First of all: I want to thank everybody who actively contributes in the Appleseed Macadmins Slack channel and everybody who filled feedback to Apple using the Appleseed for IT program! It’s always a scary time when Apple releases their new macOS beta versions in June after the WWDC and we (Mac admins) discover tons of “little challenges” where no management solution is in place yet.
There are probably a handful of articles written and published for Apple Managed Login Items this week with the release of macOS Ventura. If you followed the Macadadmins Slack in the Appleseed for IT channel you probably read some recommendations what the “best” or “safest” option is to create a login items profile. There are a couple options to choose from to manage the toggle switch for the login/launchd item: BundleIdentifier, BundleIdentifierPrefix, Label, LabelPrefix and TeamIdentifier. The last one (TeamIdentifier) is considered the most “secure” way, because it checks vendors developer ID.
For some items I used the TeamIdentifier, for example the Adobe and Microsoft stuff as you can see in the snippet below:
But doing this I stumbled on a caveat.
Not only are the launchd items managed, but also the applications you want to auto start when you login to your Mac. Users can freely add prefered applications to this list, like I did with Photoshop and Word:
You notice they are “greyed out”. We all know what that means: It’s managed by your sysadmin! This results to the user who can’t remove Photoshop or MS Word anymore from its own personal added items in the list.
I have some doubts this “works as designed”. But if you don’t agree how this is implemented by Apple, please file feedback using the Appleseed for IT program!
Patrick van Nerum’s blog 