Category filter
Configuration Profile to manage login and background items for Mac
Login items on Macs are applications, agents, or daemons set to launch automatically when a user logs into the system. By configuring managed login items, organizations can ensure that essential enterprise software and services are available immediately after login. This configuration can be controlled via mobile device management (MDM) solutions. It ensures that end users have no control over these items, as even users with administrator credentials cannot disable them through the typical user interface. IT admins can set up managed login items for their organization’s macOS devices using the configuration profile provided in this document. Hexnode’s Deploy Custom Configuration feature helps IT admins remotely install configuration profiles on macOS devices enrolled in Hexnode UEM.
- The following configuration profile will only work on devices enrolled in a Mobile Device Management (MDM) solution.
- The sample configuration profiles provided below are created using various profile creator applications.
- The following configuration profile only works for devices running macOS 13 and above.
Setup managed login items
The following configuration profile can be used to set up managed login items on macOS devices. The configuration profile uses the com.apple.servicemanagement payload to set up rules for managed login items. The applications, agents, or daemons matching the criteria defined by the rules in the configuration profile are set as managed login items.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadDisplayName</key> <string>Service Management - Managed Login Items</string> <key>PayloadIdentifier</key> <string>com.apple.servicemanagement.6F8379E1-2B5E-4388-8E28-8A6BE6097512</string> <key>PayloadType</key> <string>com.apple.servicemanagement</string> <key>PayloadUUID</key> <string>6F8379E1-2B5E-4388-8E28-8A6BE6097512</string> <key>PayloadVersion</key> <integer>1</integer> <key>Rules</key> <array> <dict> <key>Comment</key> <string>set a comment for the Rule</string> <key>RuleType</key> <string>SpecifiedRuleType/string> <key>RuleValue</key> <string>Value for the RuleType</string> <key>TeamIdentifier</key> <string>A team identifier value to limit the scope of the rule</string> </dict> </array> </dict> </array> <key>PayloadDisplayName</key> <string>Managed Login Items on Mac</string> <key>PayloadIdentifier</key> <string>MacBook-Air.933B5B2D-5B94-4D8E-9133-72AEA21103D8</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>933B5B2D-5B94-4D8E-9133-72AEA21103D8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> |
The above configuration profile uses the following keys to setup managed login items:
| Keys | Description |
|---|---|
| Rules | This key is used to set up rules for managed login items. The applications, agents, or daemons matching the rules will be set as managed login items automatically on the device. |
| RuleType | This key defines the type of rule to compare the criteria of the login item. The key supports the following inputs:
|
| RuleValue | This key holds the value for the type of rule selected. For example, if you choose BundleIdentifier as the RuleType, provide the bundle identifier of the corresponding login item for this key. |
| Comment (optional) | You can assign a comment describing the rule using this key. |
| TeamIdentifier (optional) | This key can be used to limit the scope of the rule that the system uses after matching the RuleType and RuleValue of the login item. |
Sample Configuration profile
The following configuration profile will set up the Hexnode UEM Helper application as a managed login item on a macOS device enrolled in Hexnode UEM.
Values used for the keys are:
- RuleType – BundleIdentifier
- RuleValue – Bundle identifier of the Microsoft Teams Application – com.hexnode.hexnodegui
- Comment – A short description for the rule – “Setting Hexnode UEM Helper as a managed login item.”
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadDisplayName</key> <string>Service Management - Managed Login Items</string> <key>PayloadIdentifier</key> <string>com.apple.servicemanagement.6F8379E1-2B5E-4388-8E28-8A6BE6097512</string> <key>PayloadType</key> <string>com.apple.servicemanagement</string> <key>PayloadUUID</key> <string>6F8379E1-2B5E-4388-8E28-8A6BE6097512</string> <key>PayloadVersion</key> <integer>1</integer> <key>Rules</key> <array> <dict> <key>Comment</key> <string>Setting Hexnode UEM Helper as a managed login item.</string> <key>RuleType</key> <string>BundleIdentifier</string> <key>RuleValue</key> <string>com.hexnode.hexnodegui</string> </dict> </array> </dict> </array> <key>PayloadDisplayName</key> <string>Untitled</string> <key>PayloadIdentifier</key> <string>mitsusers-MacBook-Air.933B5B2D-5B94-4D8E-9133-72AEA21103D8</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>933B5B2D-5B94-4D8E-9133-72AEA21103D8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> |
Upon successful profile installation Hexnode UEM Helper is listed under the System Setting/System Preferences > General > Login Items. Hexnode UEM Helper will be added to the list of background running apps as a managed login item. Even a user with admin credentials will not be able to disable this login item.
- To create and customize configuration profiles, you can use tools like Apple Configurator, Profile Manager or manually create them using text editors.
- Use non-encrypted .mobileconfig, .xml, or plist files to deploy profiles across macOS devices.
- Ensure that you do not associate conflicting configurations with the devices.
- It is recommended to manually validate the configuration profile execution on a system before executing the action in bulk.
- Hexnode will not be responsible for any damage/loss to the system on the behavior of the configuration profile.
