Similar to User Approved Kernel Extensions (UAKEL) and Privacy Preferences Policy Control (PPPC) in earlier macOS versions, Catalina will now prompt users to allow Notifications from each app. Administrators can manage these prompts using a Configuration Profile. These profiles do not require User Approved MDM.

Manage App Notifications.bash

#!/bin/bash

<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------

	Written by:William Smith
	Professional Services Engineer
	Jamf
	bill@talkingmoose.net
	https://gist.github.com/talkingmoose/9faf50deaaefafa9a147e48ba39bb4b0
	Reference: https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem
	
	Originally posted: October 5, 2019
	Last updated: October 16, 2019

	Purpose: Create configuration profiles to manage app notifications.
	Upload the configuration profile to Jamf Pro or save to your desktop.
	
	Instructions: Run the script with help, -h or --usage for help.

	Except where otherwise noted, this work is licensed under
	http://creativecommons.org/licenses/by/4.0/

	"Fortune makes promises to many, keeps them to none.
	Live for each day, live for the hours, since nothing is forever yours."
	
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT


# Jamf Pro URL and credentials
URL="https://jamfproserver.talkingmoose.net:8443"
userName="API-Editor"
password="P@55w0rd"

organizationName="Talking Moose Industries"


# -- set some variables for the rest of the script ----------------------------

# regular expression for "help" and "usage"
regHelp="^-?-?[Hh]([Ee][Ll][Pp])?|[Uu]([Ss][Aa][Gg][Ee])?$"

# regular expressions for "true" and "false"
regTrue="^[Tt]([Rr][Uu][Ee])?|[Yy]([Ee][Ss])?$"
regFalse="^[Ff]([Aa][Ll][Ss][Ee])?|[Nn]([Oo])?$"

# regular expressions for "upload" and "save"
regUpload="^[Uu]([Pp][Ll][Oo][Aa][Dd])?$"
regSave="^[Ss]([Aa][Vv][Ee])?$"
regBoth="^[Bb]([Oo][Tt][Hh])?$"

# regular expressions for "none", "banners" and "alerts"
regNone="^[Nn]([Oo][Nn][Ee])?$"
regBanners="^[Bb]([Aa][Nn][Nn][Ee][Rr][Ss])?$"
regAlerts="^[Aa]([Ll][Ee][Rr][Tt][Ss])?$"

# generate two UUIDs for configuration profile payload identifiers
PayloadUUID1=$( /usr/bin/uuidgen )
PayloadUUID2=$( /usr/bin/uuidgen )

appDicts=""


# -- display usage information or parse app path for information --------------

appPath="$1"

if [[ "$appPath" =~ ${regHelp} ]]; then
	echo
	echo "Manage App Notifications

Purpose:       Create configuration profiles to manage app notifications
               Upload the configuration profile to Jamf Pro or save to your desktop
			   
Configuration: To upload to your Jamf Pro server, edit these lines before running the script.
               The API-Editor account needs the Create privilege for macOS Configuration Profiles in Jamf Pro

               URL=\"https://jamfproserver.talkingmoose.net:8443\"
               userName=\"API-Editor\"
               password=\"P@55w0rd\"
               
               organizationName=\"Talking Moose Industries\"

Usage:         \"$0\" [/path/to/application]

               Questions are followed by allowed responses with [default] responses in brackets.
               Responses are case insensitive and accept the first letter or entire word.
               Press return to accept the default response.
			   
Example:       $ \"$0\"

               Path to managed app (drag app into this Terminal window): /Applications/FaceTime.app
               
               ...

               or

               $ \"$0\" /Applications/FaceTime.app
               
               Allow Notifications from FaceTime ( [Yes] No ): Yes

               FaceTime alert style ( None [Banners] Alerts ): A
               Show notifications on lock screen ( [Yes] No ): n
               Show in Notification Center ( [Yes] No ): true
               Badge app icon ( [Yes] No ):  
               Play sound for notifications ( [Yes] No ): NO
               Critical Alerts Enabled ( Yes [No] ): FALSE
               
               Add another app ( [Yes] No ): n

               Upload to Jamf Pro or Save to Desktop? ( Both [Upload] Save ): U

               Your new Notifications configuration profile for FaceTime was uploaded to Jamf Pro and is ready for scoping.

               Would you like to view the profile now? ( [Yes] No ): yes"
	echo
	exit 0
else
	appBundleID=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleIdentifier 2>/dev/null )
	appExecutable=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleExecutable 2>/dev/null )
	appExecutableString=$( /usr/bin/sed -e 's/ /./g' <<< "$appExecutable" )
fi


function getApp	{

	# -- request path to managed app if no app path provided ----------------------
	
	while [[ "$appExecutable" = "" ]];
	do
		echo
		read -p "Path to managed app (drag app into this Terminal window): " appPath
		appBundleID=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleIdentifier 2>/dev/null )
		appExecutable=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleExecutable 2>/dev/null )
		appExecutableString=$( /usr/bin/sed -e 's/ /./g' <<< "$appExecutable" )
	done

}


function getNotificationsEnabled	{

	# -- choose notificationsEnabled ----------------------------------------------

	while [[ ! "$notificationsEnabled" =~ ${regTrue} && ! "$notificationsEnabled" =~ ${regFalse} ]];
	do
		echo
		read -p "Allow Notifications from $appExecutable ( [Yes] No ): " notificationsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		notificationsEnabled=${notificationsEnabled:-true}
	done


	if [[ "$notificationsEnabled" =~ ${regTrue} ]]; then
		notificationsEnabled="true"
	else
		notificationsEnabled="false"
	fi
}


function getAlertType	{

	# -- choose alertType ---------------------------------------------------------

	while [[ ! "$alertType" =~ ${regNone} && ! "$alertType" =~ ${regBanners} && ! "$alertType" =~ ${regAlerts} && "$notificationsEnabled" = "true" ]];
	do
		echo
		read -p "$appExecutable alert style ( None [Banners] Alerts ): " alertType # none, banners or alerts, case insensitive, first letter accepted, return to accept default
		alertType=${alertType:-Banners}
	done


	if [[ "$alertType" =~ ${regNone} ]]; then
		alertType="0"
	elif [[ "$alertType" =~ ${regBanners} ]]; then
		alertType="1"
	else
		alertType="2"
	fi
}


function getShowInLockScreen	{

	# -- choose showInLockScreen --------------------------------------------------

	while [[ ! "$showInLockScreen" =~ ${regTrue} && ! "$showInLockScreen" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Show notifications on lock screen ( [Yes] No ): " showInLockScreen # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		showInLockScreen=${showInLockScreen:-true}
	done


	if [[ "$showInLockScreen" =~ ${regTrue} ]]; then
		showInLockScreen="true"
	else
		showInLockScreen="false"
	fi
}


function getShowInNotificationCenter	{

	# -- choose showInNotificationCenter ------------------------------------------

	while [[ ! "$showInNotificationCenter" =~ ${regTrue} && ! "$showInNotificationCenter" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Show in Notification Center ( [Yes] No ): " showInNotificationCenter # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		showInNotificationCenter=${showInNotificationCenter:-true}
	done


	if [[ "$showInNotificationCenter" =~ ${regTrue} ]]; then
		showInNotificationCenter="true"
	else
		showInNotificationCenter="false"
	fi
}


function getBadgesEnabled	{

	# -- choose badgesEnabled -----------------------------------------------------

	while [[ ! "$badgesEnabled" =~ ${regTrue} && ! "$badgesEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Badge app icon ( [Yes] No ): " badgesEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		badgesEnabled=${badgesEnabled:-true}
	done


	if [[ "$badgesEnabled" =~ ${regTrue} ]]; then
		badgesEnabled="true"
	else
		badgesEnabled="false"
	fi
}


function getSoundsEnabled	{

	# -- choose soundsEnabled -----------------------------------------------------

	while [[ ! "$soundsEnabled" =~ ${regTrue} && ! "$soundsEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Play sound for notifications ( [Yes] No ): " soundsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		soundsEnabled=${soundsEnabled:-true}
	done


	if [[ "$soundsEnabled" =~ ${regTrue} ]]; then
		soundsEnabled="true"
	else
		soundsEnabled="false"
	fi
}


function getCriticalAlertsEnabled	{

	# -- choose criticalAlertsEnabled (does not appear in GUI) --------------------

	while [[ ! "$criticalAlertsEnabled" =~ ${regTrue} && ! "$criticalAlertsEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
	do
		read -p "Critical Alerts Enabled ( Yes [No] ): " criticalAlertsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		criticalAlertsEnabled=${criticalAlertsEnabled:-false}
	done


	if [[ "$criticalAlertsEnabled" =~ ${regTrue} ]]; then
		criticalAlertsEnabled="true"
	else
		criticalAlertsEnabled="false"
	fi
}

function uploadProfile	{

		# upload to Jamf Pro
		profilePayload=$( /usr/bin/xmllint --noblanks - <<< "$mobileconfig" | /usr/bin/sed -e 's/</\&lt;/g' -e 's/>/\&gt;/g' )
		profileXML="<os_x_configuration_profile>
	  <general>
		<name>Managed Notifications</name>
		<description>
		  <string>Manage Notifications settings.</string>
		</description>
		<site/>
		<category/>
		<distribution_method>Install Automatically</distribution_method>
		<user_removable>false</user_removable>
		<level>computer</level>
		<uuid>$PayloadUUID2</uuid>
		<payloads>$profilePayload</payloads>
	  </general>
	</os_x_configuration_profile>"

		# flatten the XML for the configuration profile to upload to Jamf Pro
		flatXML=$( /usr/bin/xmllint --noblanks - <<< "$profileXML" )
	
		# upload and create configuration profile
		result=$( /usr/bin/curl "$URL/JSSResource/osxconfigurationprofiles/id/0" \
		--silent \
		--insecure \
		--write-out "%{http_code}" \
		--user "$userName":"$password" \
		--header "Content-Type: text/xml" \
		--request POST \
		--data "$flatXML" 2>&1 )
	
		# evaluate HTTP status code
		resultStatus=${result: -3}
	
		if [[ $resultStatus = 201 ]]; then # 201 is successful
			echo
			echo "Your new Notifications configuration profile for $appExecutable was uploaded to Jamf Pro and is ready for scoping."
		
			# -- offer to open configuration profile in Jamf Pro ------------------

			while [[ ! "$openProfile" =~ ${regTrue} && ! "$openProfile" =~ ${regFalse} ]];
			do
				echo
				read -p "Would you like to view the profile now? ( [Yes] No ): " openProfile # true, false, yes or no; case insensitive, first letter accepted, return to accept default
				openProfile=${openProfile:-true}
			done


			if [[ "$openProfile" =~ ${regTrue} ]]; then
				resultXML=${result%???}
				profileID=$( /usr/bin/xpath '/os_x_configuration_profile/id/text()' <<< "$resultXML" 2>/dev/null )
				/usr/bin/open "$URL/OSXConfigurationProfiles.html?id=$profileID&o=r"
			fi
		
		else
			echo
			echo "Unable to upload your new Notifications configuration profile for $appExecutable [Response code: $resultStatus]."
			echo
			echo "CODE	DESCRIPTION
	000	Check server URL in script
	200	Request successful
	201	Request to create or update object successful
	400	Bad request. Verify the syntax of the request specifically the XML body.
	401	Authentication failed. Verify the credentials being used for the request.
	403	Invalid permissions. Verify the account being used has the proper permissions for the object/resource you are trying to access.
	404	Object/resource not found. Verify the URL path is correct.
	409	Conflict. Delete existing profile \"Set $appExecutable notifications\" first.
	500	Internal server error. Retry the request or contact Jamf support if the error is persistent."
		fi
}

function saveProfile	{
	echo
	echo "$mobileconfig" > "$HOME/Desktop/Managed Notifications.mobileconfig"
	echo "Your new Notifications configuration profile was saved to your desktop."
}


# -- ask for another app --------------------------------------------------

while [[ ! "$addApp" =~ ${regFalse} ]];
do
	getApp
	
	if [[ $appList = *"$appBundleID"* ]]; then
		echo
		echo "This app is already added to the list."
	else
		getNotificationsEnabled
		getAlertType
		getShowInLockScreen
		getNotificationsEnabled
		getShowInNotificationCenter
		getBadgesEnabled
		getSoundsEnabled
		getCriticalAlertsEnabled
	
		appDicts="$appDicts
					<dict>
						<key>AlertType</key>
						<integer>$alertType</integer>
						<key>BadgesEnabled</key>
						<$badgesEnabled/>
						<key>BundleIdentifier</key>
						<string>$appBundleID</string>
						<key>CriticalAlertEnabled</key>
						<$criticalAlertsEnabled/>
						<key>NotificationsEnabled</key>
						<$notificationsEnabled/>
						<key>ShowInLockScreen</key>
						<$showInLockScreen/>
						<key>ShowInNotificationCenter</key>
						<$showInNotificationCenter/>
						<key>SoundsEnabled</key>
						<$soundsEnabled/>
					</dict>"
				
		appList="$appList  $appBundleID"
	fi
	
	addApp=""
	
	while [[ ! "$addApp" =~ ${regTrue} && ! "$addApp" =~ ${regFalse} ]];
	do
		echo
		read -p "Add another app ( [Yes] No ): " addApp # true, false, yes or no; case insensitive, first letter accepted, return to accept default
		addApp=${addApp:-true}
	done

	if [[ "$addApp" =~ ${regTrue} ]]; then
		addApp="true"
		appExecutable=""
		notificationsEnabled=""
		alertType=""
		showInLockScreen=""
		notificationsEnabled=""
		showInNotificationCenter=""
		badgesEnabled=""
		soundsEnabled=""
		criticalAlertsEnabled=""
	else
		addApp="false"
	fi
done

# -- use this template XML to create a .mobileconfig file --------------------------

mobileconfig="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>NotificationSettings</key>
			<array>$appDicts
			</array>
			<key>PayloadDescription</key>
			<string>Managed Notifications</string>
			<key>PayloadDisplayName</key>
			<string>Managed Notifications</string>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>$PayloadUUID1</string>
			<key>PayloadOrganization</key>
			<string>$organizationName</string>
			<key>PayloadType</key>
			<string>com.apple.notificationsettings</string>
			<key>PayloadUUID</key>
			<string>$PayloadUUID1</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Managed Notifications</string>
	<key>PayloadDisplayName</key>
	<string>Managed Notifications</string>
    <key>PayloadEnabled</key>
    <true/>
	<key>PayloadIdentifier</key>
	<string>$PayloadUUID2</string>
	<key>PayloadOrganization</key>
	<string>$organizationName</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>$PayloadUUID2</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>"


# -- choose to upload to Jamf Pro or save to Desktop --------------------------

while [[ ! "$chooseOutput" =~ ${regUpload} && ! "$chooseOutput" =~ ${regSave} && ! "$chooseOutput" =~ ${regBoth} ]];
do
	echo
	read -p "Upload to Jamf Pro or Save to Desktop? ( Both [Upload] Save ): " chooseOutput # upload, save or both; case insensitive, first letter accepted, return to accept default
	chooseOutput=${chooseOutput:-upload}
done


if [[ "$chooseOutput" =~ ${regUpload} ]]; then
	uploadProfile
elif [[ "$chooseOutput" =~ ${regSave} ]]; then
	saveProfile
else
	uploadProfile
	saveProfile
fi

exit 0

Until Jamf adds the Notifications payload to macOS Configuration Profiles in Jamf Pro, I've put together this script to help with creating these profiles. You can save them as .mobileconfig files to your desktop or supply your Jamf Pro address and credentials to upload to your server.

To use the script:

1. Click the Download Zip button in the upper right corner of this page and locate the Manage App Notifications.bash script inside.
2. If you want the option to upload profiles to your server, edit the URL, userName, password and organizationName items near the top.
3. Drag the script into a new Terminal window.
4. Drag an app into the same Terminal window so that its path follows the script.
5. Press return and follow the prompts.

Keep in mind that until the Notifications payload is added to Jamf Pro, you won't see it appear in your profile. But the profile will still work. After the payload is added in a future version, the profiles should display the payload.

I hope folks find it useful. Please add comments and bug reports to the GitHub gist page.

This is awesome, thanks a ton for posting this. It looks like it's one profile per notification (application). I was hoping to have a single profile, that was acting on multiple applications. Great work, and thanks again!

Thanks for the feedback, @vandehey! I'll look into what it will take to add multiple items to the payload as I get more feedback.

Very helpful and a neat idea, thank you!
One idea I have is to add a third possible response to the upload or “write to disk” question, both. I’d make a pull request if it wasn’t a gist so thought I’d mention it

Thanks, @Dials-Mavis. Not a bad idea to offer both and should be fairly easy to do. I'll look into it.

This worked fantastically, @talkingmoose, thank you very much for this. Would also love an option to add multiple items to the payload if you get the chance to put that in.

Thanks for the feedback @vandehey, @Dials-Mavis and @GavinAndersonGuvnor!

This new version of the script now supports multiple apps in one profile and uploading to Jamf Pro and saving at the same time. Very limited testing, but appears to be working for me.

@talkingmoose Thanks so much, that's fantastic :)

This worked perfectly, thanks a TON for this! One thing of note....After importing it into JAMF, it looks like an empty profile. I realize that JAMF hasn't implemented any of these settings, but I expected to see something there. Regardless, works perfectly. Thanks again!

@vandehey, thanks for verifying!

You won’t see the Notifications payload in Jamf Pro until Jamf implement that payload into the GUI. Everything is there behind the scenes but Jamf Pro has no way to show you yet.

We had the same issue with PPPC and the PPPC Utility. Once you upgrade to a version of Jamf Pro that supports the Notifications payload, your earlier profiles will still work and show the payload.

@talkingmoose This is great and working perfectly with the Yo app. I like how it grays the settings out so the user can't turn them off. I'm also trying with Microsoft Update Assistant app but it doesn't seem to be working. Have you tried this one? It's not enabling notifications or graying the settings out.

@gsprague, it should work with Microsoft AutoUpdate just fine. That was one of the first apps I tried. Assuming you're pointing to /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app.

@talkingmoose Yes, that's the path I'm using. Does the application path work with escaped spaces? I'm not removing the backslashes. I'm also testing on macOS 10.15.1.

@gsprague You're maybe experiencing the same thing I did, where it was the MAU Daemon that kept coming up with a separate notification that needed allowed? I had to add an entry for the following to make that not come up any longer:

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app

@GavinAndersonGuvnor I want to force the MAU Notifications to be on and have all the settings grayed out in Sys Preferences : Notifications : Microsoft Update Assistant so the user cannot turn the notifications off. This is working with another app where all settings are grayed out and cannot be changed.

@talkingmoose It's working now. I wasn't using the complete path to MUA. Needed to go into the apps contents:
/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/Microsoft\ Update\ Assistant.app

Thanks!