Manage macOS Sensor as a Login Item using MDM

Starting with macOS Ventura, Apple allows users to enable or disable services such as Cyberhaven under General > Settings > Login Items.

This change from Apple is impacting all login items, not just Cyberhaven.

This documentation article will walk you through how to configure Cyberhaven as a managed login item so that you can prevent users from disabling Cyberhaven as a login item. The last part of the help article will mention the notifications for background items.

NOTE

1. Deploying this MDM profile is optional.

2. This MDM feature (configuring managed login items) is not supported by macOS versions before Ventura. Please check with your MDM if it can selectively apply this profile only to Ventura hosts.

3. This profile is not included in the Cyberhaven MDM profile that is available in your Cyberhaven dashboard.

4. 1. Deploying this MDM profile is optional.
5. 2. This MDM feature (configuring managed login items) is not supported by macOS versions before Ventura. Please check with your MDM if it can selectively apply this profile only to Ventura hosts.
6. 3. This profile is not included in the Cyberhaven MDM profile that is available in your Cyberhaven dashboard.

Option 1 - Using Jamf Managed Login Items

For MDMs that support creating configuration profiles Managed Login Items, you can use the UI to create a managed login items configuration profile. This was tested in Jamf Pro version 10.46.

1. Go to Computers -> Configuration Profiles -> New to create a new profile.

2. Go to the Managed Login Items section and add a rule based on team identifier 6KKW3K37TU*.*

   

After saving, the profile should look as follows.

Option 2: Using Kandji Login & Background Items Library Item

If you are running Kandji in your environment, then you can create a new configuration profile to manage Cyberhaven as a login item.

1. Go to Library > Login and Background items and add a new background item.

2. Add an item based on team identifier 6KKW3K37TU.

   

After saving, the profile should look as follows.

Option 3: Using JumpCloud Managed Login Items

If you are running JumpCloud in your environment, then you can create a new configuration profile to manage Cyberhaven as a login item.

1. In the JumpCloud Admin Portal, navigate to Device Management > Policy Management.

2. Click on the plus (+) symbol to create a new policy.

3. Under the Mac section, search for Managed Login Items and select Configure.

4. Enter a policy name and optional policy description.

5. Select the rule type as Team Identifier with a rule value 6KKW3K37TU.

   

6. Select the devices where you want to apply this policy.

7. Click Save.

Option 4: Generate the Managed Login Items profile manually

Use this option if your MDM provider does not have the option to configure Managed Login items from the UI.

The MDM profile requires four universally unique identifiers (UUIDs) generated through a tool such as uuidgen. You must paste the four UUID strings in the MDM profile before saving the profile.

1. Copy the following MDM profile to a notepad.

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-/Apple/DTD PLIST 1.0/EN" "http://www.apple.com/
   DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
       <dict>
           <key>PayloadContent</key>
           <array>
               <dict>
                   <key>PayloadDescription</key>
                   <string> Cyberhaven login items configuration profile </string>
                   <key>PayloadDisplayName</key>
                   <string> Cyberhaven Background Service Management </string>
                   <key>PayloadIdentifier</key>
                   <string> Note: use `uuidgen` to generate a unique identifier and paste it here </string>
                   <key>PayloadUUID</key>
                   <string> Note: use `uuidgen` to generate a unique identifier, different from the one above, and paste it here </string>
                   <key>PayloadType</key>
                   <string>com.apple.servicemanagement</string>
                   <key>PayloadOrganization</key>
                   <string> Note: Your company name </string>
                   <key>Rules</key>
                   <array>
                       <dict>
                           <key>RuleType</key>
                           <string>TeamIdentifier</string>
                           <key>RuleValue</key>
                           <string>6KKW3K37TU</string>
                           <key>Comment</key>
                           <string>Cyberhaven</string>
                       </dict>
                       <dict>
                           <key>RuleType</key>
                           <string>BundleIdentifier</string>
                           <key>RuleValue</key>
                           <string>io.cyberhaven.lightbeam</string>
                           <key>Comment</key>
                           <string>Cyberhaven bundle ID</string>
                       </dict>
                   </array>
               </dict>
           </array>
           <key>PayloadDisplayName</key>
           <string> Cyberhaven login items configuration profile. </string>
           <key>PayloadIdentifier</key>
           <string> Note: use `uuidgen` to generate a unique identifier, different from the one above, and paste it here </string>
           <key>PayloadUUID</key>
           <string> Note: use `uuidgen` to generate a unique identifier, different from the one above, and paste it here </string>
           <key>PayloadType</key>
           <string>Configuration</string>
           <key>PayloadScope</key>
           <string>System</string>
       </dict>
   </plist>

2. Paste the four UUID strings to replace the following note.Note: use uuidgen to generate a unique identifier, different from the one above, and paste it here

3. Save the notepad as a .mobileconfig file and upload the file as a configuration profile to your MDM. For example, if you are using Jamf, then navigate to Computers > Configuration Profiles and click Upload.

   

4. Click on the Scope tab to edit the scope of deployment so that the profile can be deployed to your fleet of macOS computers.

   

Cyberhaven will now show under Login Items as an application managed by your organization. End users will not be able to disable it.

Read more about managing Login Items from the following reference links.

• https://docs.jamf.com/technical-articles/Uploading_a_Configuration_Profile_for_Managed_Login_Items.html
• https://macblog.org/manage-custom-login-items/
• https://support.apple.com/en-gb/guide/deployment/depdca572563/web
• https://support.apple.com/en-gb/guide/deployment/dep07b92494/1/web/1.0

Notifications for Background Items Added

Since macOS Ventura, Apple introduced a system to notify when background items that automatically start at login time are added.

If you deployed the MDM profile above that sets up Cyberhaven as a managed login item, then the notification will read "Managed Login Items Added":

Without the MDM profile, the notification will look slightly different and will mention that Cyberhaven was set up as a login item:

Note that this notification may appear periodically. There is a known issue in some versions of macOS Ventura that can lead to a large number of notifications, you can read more about it on this external link: https://www.macrumors.com/2023/02/02/macos-background-items-added-notification-bug/

There is also the option to use MDM to silence all notifications from all login items. Please consider the security implications of enabling this setting. You can read more about this at this external link https://n8felton.wordpress.com/2022/10/24/login-and-background-item-management-in-macos-ventura-13/

Change Log

• Updated on 01/23/2025: New section added, "Option 3: Using JumpCloud Managed Login Items".