macOSLAPS
macOS 13 Lists macOSLAPS Launch Daemon as "Joshua Miller"
macOS 13's first beta just dropped, and one of the changes is that now Launch Daemons show up in System Preferences > General > Login Items. It looks like the one used by macOSLAPS is listed in there as "Joshua Miller" instead of something related to the program itself.
Very small issue but may be worth addressing in a future release.
So I realize that macOS 13 is under NDA so we may not be able to start addressing this until a "public beta". I would need to determine where the option is that dictates that particular piece for the launchdaemon.
Public beta is out.
The Launch Services pane is picking it up from the Apple Developer Signing Certificate. It's not just you; any other individual developer would be affected by this.
There's three solutions to consider:
- Login Items management. In late June, feedback was filed by dozens of Mac admins, who asked Apple to suppress the notifications and lock the switches for 'required' services installed by MDM. That way, users cannot turn off required Login Items (LaunchDaemons / Agents), and they won't be bombarded by dozens of notifications for login items. If the items are locked, users should not be responsible to acknowledge or dismiss the notifications in the first place so don't bother displaying them.
- Set up an Apple Developer account as a business. Obviously this is $$$$ and headache and not justifiable for an open source project.
- File feedback and call Apple WWDR to request the ability to display a 'd.b.a.' instead of your personal name. For privacy reasons a developer might not want their full first and last name attached to their projects.
Apple has additional information on this and what is required here now: https://developer.apple.com/documentation/servicemanagement/updating_helper_executables_from_earlier_versions_of_macos/
Note this paragraph specifically:
If a legacy LaunchAgent or LaunchDaemon doesn’t have the AssociatedBundleIdentifiers key in its property list, instead of the app name, System Settings displays the organization name in the app’s signing certificate.
Ah so it looks like we just need to update the LaunchDaemon to have that key
This key currently does not work in the latest developer beta. I have submitted Feedback and am hoping to hear a solution soon.
Good to know! I was also poking at it at one point and had similarly bad luck.
Perhaps related, but I was also unable to provide a managed login item MDM profile referring to the Bundle Identifier and instead had to go for the label.
For example, the below works, but using RuleType of BundleIdentifier with value edu.psu.macOSLAPS did not work last I tried. Perhaps some kind of different behavior when the bundle ID is referring to a binary instead of an application?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Test for always enabling and silencing login item notifications for macOS LAPS</string>
            <key>PayloadDisplayName</key>
            <string>Login Items</string>
            <key>PayloadIdentifier</key>
            <string>41F0715B-DB11-4805-B27A-491C744C3BBD.login.E066C17E-2D5C-4214-8169-ECB4CF64AB6C</string>
            <key>PayloadUUID</key>
            <string>E066C17E-2D5C-4214-8169-ECB4CF64AB6C</string>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
            <key>PayloadOrganization</key>
            <string>Test</string>
            <key>Rules</key>
            <array>
                <dict>
                    <key>RuleType</key>
                    <string>Label</string>
                    <key>RuleValue</key>
                    <string>edu.psu.macoslaps-check</string>
                    <key>Comment</key>
                    <string>macOS LAPS</string>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Test for always enabling and silencing login item notifications for macOS LAPS</string>
    <key>PayloadDisplayName</key>
    <string>Login Items - Jamf for Ventura Test</string>
    <key>PayloadIdentifier</key>
    <string>41F0715B-DB11-4805-B27A-491C744C3BBD</string>
    <key>PayloadUUID</key>
    <string>41F0715B-DB11-4805-B27A-491C744C3BBD</string>
    <key>PayloadOrganization</key>
    <string>Test</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
@joshua-d-miller did you get any feedback for this issue? The issue still remains in beta 10 (!) (it looks like Apple did not implement this feature yet: https://developer.apple.com/forums/thread/713493 )
I have feedback submitted but nothing back from them just yet. I just did a remove of LAPS, pkgutil forgetting and unloading and removing the launch daemon and using my latest Release Candidate to install. I've only posted it in Slack but will be putting it out here at some point today or tomorrow.
As of the latest macOS Beta, the popup no longer displays in the latest release of macOSLAPS 3.0.2. You will however still see Joshua Miller in the Login Items as I believe according to Apple that this is expected behavior. Please try the latest release and report back the results.
Unfortunately it looks like it is still popping that notification on clean installs of macOS 13 RC
Looks like Jamf 10.42 now supports managing this via a configuration profile, though it doesn't currently display it. Here's their technical article for creating and uploading a cert to handle it. Maybe adding a template for people to use to manage it could help address this? https://docs.jamf.com/technical-articles/Uploading_a_Configuration_Profile_for_Managed_Login_Items.html
Thanks for looking at this. I know it’s a bit of a pain :(
Unfortunately given the way Apple has crafted this, it would involve me signing macOSLAPS with a completely new certificate that would break those who currently are using LAPS with the current signing certificate. Since the notifications can be hidden AND you can lock the LaunchDaemon from being disabled, I would say configuration profile is probably your best bet to resolve this. I hope to document this in the Wiki over the holiday break.
Sorry to chime in on a closed issue, but I believe AssociatedBundleIdentifiers could work to help with this. The catch is that I think that needs to refer to some app bundle that's signed with the same Developer ID as the executable referenced in the Program or ProgramArguments of the LaunchDaemon.
So, it's kinda silly, but you could create a dummy do-nothing app (or an app bundle wrapper that the actual macOSLAPS binary lives within) with the name "macOS LAPS" and a nice icon that's signed with your Dev ID and that could be deployed along with the macOSLAPS binary and the app's Bundle ID could be specified as the AssociatedBundleIdentifier in the LaunchDaemon, then that app name and icon will be displayed in the notification and the background items list.
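
An added example, not part of the thread or the macOSLAPS project: a small audit that ties together the two approaches discussed above, the managed login items profile with a Label rule and the AssociatedBundleIdentifiers key quoted from Apple's documentation. The embedded plists are constructed samples; the program path is a placeholder, and treating LabelPrefix as a plain string prefix match is an assumption.

```python
import plistlib

# Constructed sample: a LaunchDaemon plist using the label from the thread.
# The program path is a placeholder, not the project's real install path.
DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>edu.psu.macoslaps-check</string>
  <key>ProgramArguments</key><array><string>/path/to/macOSLAPS</string></array>
</dict></plist>"""

# Constructed sample: the profile from the thread, trimmed to the rule payload.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.servicemanagement</string>
    <key>Rules</key><array><dict>
      <key>RuleType</key><string>Label</string>
      <key>RuleValue</key><string>edu.psu.macoslaps-check</string>
    </dict></array>
  </dict></array>
</dict></plist>"""

def login_item_rules(profile_bytes):
    """Yield (RuleType, RuleValue) for each managed login item rule in a profile."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.servicemanagement":
            continue  # other payload types carry no login item rules
        for rule in payload.get("Rules", []):
            yield rule.get("RuleType"), rule.get("RuleValue", "")

def audit(daemon_bytes, profile_bytes):
    """Report which rules cover the daemon's label and what name it will show."""
    daemon = plistlib.loads(daemon_bytes)
    label = daemon.get("Label", "")
    matched = [
        (rtype, value) for rtype, value in login_item_rules(profile_bytes)
        if (rtype == "Label" and value == label)
        or (rtype == "LabelPrefix" and value and label.startswith(value))
    ]
    bundle_ids = daemon.get("AssociatedBundleIdentifiers", [])
    if isinstance(bundle_ids, str):  # accept a single string or an array
        bundle_ids = [bundle_ids]
    return {
        "label": label,
        "managed_by_rules": matched,
        # Per the Apple paragraph quoted above: no key, signer's org name shown.
        "falls_back_to_signer_name": not bundle_ids,
        "associated_bundle_ids": bundle_ids,
    }
```

The audit reads only the plists. It does not check that an associated bundle exists on disk or that it is signed with the same Developer ID as the daemon's executable, which the last comment suggests is required.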