Notes 10.43.0.

In Jamf Pro 10.42.0 or later, you can create a configuration profile using the com.apple.servicemanagement payload for Managed Login Items to prevent end users from disabling certain background services of apps that are installed in your environment by uploading a profile that was built using Apple's software, (e.g., Profile Manager or Apple Configurator).

When the configuration profile is distributed to the computers in your scope, end users cannot disable certain background services of apps in System Settings > General Settings > Login Items > Allow in the Background.

Keep the following in mind when uploading your configuration profile:

  • Configuration profiles do not need to be signed to upload.

  • While this payload type is recognized in Jamf Pro 10.42.0 or later, the user interface does not display the contents of the profile for viewing or editing. This functionality will be released in a future version of Jamf Pro. To view the contents of a saved configuration profile, download the profile and inspect it on your computer.

  • The RuleType key can support the following values:

    • BundleIdentifier

    • BundleIdentifierPrefix

    • Label

    • LabelPrefix

    • TeamIdentifier

  • The Comment key is optional, but recommended.

More information on Managed Login Items is available as part of the AppleSeed for IT program from Apple. For information, see the AppleSeed for IT website.

For information about the Managed Login Items profile and payload details, see the com.apple.servicemanagement.yaml page on GitHub.

Requirements

  • Target computers with macOS 13 or later*

  • Jamf Pro 10.42.0 or later

  1. Build a configuration profile for the app or apps you want to manage login items for, similar to the following example:
    Note:

    The RuleType key in this example is TeamIdentifier, meaning all login items that were signed by the included team identifier will be managed and allowed. This example configuration profile is similar to the configuration profile Jamf Pro automatically installs for Jamf-built apps on computers with macOS 13 or later in Jamf Pro 10.42.0 or later.

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>PayloadContent</key>
		<array>
			<dict>
				<key>PayloadDescription</key>
				<string>Allows for Jamf to register a launch daemons and launch agents</string>
				<key>PayloadDisplayName</key>
				<string>Managed Login Items - Jamf Apps</string>
				<key>PayloadIdentifier</key>
				<string>com.jamf.servicemanagement.backgroundapps.C300A686-F336-46AA-984E-00A79B429210</string>
				<key>PayloadUUID</key>
				<string>8C2FA619-3ABC-456B-ABA7-09C98180F435</string>
				<key>PayloadType</key>
				<string>com.apple.servicemanagement</string>
				<key>PayloadOrganization</key>
				<string>Jamf</string>
				<key>Rules</key>
				<array>
					<dict>
						<key>RuleType</key>
						<string>TeamIdentifier</string>
						<key>RuleValue</key>
						<string>483DWKW443</string>
						<key>Comment</key>
						<string>Allow login items for Jamf apps</string>
					</dict>
                    			<dict>
                        		<key>RuleType</key>
                        			<string>TeamIdentifier</string>
                        			<key>RuleValue</key>
                        			<string>Y4R2DPFAT8</string>
                        			<key>Comment</key>
                        			<string>Allow login items for Jamf Security apps</string>
                    			</dict>
				</array>
			</dict>
		</array>
		<key>PayloadDisplayName</key>
		<string>Managed Login Items - Jamf Apps</string>
		<key>PayloadIdentifier</key>
		<string>com.jamf.servicemanagement.backgroundapps.94D2DEF4-4235-4206-B076-313EDFD56282</string>
		<key>PayloadUUID</key>
		<string>00000000-0000-0000-A000-4A414D460178</string>
		<key>PayloadType</key>
		<string>Configuration</string>
		<key>PayloadScope</key>
		<string>System</string>
	</dict>
</plist>
  2. In Jamf Pro, click Computers at the top of the sidebar.
  3. Click Configuration Profiles in the sidebar.
  4. Click Upload .
  5. Choose the configuration profile you created in step 1 (.mobileconfig).
  6. Click the Scope tab and configure the scope of the configuration profile.
  7. Click Save .
  8. Click Download to view and inspect the contents of the configuration profile.
The configuration profile is applied to the target computers in your scope.