macOS Ventura Deployment Support - Managed Login Items?

Wondering what the timeframe is for guidance/support for deployments of the Solarwinds Discovery Agent to macOS Ventura?

The Agent is installing okay-ish* on macOS Ventura 13.0, but the Agent is throwing a service management Login Items message about Ruby and I can't get the background service fully managed.

There's no TeamID for the executables, so I can only use the Label as shown in the launch daemon to try to manage the Login Item. This is not successful, and the end user has the ability to turn off the background item and presumably kill the Agent's ability to report in.

The screenshot below shows the ruby background item that has been turned off by the end user on the computer, along with other login items that have been properly managed and cannot be toggled.

Indeed, with Ruby in this state, when I try to do a forced inventory update from the agent, Apple system profiler throws an error and while the command claims "done!" the results do not show up in SWSD audit for the device.

*The applications still report "code object is not signed at all" when checking with the codesign command, and the permissions are . . . nonstandard for the locations where they end up.

  • Hey Jonson,

    Can you please explain what you are doing, step be step and what is the error that you are getting ? 

    Thanks 

    Rinat Gil

    Senior Product Manager

  • I am trying to set up control of background services in macOS Ventura, which are shown to end users in System Preferences along with the ability to turn off the service. In order to prevent users from turning off necessary background services -- like asset management clients -- a configuration profile is used to lock down the settings. I'm trying to find settings that will allow me to lock out the user from turning off the Solarwinds Discovery Agent.

    Apple documentation https://support.apple.com/guide/deployment/managed-login-items-payload-settings-dep07b92494/1/web/1.0

    The Solarwinds Discovery Agent's ruby executable shows up as a login item, as seen in the image I shared. If it's turned off by the user, it breaks inventory. I am forced to try to set up the management of the login item by the Label (com.solarwinds.discoveryagent) instead of the TeamID, as none of the Discovery Agent components appear to be signed. This doesn't work, however.

    All of the items in my profile for other applications that I've been able to specify with TeamIDs are functioning properly -- the control is greyed out for the user. The SW Discovery Agent is not compliant.

    The steps are:

    1. Observe that a login item "ruby - item from unidentified developer" appears after install of Solarwinds Discovery Agent on macOS Ventura
    2. Create a profile for the domain com.apple.servicemanagement
    3. Search in vain for a TeamID for Solarwinds Discovery Agent
    4. Find the Label in the Solarwinds Discovery Agent launch daemon
    5. Add a rule to the profile with Label as the Type and com.solarwinds.discoveryagent as the value
    6. Apply profile to computer with Solarwinds Discovery Agent installed, running macOS Ventura
    7. Observe that the ruby login item fails to be managed by the profile
  • Hey Johnson, Thanks for your response.


    Ruby software must run in the background as part of the Discovery Agent. 

    The Discovery agent is a compliance and uses the ruby process in the background. The ruby process background will be added as a signed on so that it will not showed as unidentified developer. 

    Our team is currently working on this issue. Will update. 

    Maybe you can use the Active Directory GPO to avoid the users in your organization to have the ability to turn off the service.

  • Active Directory GPO is for domain-bound devices. This is for MDM-managed Macs, and I am attempting to use the Apple native and supported method for controlling the behavior. I can't use AD GPO.

    It might be a good idea for the development team to start looking at pre-release versions of macOS every year. The new features are always announced in June at Apple's WorldWide Developer's Conference, so developers have roughly four months to make updates and test.

    I'll wait for an update and mark this as partially functioning in my testing. I am interested to see what happens if a user turns off the login item for ruby, then we later get an update that allows full management of the login item, if the updated agent's ruby will automatically get turned on and be locked out, or if we need some other action to re-enable the agent's ruby (besides updating my configuration profile with the TeamID). Customers will need to know this.

    Thanks.