Learn about how and when to use the Login & Background Items Library Item
About Login and Background Items
Many apps running on a Mac may require login or background items to function correctly. Often these items launch at startup or during user login, and in the background, hence the name. For example, an app may run an updater daemon in the background to be able to process updates more easily for itself. In the case of the Kandji Agent, various processes run in the background to be able to perform a number of tasks, such as running custom scripts, enforcing parameters, and more, without requiring interaction from the user.
Changes in macOS Ventura
macOS Ventura introduces additional user privacy protections around login and background items so that Mac users are more aware of the apps and services that may be running in the background, some of which may not be visible to them. macOS Ventura both alerts a user when an app has added a new login or background item, and provides a way for the user to disable it in System Settings > General > Login Items, as shown below:
Enforcing Login and Background Items with the Login & Background Items Library Item
Many pieces of software you use in your organization likely require login and/or background items to function correctly. You may have even configured your own background items to run via launch daemon or launch agent configurations that run custom scripts.
The Login & Background Items Library Item lets you specify items that users cannot turn off in System Settings. Items configured with the library item are marked as being managed by your organization in System Settings (as is shown for Kandji in the image in the section above).
The Login & Background Items Library Item will only be deployed to Mac computers running macOS 13 or later.
Configuring the Login & Background Items Library Item
1. From the Library, find Login & Background Items and click Add & Configure
2. Give your Library Item a Name
3. Assign it to one or more Blueprints (optional)
4. Click Add Background Item
5. In the modal that appears enter the following information:
   - The identifier Type (more details below)
   - The Identifier itself
   - An optional Comment (this is not used by macOS, but is for your reference)
6. Press Save
7. Optionally repeat steps 5 and 6 to add additional background items.
8. Press Save
When asked for the identifier type (as shown below), this can be one of five options:
- Bundle Identifier
  - This option maps to a bundle identifier of an app that has adopted Apple's SMAppService API. Check with the software vendor to know if this option can be used.
- Bundle Identifier Prefix
  - This option lets you configure one rule for multiple apps sharing a bundle identifier prefix for apps that have adopted Apple's SMAppService API. Check with the software vendor to know if this option can be used.
- Label
  - This is used for identifying launch agents and launch daemons. To find the label, inspect the property list (plist) files in /Library/LaunchAgents, /Library/LaunchDaemons, and those same folders in any user's home directory. You can also use the `sudo launchctl list` command to find labels of actively loaded or running items.
- Label Prefix
  - This is similar to the bundle identifier prefix, but for labels. For example, if you have several custom launch daemons running on your systems, all with labels like com.myexamplecompany, then you could simply specify that to allow all of your items to load.
- Team Identifier
  - Most commercial software vendors sign their software with the same Apple Developer Team ID. Check their documentation for additional details.
Learn more about using MDM to manage background tasks on Mac in Apple Platform Deployment.
Note: Kandji recommends using the Team ID option whenever possible, as it is the most secure. Bundle identifiers and labels can potentially be spoofed by other software, but code signing identities tied to Apple Developer Team Identifiers are foundational to macOS security and would be the most difficult to compromise or spoof. When using the Team ID, apps that add themselves, or that users add, to Login Items will also be disallowed from being toggled in System Settings. Use the app’s own preferences, or control-click on the Dock icon and use the “Open at Login” option under the “Options” menu as a workaround to toggle the option on or off.
For Bundle Identifier Prefix and Label Prefix, use the "com.example" format, and be sure not to include a trailing period. Also, do not include other special characters such as "*".
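
The following added example is not part of the original article or Kandji's tooling. It reads the Label key from launchd plists in the folders named above and checks a proposed prefix against the two format rules stated here. The function names and the sample plist are constructed for illustration, and the starts-with comparison is a plain string check for reviewing how broad a prefix is, not a statement of how macOS matches prefixes.

```python
import plistlib
from pathlib import Path

# Folders the article names; add each user's ~/Library/LaunchAgents as needed.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons"]

# Constructed sample plist (not from a real product) for trying the parser offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.myexamplecompany.updater</string>
</dict></plist>"""

def label_from_plist(data):
    """Return the launchd Label from plist bytes (XML or binary), or None."""
    try:
        doc = plistlib.loads(data)
    except Exception:  # malformed or non-plist file
        return None
    label = doc.get("Label") if isinstance(doc, dict) else None
    return label if isinstance(label, str) else None

def collect_labels(dirs=LAUNCHD_DIRS):
    """Map each Label to the plist path that declares it."""
    found = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for path in sorted(Path(d).glob("*.plist")):
            try:
                label = label_from_plist(path.read_bytes())
            except OSError:  # unreadable without elevated rights
                continue
            if label:
                found[label] = str(path)
    return found

def check_prefix(value):
    """Check a prefix value against the article's two explicit format rules."""
    rules = {"trailing period": value.endswith("."), "contains '*'": "*" in value}
    return [name for name, broken in rules.items() if broken]

def labels_starting_with(prefix, labels):
    """Plain string comparison, only to review which local labels share a prefix."""
    return sorted(l for l in labels if l.startswith(prefix))

if __name__ == "__main__":
    for label, path in sorted(collect_labels().items()):
        print(f"{label}\t{path}")
```

Reviewing the output of `labels_starting_with` before saving a Label Prefix rule shows every locally installed item that shares the prefix, which helps keep the rule as narrow as intended.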