macOS Ventura Deployment Support - Managed Login Items?

Wondering what the timeframe is for guidance/support for deployments of the Solarwinds Discovery Agent to macOS Ventura?

The Agent is installing okay-ish* on macOS Ventura 13.0, but the Agent is throwing a service management Login Items message about Ruby and I can't get the background service fully managed.

There's no TeamID for the executables, so I can only use the Label as shown in the launch daemon to try to manage the Login Item. This is not successful, and the end user has the ability to turn off the background item and presumably kill the Agent's ability to report in.

The screenshot below shows the ruby background item that has been turned off by the end user on the computer, along with other login items that have been properly managed and cannot be toggled.

Indeed, with Ruby in this state, when I try to do a forced inventory update from the agent, Apple system profiler throws an error and while the command claims "done!" the results do not show up in SWSD audit for the device.

*The applications still report "code object is not signed at all" when checking with the codesign command, and the permissions are . . . nonstandard for the locations where they end up.

  • Hey Jonson,

    Can you please explain what you are doing, step by step, and what is the error that you are getting?

    Thanks 

    Rinat Gil

    Senior Product Manager

  • I am trying to set up control of background services in macOS Ventura, which are shown to end users in System Preferences along with the ability to turn off the service. In order to prevent users from turning off necessary background services -- like asset management clients -- a configuration profile is used to lock down the settings. I'm trying to find settings that will allow me to lock out the user from turning off the Solarwinds Discovery Agent.

    Apple documentation https://support.apple.com/guide/deployment/managed-login-items-payload-settings-dep07b92494/1/web/1.0

    The Solarwinds Discovery Agent's ruby executable shows up as a login item, as seen in the image I shared. If it's turned off by the user, it breaks inventory. I am forced to try to set up the management of the login item by the Label (com.solarwinds.discoveryagent) instead of the TeamID, as none of the Discovery Agent components appear to be signed. This doesn't work, however.

    All of the items in my profile for other applications that I've been able to specify with TeamIDs are functioning properly -- the control is greyed out for the user. The SW Discovery Agent is not compliant.

    The steps are:

    1. Observe that a login item "ruby - item from unidentified developer" appears after install of Solarwinds Discovery Agent on macOS Ventura
    2. Create a profile for the domain com.apple.servicemanagement
    3. Search in vain for a TeamID for Solarwinds Discovery Agent
    4. Find the Label in the Solarwinds Discovery Agent launch daemon
    5. Add a rule to the profile with Label as the Type and com.solarwinds.discoveryagent as the value
    6. Apply profile to computer with Solarwinds Discovery Agent installed, running macOS Ventura
    7. Observe that the ruby login item fails to be managed by the profile
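The profile from steps 2 to 5 above can be generated rather than hand-edited, so the rule value is copied exactly from the launch daemon's own `Label` key. This is an added example, not part of the original post and not SolarWinds code; the sample launch daemon plist is constructed, the `com.example` identifiers are placeholders, and the rule types are those listed for the `com.apple.servicemanagement` payload in the Apple documentation linked in the post.

```python
import plistlib
import uuid

# Rule types accepted by the com.apple.servicemanagement payload.
RULE_TYPES = {"BundleIdentifier", "BundleIdentifierPrefix", "Label",
              "LabelPrefix", "TeamIdentifier"}

# Constructed launch daemon plist: only the Label comes from the post;
# the program path is a placeholder, not the agent's real install path.
SAMPLE_LAUNCHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.solarwinds.discoveryagent</string>
  <key>ProgramArguments</key><array><string>/path/to/ruby</string></array>
</dict></plist>"""


def label_rule(launchd_plist: bytes, comment: str = "") -> dict:
    """Steps 4-5: read Label from the job's plist and wrap it in a rule."""
    label = plistlib.loads(launchd_plist).get("Label")
    if not isinstance(label, str) or not label.strip():
        raise ValueError("launchd plist has no usable Label key")
    return {"RuleType": "Label", "RuleValue": label, "Comment": comment}


def build_profile(rules: list, prefix: str = "com.example") -> bytes:
    """Step 2: wrap the rules in a system-scope configuration profile."""
    for rule in rules:
        if rule.get("RuleType") not in RULE_TYPES or not rule.get("RuleValue"):
            raise ValueError(f"invalid rule: {rule!r}")
    payload = {
        "PayloadType": "com.apple.servicemanagement",
        "PayloadIdentifier": f"{prefix}.loginitems.rules",  # hypothetical id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Rules": rules,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{prefix}.loginitems",  # hypothetical id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "Managed Login Items",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    rule = label_rule(SAMPLE_LAUNCHD_PLIST, "Discovery Agent launch daemon")
    print(build_profile([rule]).decode())
```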
  • Hey Johnson, Thanks for your response.


    Ruby software must run in the background as part of the Discovery Agent. 

    The Discovery agent is a compliance and uses the ruby process in the background. The ruby process background will be added as a signed on so that it will not be shown as unidentified developer. 

    Our team is currently working on this issue. Will update. 

    Maybe you can use the Active Directory GPO to prevent the users in your organization from having the ability to turn off the service.
