macOS Ventura: Bringing Transparency to Login and Background Items

Posted on November 4, 2022

Written by

Mike Boylan

Staff Product Engineer at Kandji

For years now, many Mac apps have been installing components that launch automatically at login and/or that run in the background. It’s always been hard for users to keep track of these surreptitious bits of software that were running on their computers. With macOS Ventura, Apple has made it easier for users to see and control their login and background items. But Apple is giving Mac admins some say in the matter, as well.

What Are Login and Background Items?

If you’ve used macOS for any length of time, you know you can set apps to launch automatically at login. You probably also know that there are other, less visible processes running on your Mac that are launched at startup or login by launchd—the process on your Mac that launches other processes, either for individual users or for the system as a whole. Those processes are commonly referred to as launch agents (when run in the user context) or launch daemons (when they run as a system user, usually root). 

As explained in Apple’s developer documentation:

Launch daemons, launch agents, and startup items are helper executables that macOS starts on behalf of the user that extend the capabilities of apps or provide additional capabilities to users. A LaunchDaemon can provide persistent background service for an app, a LaunchAgent can provide auxiliary UI capabilities like menu bar extras, and a LoginItem can provide the ability to automount remote directories or launch applications when the user logs in.

For example, the Kandji Agent uses all three of these technologies on enrolled Mac computers, so that it can install apps and run scripts in the background, provide a menu bar app, and launch automatically at login.

How Login and Background Items Change in macOS Ventura 

With macOS Ventura, Apple has made items that launch at login or run in the background more visible. In macOS Ventura, when an installer package or app installs software components that launch at login or startup or that run in the background, macOS notifies the user in Notification Center. It also provides an easy way to disable such items in the new System Settings app (which replaces the long-standing System Preferences app). 

These changes are important for platform security. Previous versions of macOS allowed these items to be installed completely silently. In theory, that could mean that, in macOS Monterey or older versions of macOS, part of an app you didn’t explicitly open could be running in the background without your consent or knowledge. 

For example, here’s the notification a user would see when installing Zoom for the first time on macOS Ventura: 

Background item notification

That notification links to System Settings, where you can toggle Zoom’s ability to launch in the background on or off:

macOS Ventura login items settings

If you set the preference to automatically launch the main Zoom app at login, it would appear in the top list as well.

Managing Login and Background Items in macOS Ventura

In the screenshot above, note the text under Kandji, Inc.: “This item is managed by your organization.” Note further that the on/off switch for that item is grayed out; end-users can’t turn the Kandji background item off. Apple has made it possible for Mac admins to manage login and background items, and Kandji has provided a new library item that lets them do just that.

Add Login & Background Items library item

The new Login & Background Items library item enables admins to configure which background items should be locked in System Settings, so end-users cannot disable them. It provides multiple ways to specify the items you want to manage:

Bundle Identifiers: This option maps to a bundle identifier of an app that has adopted Apple’s new SMAppService API. Check with the software vendor to know if this option can be used. (A quick way to get the Bundle ID of an app in Terminal: osascript -e 'id of app "App Name"'.)

Bundle Identifier Prefixes: This option lets you configure one rule for multiple apps that have adopted Apple’s new SMAppService API. Again, you’ll need to check with the software vendor to know whether this option can be used.

Configure background item library item

Label: This is used for identifying launch agents and launch daemons. To find the label, inspect the plist files in /Library/LaunchAgents, /Library/LaunchDaemons, and those same folders in any user's home folder (or within an app bundle in macOS Ventura). You can also use the command sudo launchctl list to find labels of actively loaded or running items.

Label Prefix: This is similar to the bundle identifier prefix, but for labels. For example, if you have several custom launch daemons running on your systems, all with labels that begin with com.myexamplecompany, you could specify that prefix to allow all of your items to load.

Team Identifier: Most commercial software vendors sign their software with the same Apple Developer Team Identifier (also referred to as Team ID). Check their documentation for additional details.

Note: We recommend using the Team ID option whenever possible, as it is the most secure. Bundle identifiers and labels can potentially be spoofed by other software, but code-signing identities tied to Apple Developer Team Identifiers are foundational to macOS security and would be the most difficult to compromise or spoof. As of this writing, when using the Team ID, apps that add themselves or that users add to Login Items will also be disallowed from being toggled in System Settings. Use the app’s own preferences, or control-click on the Dock icon and use the Open at Login option under the Options menu as a workaround to toggle the item on or off.
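Before locking items by Label or Label Prefix, it helps to list which launchd plists a given prefix would cover and which executable each one starts. The following is an added example, not Kandji's or Apple's code: the function names are hypothetical, the sample plists are constructed, and it assumes a prefix rule behaves as a plain string-prefix match.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons"]  # folders named in the article

def read_item(path):
    """Return (label, executable) from one launchd plist, or None if unusable."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # accepts both XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None  # unreadable or malformed file: skip it, keep auditing
    if not isinstance(job, dict) or not isinstance(job.get("Label"), str):
        return None
    args = job.get("ProgramArguments") or []
    return job["Label"], job.get("Program") or (args[0] if args else None)

def items_matching_prefix(dirs, prefix):
    """List (label, executable) per matching item (assumes plain string-prefix matching)."""
    hits = []
    for d in dirs:
        for plist in sorted(Path(d).glob("*.plist")):
            item = read_item(plist)
            if item and item[0].startswith(prefix):
                hits.append(item)
    return hits

def demo():
    """Run the audit over constructed sample plists in a temporary folder."""
    samples = {  # constructed examples, not real software
        "a.plist": ({"Label": "com.myexamplecompany.sync",
                     "ProgramArguments": ["/usr/local/bin/sync-helper", "-d"]}, plistlib.FMT_XML),
        "b.plist": ({"Label": "com.myexamplecompany.updater",
                     "Program": "/Library/MyExampleCompany/updater"}, plistlib.FMT_BINARY),
        "c.plist": ({"Label": "org.othervendor.agent", "Program": "/opt/other/agent"}, plistlib.FMT_XML),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (job, fmt) in samples.items():
            with open(Path(tmp, name), "wb") as fh:
                plistlib.dump(job, fh, fmt=fmt)
        Path(tmp, "d.plist").write_bytes(b"<?xml version='1.0'?><plist><dict>")  # truncated file
        return items_matching_prefix([tmp], "com.myexamplecompany")

if __name__ == "__main__":
    # On a Mac, audit the real folders with items_matching_prefix(LAUNCHD_DIRS, prefix).
    for label, exe in demo():
        print(f"{label}\t{exe}")
```

The label is only a string in the plist, so review the executable path listed beside each match and its code signature before locking the item.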

Identifying all of the current login and background items configured on a Mac solely using what is shown in the System Settings interface might be challenging. Fortunately, it’s also possible to explore the configuration in Terminal with the command sudo sfltool dumpbtm. That will provide more detailed information about each item, its parent, the location of the item, and more. We don’t have the space here to go through the full output of that command, but mapping it to what is shown in System Settings is straightforward. Apple also has provided additional documentation in Apple Platform Deployment.

Learn all about configuring Kandji’s new Login & Background Items library item in this support article. Note that Kandji will not install a Login & Background Items library item on a Mac until it is running macOS Ventura or later. Note also that Kandji itself is automatically configured so it can’t be turned off by users in System Settings; learn more about that in this support article. And if one of Kandji’s Auto Apps includes login or background items, Kandji automatically disallows users from being able to turn them off.

About Kandji

Kandji offered support for macOS Ventura the day Apple released it. The Kandji team is constantly working on solutions to streamline your workflow and secure all of your Apple devices. With powerful and time-saving features such as zero-touch deployment, one-click compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace.

Request access to Kandji today.

 
