Starting in macOS Ventura (13), Apple introduced the Service Management profile, which allows administrators to silently approve Login Items and background services on managed devices. Without this profile, users will be prompted to allow background items each time new software adds one — and can manually disable them. Deploying the Service Management Device Setting prevents both of those interruptions.
Overview
When software is installed on macOS Ventura or later and adds a Login Item or background service, the OS notifies the user and allows them to disable it via System Settings > Login Items & Extensions. The Service Management Device Setting silently pre-approves specific Login Items by Team ID or Bundle ID, so users are never prompted and cannot toggle them off.
Note: This Device Setting requires macOS 13 (Ventura) or later.
Example notification:
How to Create the Device Setting
- Navigate to Catalog > Device Settings and click New.
- Select Service Management from the settings list.
- Enter a Payload Name to identify the Device Setting.
- Select the identifier type from the Rule Type dropdown:
-
Bundle Identifier — approves a specific application (e.g.,
com.example.app) - Team Identifier — approves all Login Items signed by a specific developer
-
Bundle Identifier — approves a specific application (e.g.,
- Paste the identifier into the Rule Value field.
- (Optional) Enter a Team Identifier as an additional constraint to limit the scope of the rule.
- (Optional) Add a Comment to describe the rule for future reference.
- Click Add Rule to save the entry. Repeat for each app or service that needs to be approved.
- Click Create Profile, then assign it to the appropriate policy.
Need the Team ID or Bundle ID for your app? See How to Get the Team ID, Bundle ID, and Code Requirement for instructions on finding these values.