macOS Catalina will prompt users to allow Notifications from each app that makes a request. Administrators can manage these prompts using a Configuration Profile. If running Jamf Pro 10.19 or later, I suggest instead using this manifest: https://github.com/talkingmoose/jamf-manifests/blob/master/macOS%20Notifications%20(com.apple.notificationset…

Manage App Notifications.bash

#!/bin/bash

<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------

	Written by:William Smith
	Professional Services Engineer
	Jamf
	bill@talkingmoose.net
	https://gist.github.com/talkingmoose/9faf50deaaefafa9a147e48ba39bb4b0
	Reference: https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem
	
	Originally posted: October 5, 2019
	Last updated: October 16, 2019

	Purpose: Create configuration profiles to manage app notifications.
	Upload the configuration profile to Jamf Pro or save to your desktop.
	
	Instructions: Run the script with help, -h or --usage for help.

	Except where otherwise noted, this work is licensed under
	http://creativecommons.org/licenses/by/4.0/

	"Fortune makes promises to many, keeps them to none.
	Live for each day, live for the hours, since nothing is forever yours."
	
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT


# Jamf Pro URL and credentials
URL="https://jamfproserver.talkingmoose.net:8443"
userName="API-Editor"
password="P@55w0rd"

organizationName="Talking Moose Industries"


# -- set some variables for the rest of the script ----------------------------

# regular expression for "help" and "usage"
regHelp="^-?-?[Hh]([Ee][Ll][Pp])?|[Uu]([Ss][Aa][Gg][Ee])?$"

# regular expressions for "true" and "false"
regTrue="^[Tt]([Rr][Uu][Ee])?|[Yy]([Ee][Ss])?$"
regFalse="^[Ff]([Aa][Ll][Ss][Ee])?|[Nn]([Oo])?$"

# regular expressions for "upload" and "save"
regUpload="^[Uu]([Pp][Ll][Oo][Aa][Dd])?$"
regSave="^[Ss]([Aa][Vv][Ee])?$"
regBoth="^[Bb]([Oo][Tt][Hh])?$"

# regular expressions for "none", "banners" and "alerts"
regNone="^[Nn]([Oo][Nn][Ee])?$"
regBanners="^[Bb]([Aa][Nn][Nn][Ee][Rr][Ss])?$"
regAlerts="^[Aa]([Ll][Ee][Rr][Tt][Ss])?$"

# generate two UUIDs for configuration profile payload identifiers
PayloadUUID1=$( /usr/bin/uuidgen )
PayloadUUID2=$( /usr/bin/uuidgen )

appDicts=""


# -- display usage information or parse app path for information --------------

appPath="$1"

if [[ "$appPath" =~ ${regHelp} ]]; then
	echo
	echo "Manage App Notifications

Purpose:       Create configuration profiles to manage app notifications
               Upload the configuration profile to Jamf Pro or save to your desktop
			   
Configuration: To upload to your Jamf Pro server, edit these lines before running the script.
               The API-Editor account needs the Create privilege for macOS Configuration Profiles in Jamf Pro

               URL=\"https://jamfproserver.talkingmoose.net:8443\"
               userName=\"API-Editor\"
               password=\"P@55w0rd\"
               
               organizationName=\"Talking Moose Industries\"

Usage:         \"$0\" [/path/to/application]

               Questions are followed by allowed responses with [default] responses in brackets.
               Responses are case insensitive and accept the first letter or entire word.
               Press return to accept the default response.
			   
Example:       $ \"$0\"

               Path to managed app (drag app into this Terminal window): /Applications/FaceTime.app
               
               ...

               or

               $ \"$0\" /Applications/FaceTime.app
               
               Allow Notifications from FaceTime ( [Yes] No ): Yes

               FaceTime alert style ( None [Banners] Alerts ): A
               Show notifications on lock screen ( [Yes] No ): n
               Show in Notification Center ( [Yes] No ): true
               Badge app icon ( [Yes] No ):  
               Play sound for notifications ( [Yes] No ): NO
               Critical Alerts Enabled ( Yes [No] ): FALSE
               
               Add another app ( [Yes] No ): n

               Upload to Jamf Pro or Save to Desktop? ( Both [Upload] Save ): U

               Your new Notifications configuration profile for FaceTime was uploaded to Jamf Pro and is ready for scoping.

               Would you like to view the profile now? ( [Yes] No ): yes"
	echo
	exit 0
else
	appBundleID=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleIdentifier 2>/dev/null )
	appExecutable=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleExecutable 2>/dev/null )
	appExecutableString=$( /usr/bin/sed -e 's/ /./g' <<< "$appExecutable" )
fi


function getApp	{

	# -- request path to managed app if no app path provided ----------------------
	
	while [[ "$appExecutable" = "" ]];
	do
		echo
		read -p "Path to managed app (drag app into this Terminal window): " appPath
		appBundleID=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleIdentifier 2>/dev/null )
		appExecutable=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleExecutable 2>/dev/null )
		appExecutableString=$( /usr/bin/sed -e 's/ /./g' <<< "$appExecutable" )
	done

}


function getNotificationsEnabled	{

	# -- choose notificationsEnabled ----------------------------------------------

	while [[ ! "$notificationsEnabled" =~ ${regTrue} && ! "$notificationsEnabled" =~ ${regFalse} ]];
	do
		echo
		read -p "Allow Notifications from $appExecutable ( [Yes] No ): " notificationsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		notificationsEnabled=${notificationsEnabled:-true}
	done


	if [[ "$notificationsEnabled" =~ ${regTrue} ]]; then
		notificationsEnabled="true"
	else
		notificationsEnabled="false"
	fi
}


function getAlertType	{

	# -- choose alertType ---------------------------------------------------------

	while [[ ! "$alertType" =~ ${regNone} && ! "$alertType" =~ ${regBanners} && ! "$alertType" =~ ${regAlerts} && "$notificationsEnabled" = "true" ]];
	do
		echo
		read -p "$appExecutable alert style ( None [Banners] Alerts ): " alertType # none, banners or alerts, case insensitive, first letter accepted, return to accept default
		alertType=${alertType:-Banners}
	done


	if [[ "$alertType" =~ ${regNone} ]]; then
		alertType="0"
	elif [[ "$alertType" =~ ${regBanners} ]]; then
		alertType="1"
	else
		alertType="2"
	fi
}


function getShowInLockScreen	{

	# -- choose showInLockScreen --------------------------------------------------

	while [[ ! "$showInLockScreen" =~ ${regTrue} && ! "$showInLockScreen" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Show notifications on lock screen ( [Yes] No ): " showInLockScreen # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		showInLockScreen=${showInLockScreen:-true}
	done


	if [[ "$showInLockScreen" =~ ${regTrue} ]]; then
		showInLockScreen="true"
	else
		showInLockScreen="false"
	fi
}


function getShowInNotificationCenter	{

	# -- choose showInNotificationCenter ------------------------------------------

	while [[ ! "$showInNotificationCenter" =~ ${regTrue} && ! "$showInNotificationCenter" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Show in Notification Center ( [Yes] No ): " showInNotificationCenter # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		showInNotificationCenter=${showInNotificationCenter:-true}
	done


	if [[ "$showInNotificationCenter" =~ ${regTrue} ]]; then
		showInNotificationCenter="true"
	else
		showInNotificationCenter="false"
	fi
}


function getBadgesEnabled	{

	# -- choose badgesEnabled -----------------------------------------------------

	while [[ ! "$badgesEnabled" =~ ${regTrue} && ! "$badgesEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Badge app icon ( [Yes] No ): " badgesEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		badgesEnabled=${badgesEnabled:-true}
	done


	if [[ "$badgesEnabled" =~ ${regTrue} ]]; then
		badgesEnabled="true"
	else
		badgesEnabled="false"
	fi
}


function getSoundsEnabled	{

	# -- choose soundsEnabled -----------------------------------------------------

	while [[ ! "$soundsEnabled" =~ ${regTrue} && ! "$soundsEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Play sound for notifications ( [Yes] No ): " soundsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		soundsEnabled=${soundsEnabled:-true}
	done


	if [[ "$soundsEnabled" =~ ${regTrue} ]]; then
		soundsEnabled="true"
	else
		soundsEnabled="false"
	fi
}


function getCriticalAlertsEnabled	{

	# -- choose criticalAlertsEnabled (does not appear in GUI) --------------------

	while [[ ! "$criticalAlertsEnabled" =~ ${regTrue} && ! "$criticalAlertsEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Critical Alerts Enabled ( Yes [No] ): " criticalAlertsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		criticalAlertsEnabled=${criticalAlertsEnabled:-false}
	done


	if [[ "$criticalAlertsEnabled" =~ ${regTrue} ]]; then
		criticalAlertsEnabled="true"
	else
		criticalAlertsEnabled="false"
	fi
}

function uploadProfile	{

		# upload to Jamf Pro
		profilePayload=$( /usr/bin/xmllint --noblanks - <<< "$mobileconfig" | /usr/bin/sed -e 's/</\&lt;/g' -e 's/>/\&gt;/g' )
		profileXML="<os_x_configuration_profile>
	  <general>
		<name>Managed Notifications</name>
		<description>
		  <string>Manage Notifications settings.</string>
		</description>
		<site/>
		<category/>
		<distribution_method>Install Automatically</distribution_method>
		<user_removable>false</user_removable>
		<level>computer</level>
		<uuid>$PayloadUUID2</uuid>
		<payloads>$profilePayload</payloads>
	  </general>
	</os_x_configuration_profile>"

		# flatten the XML for the configuration profile to upload to Jamf Pro
		flatXML=$( /usr/bin/xmllint --noblanks - <<< "$profileXML" )
	
		# upload and create configuration profile
		result=$( /usr/bin/curl "$URL/JSSResource/osxconfigurationprofiles/id/0" \
		--silent \
		--insecure \
		--write-out "%{http_code}" \
		--user "$userName":"$password" \
		--header "Content-Type: text/xml" \
		--request POST \
		--data "$flatXML" 2>&1 )
	
		# evaluate HTTP status code
		resultStatus=${result: -3}
	
		if [[ $resultStatus = 201 ]]; then # 201 is successful
			echo
			echo "Your new Notifications configuration profile for $appExecutable was uploaded to Jamf Pro and is ready for scoping."
		
			# -- offer to open configuration profile in Jamf Pro ------------------

			while [[ ! "$openProfile" =~ ${regTrue} && ! "$openProfile" =~ ${regFalse} ]];
			do
				echo
				read -p "Would you like to view the profile now? ( [Yes] No ): " openProfile # true, false, yes or no; case insensitive, first letter accepted, return to accept default
				openProfile=${openProfile:-true}
			done


			if [[ "$openProfile" =~ ${regTrue} ]]; then
				resultXML=${result%???}
				profileID=$( /usr/bin/xpath '/os_x_configuration_profile/id/text()' <<< "$resultXML" 2>/dev/null )
				/usr/bin/open "$URL/OSXConfigurationProfiles.html?id=$profileID&o=r"
			fi
		
		else
			echo
			echo "Unable to upload your new Notifications configuration profile for $appExecutable [Response code: $resultStatus]."
			echo
			echo "CODE	DESCRIPTION
	000	Check server URL in script
	200	Request successful
	201	Request to create or update object successful
	400	Bad request. Verify the syntax of the request specifically the XML body.
	401	Authentication failed. Verify the credentials being used for the request.
	403	Invalid permissions. Verify the account being used has the proper permissions for the object/resource you are trying to access.
	404	Object/resource not found. Verify the URL path is correct.
	409	Conflict. Delete existing profile \"Set $appExecutable notifications\" first.
	500	Internal server error. Retry the request or contact Jamf support if the error is persistent."
		fi
}

function saveProfile	{
	echo
	echo "$mobileconfig" > "$HOME/Desktop/Managed Notifications.mobileconfig"
	echo "Your new Notifications configuration profile was saved to your desktop."
}


# -- ask for another app --------------------------------------------------

while [[ ! "$addApp" =~ ${regFalse} ]];
do
	getApp
	
	if [[ $appList = *"$appBundleID"* ]]; then
		echo
		echo "This app is already added to the list."
	else
		getNotificationsEnabled
		getAlertType
		getShowInLockScreen
		getNotificationsEnabled
		getShowInNotificationCenter
		getBadgesEnabled
		getSoundsEnabled
		getCriticalAlertsEnabled
	
		appDicts="$appDicts
					<dict>
						<key>AlertType</key>
						<integer>$alertType</integer>
						<key>BadgesEnabled</key>
						<$badgesEnabled/>
						<key>BundleIdentifier</key>
						<string>$appBundleID</string>
						<key>CriticalAlertEnabled</key>
						<$criticalAlertsEnabled/>
						<key>NotificationsEnabled</key>
						<$notificationsEnabled/>
						<key>ShowInLockScreen</key>
						<$showInLockScreen/>
						<key>ShowInNotificationCenter</key>
						<$showInNotificationCenter/>
						<key>SoundsEnabled</key>
						<$soundsEnabled/>
					</dict>"
				
		appList="$appList  $appBundleID"
	fi
	
	addApp=""
	
	while [[ ! "$addApp" =~ ${regTrue} && ! "$addApp" =~ ${regFalse} ]];
	do
		echo
		read -p "Add another app ( [Yes] No ): " addApp # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		addApp=${addApp:-true}
	done

	if [[ "$addApp" =~ ${regTrue} ]]; then
		addApp="true"
		appExecutable=""
		notificationsEnabled=""
		alertType=""
		showInLockScreen=""
		notificationsEnabled=""
		showInNotificationCenter=""
		badgesEnabled=""
		soundsEnabled=""
		criticalAlertsEnabled=""
	else
		addApp="false"
	fi
done

# -- use this template XML to create a .mobileconfig file --------------------------

mobileconfig="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>NotificationSettings</key>
			<array>$appDicts
			</array>
			<key>PayloadDescription</key>
			<string>Managed Notifications</string>
			<key>PayloadDisplayName</key>
			<string>Managed Notifications</string>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>$PayloadUUID1</string>
			<key>PayloadOrganization</key>
			<string>$organizationName</string>
			<key>PayloadType</key>
			<string>com.apple.notificationsettings</string>
			<key>PayloadUUID</key>
			<string>$PayloadUUID1</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Managed Notifications</string>
	<key>PayloadDisplayName</key>
	<string>Managed Notifications</string>
    <key>PayloadEnabled</key>
    <true/>
	<key>PayloadIdentifier</key>
	<string>$PayloadUUID2</string>
	<key>PayloadOrganization</key>
	<string>$organizationName</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>$PayloadUUID2</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>"


# -- choose to upload to Jamf Pro or save to Desktop --------------------------

while [[ ! "$chooseOutput" =~ ${regUpload} && ! "$chooseOutput" =~ ${regSave} && ! "$chooseOutput" =~ ${regBoth} ]];
do
	echo
	read -p "Upload to Jamf Pro or Save to Desktop? ( Both [Upload] Save ): " chooseOutput # upload, save or both; case insensitive, first letter accepted, return to accept default
	chooseOutput=${chooseOutput:-upload}
done


if [[ "$chooseOutput" =~ ${regUpload} ]]; then
	uploadProfile
elif [[ "$chooseOutput" =~ ${regSave} ]]; then
	saveProfile
else
	uploadProfile
	saveProfile
fi

exit 0

Until Jamf adds the Notifications payload to macOS Configuration Profiles in Jamf Pro, I've put together this script to help with creating these profiles. You can save them as .mobileconfig files to your desktop or supply your Jamf Pro address and credentials to upload to your server.

To use the script:

1. Click the Download Zip button in the upper right corner of this page and locate the Manage App Notifications.bash script inside.
2. If you want the option to upload profiles to your server, edit the URL, userName, password and organizationName items near the top.
3. Drag the script into a new Terminal window.
4. Drag an app into the same Terminal window so that its path follows the script.
5. Press return and follow the prompts.

Keep in mind that until the Notifications payload is added to Jamf Pro, you won't see it appear in your profile. But the profile will still work. After the payload is added in a future version, the profiles should display the payload.

I hope folks find it useful. Please add comments and bug reports to the GitHub gist page.

This is awesome, thanks a ton for posting this. It looks like it's one profile per notification (application). I was hoping to have a single profile, that was acting on multiple applications. Great work, and thanks again!

Thanks for the feedback, @vandehey! I'll look into what it will take to add multiple items to the payload as I get more feedback.

Very helpful and a neat idea, thank you!
One idea I have is to add a third possible response to the upload or “write to disk” question, both. I’d make a pull request if it wasn’t a gist so thought I’d mention it

Thanks, @Dials-Mavis. Not a bad idea to offer both and should be fairly easy to do. I'll look into it.

This worked fantastically, @talkingmoose, thank you very much for this. Would also love an option to add multiple items to the payload if you get the chance to put that in.

Thanks for the feedback @vandehey, @Dials-Mavis and @GavinAndersonGuvnor!

This new version of the script now supports multiple apps in one profile and uploading to Jamf Pro and saving at the same time. Very limited testing, but appears to be working for me.

@talkingmoose Thanks so much, that's fantastic :)

This worked perfectly, thanks a TON for this! One thing of note....After importing it into JAMF, it looks like an empty profile. I realize that JAMF hasn't implemented any of these settings, but I expected to see something there. Regardless, works perfectly. Thanks again!

@vandehey, thanks for verifying!

You won’t see the Notifications payload in Jamf Pro until Jamf implement that payload into the GUI. Everything is there behind the scenes but Jamf Pro has no way to show you yet.

We had the same issue with PPPC and the PPPC Utility. Once you upgrade to a version of Jamf Pro that supports the Notifications payload, your earlier profiles will still work and show the payload.

@talkingmoose This is great and working perfectly with the Yo app. I like how it grays the settings out so the user can't turn them off. I'm also trying with Microsoft Update Assistant app but it doesn't seem to be working. Have you tried this one? It's not enabling notifications or graying the settings out.

@gsprague, it should work with Microsoft AutoUpdate just fine. That was one of the first apps I tried. Assuming you're pointing to /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app.

@talkingmoose Yes, that's the path I'm using. Does the application path work with escaped spaces? I'm not removing the backslashes. I'm also testing on macOS 10.15.1.

@gsprague You're maybe experiencing the same thing I did, where it was the MAU Daemon that kept coming up with a separate notification that needed allowed? I had to add an entry for the following to make that not come up any longer:

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app

@GavinAndersonGuvnor I want to force the MAU Notifications to be on and have all the settings grayed out in Sys Preferences : Notifications : Microsoft Update Assistant so the user cannot turn the notifications off. This is working with another app where all settings are grayed out and cannot be changed.

@talkingmoose It's working now. I wasn't using the complete path to MUA. Needed to go into the apps contents:
/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/Microsoft\ Update\ Assistant.app

Thanks!

Why am I the only one that seems to be getting a permissions denied message when running the script or has anyone else encountered this?

If you downloaded the script, you’ll need to make it executable first.

In Terminal run chmod +x /path/to/script.

Then try running it again.

@talkingmoose Thank you kindly, that did the trick!

I ran into an unexpected side effect when creating a Notification Settings Configuration Profile for Enterprise Connect today (if anyone else thinks of doing that, don't. Enterprise Connect does not require one to display notifications) and had to engage Enterprise Connect support to figure out why. By installing a Notifications Setting specifying the alert style as Banner for ecAgent the process was prevented from displaying an Alert style notification. If you used this script's default of Banner and aren't sure that style notification is definitely what an app will display you may want to check and update your Notification Settings profiles.

@talkingmoose this is awesome thanks so much!

Took some liberties and had my son spice it up some as a coding project for him.
https://gist.github.com/Paul-Benton/ed0fcdbbccaa7fa87184082ed441e549

-converted to zsh
-added request for accepting default for all
-can now read a text file list of App paths (one per line) or single app path

Feel free to pull it back to your's if you want

@talkingmoose this is awesome thanks so much!

Took some liberties and had my son spice it up some as a coding project for him.
https://gist.github.com/Paul-Benton/ed0fcdbbccaa7fa87184082ed441e549

-converted to zsh
-added request for accepting default for all
-can now read a text file list of App paths (one per line) or single app path

Feel free to pull it back to your's if you want

This did not work for me. If I save off the mobile config, the format is not right.

found it, the "&" in our company name needed escaping.

found it, the "&" in our company name needed escaping.

Great, thanks for the super fast fix!

This makes it so easy, thanks so much for scripting it. I had one question for after it is uploaded to Jamf.
Once created and uploaded to Jamf is there a way to modify? For example I need to add more applications to it. Has anyone had to update what they already have in Jamf? How did you handle the jamf part of it? Did you remove it from jamf and upload it again?

@kirbybj, not with this script. However, since writing this script, Jamf Pro 10.19 added a great new feature where you can bring your own manifests to make your own custom Configuration Profiles.

Do this instead of the script:

1. Copy the JSON Schema manifest here to your clipboard.
2. In Jamf Pro, navigate to Computers > Configuration Profiles and click the New button to create a new profile. Name it something like "Managed App Notifications".
3. In the list of payloads in the middle, scroll down to the Application & Custom Settings payload and click the Configure button.
4. Choose Creation Method > Configure settings.
5. Source > Custom Schema.
6. Preference Domain: com.apple.notificationsettings
7. Paste the manifest into the Custom Schema field at the bottom of the window.
8. Click the Properties tab.
9. Click the Add Value button and you can enter the app's bundle ID (looks something like "com.google.Chrome") and choose the managed settings you'd like. You can Click the Add Value button to add more apps.

What you see should look something like this. You can add multiple apps and you can come back later and modify.

Thank you so much for that help. Our Jamf Pro was just upgraded last night to I believe to .21. We were on a very old version. Thanks for the help.

Is it somehow possible to let the users change the notification settings afterwards? We just want to predefine the settings but still let the users choose if they want to disable notifications afterwards.

Thank you, this will save me some time which its always very much appreciated :-)