Learn about Login & Background Items and how to configure them
What are Login & Background Items?
Login and background items refer to applications, processes, or scripts that are set to automatically start when a user logs in or when the system boots up. These items can enhance user experience by providing immediate access to frequently used applications or ensuring certain services are always running. Beginning with macOS Ventura, an end user receives alerts when an app has added a new login or background item and is provided with a way to disable it in System Settings > General > Login Items. To learn more about using MDM to manage background tasks in macOS, please see Apple's Platform Deployment guide.
How managed Login & Background Items work
Mac administrators can use configuration profiles that define managed login and background items. These profiles ensure that essential software and services are available immediately after login and cannot be disabled by end users, even those with local administrator credentials, enhancing security and improving the user experience. Managed Login and Background items rely on identifiers to allow specified background items.
Identifier Types
For Bundle Identifier Prefix and Label Prefix, use the "com.example" format, and be sure not to include a trailing period. Also, do not include other special characters such as "*".
When asked for the identifier type, you can select one of five options:
- Bundle Identifier
  - This option maps to a bundle identifier of an app that has adopted Apple's SMAppService API. Check with the software vendor to determine if this option can be used.
- Bundle Identifier Prefix
  - This option lets you configure one rule for multiple apps sharing a bundle identifier prefix for apps that have adopted Apple's SMAppService API. Check with the software vendor to determine if this option can be used.
- Label
  - This is used to identify launch agents and launch daemons. To find the label, inspect the property list (plist) files in `/Library/LaunchAgents`, `/Library/LaunchDaemons`, and those same folders in any user's home directory. You can also use the `sudo launchctl list` command to find labels of actively loaded or running items.
- Label Prefix
  - This is similar to the bundle identifier prefix but for labels. For example, if you have several custom launch daemons running on your systems, all with labels like com.myexamplecompany, you could simply specify that prefix to allow all of your items to load.
- Team Identifier
  - Most commercial app vendors sign their software with the same Apple Developer Team ID. Check their documentation for additional details.
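One way to gather labels and sanity-check a candidate Label Prefix before entering it, as an added example that is not Kandji's or Apple's code. The function names and sample labels are constructed for illustration, and the plain starts-with matching in `covered_by` is an assumption about how a prefix is applied.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed sample labels, not taken from any real product.
SAMPLE_LABELS = [
    "com.myexamplecompany.agent",
    "com.myexamplecompany.updater",
    "com.othervendor.helper",
]

def build_sample():
    """Write constructed launchd plists to a temp directory and return its path."""
    root = Path(tempfile.mkdtemp())
    for label in SAMPLE_LABELS:
        with open(root / f"{label}.plist", "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": ["/usr/bin/true"]}, fh)
    (root / "broken.plist").write_text("not a plist")  # must be skipped, not crash
    return root

def read_labels(directories):
    """Map each Label found in the directories' plist files to the file defining it."""
    labels = {}
    for directory in directories:
        for path in sorted(Path(directory).expanduser().glob("*.plist")):
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except (OSError, ValueError, ExpatError):
                continue  # unreadable or malformed file
            if isinstance(job, dict) and isinstance(job.get("Label"), str):
                labels[job["Label"]] = str(path)
    return labels

def check_prefix(value):
    """Return the format problems the page warns about for prefix identifiers."""
    problems = []
    if value.endswith("."):
        problems.append("trailing period")
    if "*" in value:
        problems.append("contains '*'")
    return problems

def covered_by(prefix, labels):
    """Labels a prefix would cover, assuming plain starts-with matching."""
    return sorted(label for label in labels if label.startswith(prefix))

if __name__ == "__main__":
    found = read_labels([build_sample()])
    for candidate in ("com.myexamplecompany", "com.myexamplecompany.", "com.*"):
        print(candidate, "->", check_prefix(candidate) or covered_by(candidate, found))
```

On a Mac, pass `/Library/LaunchAgents`, `/Library/LaunchDaemons` and `~/Library/LaunchAgents` to `read_labels` instead of the sample directory, and review the covered labels before saving the rule.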
Choosing an Identifier Type
Kandji suggests using the Team ID option whenever you can, as it's the most secure choice. While bundle identifiers and labels can be mimicked by other software, code-signing identities linked to Apple Developer Team Identifiers are a core part of macOS security, making them much harder to fake.
When you use the Team ID, apps that add themselves or that users add to Login Items can't be toggled in System Settings. Instead, you can use the app’s own settings, or right-click on the Dock icon and select “Open at Login” from the “Options” menu to turn the feature on or off.
Add a Login & Background Items Library Item
1. Navigate to Library in the left-hand navigation bar.
2. Click Add New on the top-right, and choose Login & Background Items.
3. Click Add & Configure.
4. Give the new Login & Background Items Library Item a Name.
5. Assign to your desired Assignment Maps or Classic Blueprints.
6. Click Add Background Item.
7. In the modal that appears, enter the following details:
   - The identifier Type (see Identifier Types above)
   - The Identifier itself
   - An optional Comment (this is not used by macOS, but is for your reference)
8. Click Save.
9. Optionally, repeat steps 7 and 8 to add additional background items.
10. Click Save again.