Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Similar to User Approved Kernel Extensions (UAKEL) and Privacy Preferences Policy Control (PPPC) in earlier macOS versions, Catalina will now prompt users to allow Notifications from each app. Administrators can manage these prompts using a Configuration Profile. These profiles do not require User Approved MDM.
#!/bin/bash
<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Professional Services Engineer
Jamf
bill@talkingmoose.net
https://gist.github.com/talkingmoose/9faf50deaaefafa9a147e48ba39bb4b0
Reference: https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem
Originally posted: October 5, 2019
Last updated: October 16, 2019
Purpose: Create configuration profiles to manage app notifications.
Upload the configuration profile to Jamf Pro or save to your desktop.
Instructions: Run the script with help, -h or --usage for help.
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"Fortune makes promises to many, keeps them to none.
Live for each day, live for the hours, since nothing is forever yours."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
# Jamf Pro URL and credentials
URL="https://jamfproserver.talkingmoose.net:8443"
userName="API-Editor"
password="P@55w0rd"
organizationName="Talking Moose Industries"
# -- set some variables for the rest of the script ----------------------------
# regular expression for "help" and "usage"
regHelp="^-?-?[Hh]([Ee][Ll][Pp])?|[Uu]([Ss][Aa][Gg][Ee])?$"
# regular expressions for "true" and "false"
regTrue="^[Tt]([Rr][Uu][Ee])?|[Yy]([Ee][Ss])?$"
regFalse="^[Ff]([Aa][Ll][Ss][Ee])?|[Nn]([Oo])?$"
# regular expressions for "upload" and "save"
regUpload="^[Uu]([Pp][Ll][Oo][Aa][Dd])?$"
regSave="^[Ss]([Aa][Vv][Ee])?$"
regBoth="^[Bb]([Oo][Tt][Hh])?$"
# regular expressions for "none", "banners" and "alerts"
regNone="^[Nn]([Oo][Nn][Ee])?$"
regBanners="^[Bb]([Aa][Nn][Nn][Ee][Rr][Ss])?$"
regAlerts="^[Aa]([Ll][Ee][Rr][Tt][Ss])?$"
# generate two UUIDs for configuration profile payload identifiers
PayloadUUID1=$( /usr/bin/uuidgen )
PayloadUUID2=$( /usr/bin/uuidgen )
appDicts=""
# -- display usage information or parse app path for information --------------
appPath="$1"
if [[ "$appPath" =~ ${regHelp} ]]; then
echo
echo "Manage App Notifications
Purpose: Create configuration profiles to manage app notifications
Upload the configuration profile to Jamf Pro or save to your desktop
Configuration: To upload to your Jamf Pro server, edit these lines before running the script.
The API-Editor account needs the Create privilege for macOS Configuration Profiles in Jamf Pro
URL=\"https://jamfproserver.talkingmoose.net:8443\"
userName=\"API-Editor\"
password=\"P@55w0rd\"
organizationName=\"Talking Moose Industries\"
Usage: \"$0\" [/path/to/application]
Questions are followed by allowed responses with [default] responses in brackets.
Responses are case insensitive and accept the first letter or entire word.
Press return to accept the default response.
Example: $ \"$0\"
Path to managed app (drag app into this Terminal window): /Applications/FaceTime.app
...
or
$ \"$0\" /Applications/FaceTime.app
Allow Notifications from FaceTime ( [Yes] No ): Yes
FaceTime alert style ( None [Banners] Alerts ): A
Show notifications on lock screen ( [Yes] No ): n
Show in Notification Center ( [Yes] No ): true
Badge app icon ( [Yes] No ):
Play sound for notifications ( [Yes] No ): NO
Critical Alerts Enabled ( Yes [No] ): FALSE
Add another app ( [Yes] No ): n
Upload to Jamf Pro or Save to Desktop? ( Both [Upload] Save ): U
Your new Notifications configuration profile for FaceTime was uploaded to Jamf Pro and is ready for scoping.
Would you like to view the profile now? ( [Yes] No ): yes"
echo
exit 0
else
appBundleID=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleIdentifier 2>/dev/null )
appExecutable=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleExecutable 2>/dev/null )
appExecutableString=$( /usr/bin/sed -e 's/ /./g' <<< "$appExecutable" )
fi
function getApp {
# -- request path to managed app if no app path provided ----------------------
while [[ "$appExecutable" = "" ]];
do
echo
read -p "Path to managed app (drag app into this Terminal window): " appPath
appBundleID=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleIdentifier 2>/dev/null )
appExecutable=$( /usr/bin/defaults read "$appPath/Contents/Info.plist" CFBundleExecutable 2>/dev/null )
appExecutableString=$( /usr/bin/sed -e 's/ /./g' <<< "$appExecutable" )
done
}
function getNotificationsEnabled {
# -- choose notificationsEnabled ----------------------------------------------
while [[ ! "$notificationsEnabled" =~ ${regTrue} && ! "$notificationsEnabled" =~ ${regFalse} ]];
do
echo
read -p "Allow Notifications from $appExecutable ( [Yes] No ): " notificationsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
notificationsEnabled=${notificationsEnabled:-true}
done
if [[ "$notificationsEnabled" =~ ${regTrue} ]]; then
notificationsEnabled="true"
else
notificationsEnabled="false"
fi
}
function getAlertType {
# -- choose alertType ---------------------------------------------------------
while [[ ! "$alertType" =~ ${regNone} && ! "$alertType" =~ ${regBanners} && ! "$alertType" =~ ${regAlerts} && "$notificationsEnabled" = "true" ]];
do
echo
read -p "$appExecutable alert style ( None [Banners] Alerts ): " alertType # none, banners or alerts, case insensitive, first letter accepted, return to accept default
alertType=${alertType:-Banners}
done
if [[ "$alertType" =~ ${regNone} ]]; then
alertType="0"
elif [[ "$alertType" =~ ${regBanners} ]]; then
alertType="1"
else
alertType="2"
fi
}
function getShowInLockScreen {
# -- choose showInLockScreen --------------------------------------------------
while [[ ! "$showInLockScreen" =~ ${regTrue} && ! "$showInLockScreen" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
do
read -p "Show notifications on lock screen ( [Yes] No ): " showInLockScreen # true, false, yes or no; case insensitive, first letter accepted, return to accept default
showInLockScreen=${showInLockScreen:-true}
done
if [[ "$showInLockScreen" =~ ${regTrue} ]]; then
showInLockScreen="true"
else
showInLockScreen="false"
fi
}
function getShowInNotificationCenter {
# -- choose showInNotificationCenter ------------------------------------------
while [[ ! "$showInNotificationCenter" =~ ${regTrue} && ! "$showInNotificationCenter" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
do
read -p "Show in Notification Center ( [Yes] No ): " showInNotificationCenter # true, false, yes or no; case insensitive, first letter accepted, return to accept default
showInNotificationCenter=${showInNotificationCenter:-true}
done
if [[ "$showInNotificationCenter" =~ ${regTrue} ]]; then
showInNotificationCenter="true"
else
showInNotificationCenter="false"
fi
}
function getBadgesEnabled {
# -- choose badgesEnabled -----------------------------------------------------
while [[ ! "$badgesEnabled" =~ ${regTrue} && ! "$badgesEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
do
read -p "Badge app icon ( [Yes] No ): " badgesEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
badgesEnabled=${badgesEnabled:-true}
done
if [[ "$badgesEnabled" =~ ${regTrue} ]]; then
badgesEnabled="true"
else
badgesEnabled="false"
fi
}
function getSoundsEnabled {
# -- choose soundsEnabled -----------------------------------------------------
while [[ ! "$soundsEnabled" =~ ${regTrue} && ! "$soundsEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
do
read -p "Play sound for notifications ( [Yes] No ): " soundsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
soundsEnabled=${soundsEnabled:-true}
done
if [[ "$soundsEnabled" =~ ${regTrue} ]]; then
soundsEnabled="true"
else
soundsEnabled="false"
fi
}
function getCriticalAlertsEnabled {
# -- choose criticalAlertsEnabled (does not appear in GUI) --------------------
while [[ ! "$criticalAlertsEnabled" =~ ${regTrue} && ! "$criticalAlertsEnabled" =~ ${regFalse} && "$notificationsEnabled" = "true" ]];
do
read -p "Critical Alerts Enabled ( Yes [No] ): " criticalAlertsEnabled # true, false, yes or no; case insensitive, first letter accepted, return to accept default
criticalAlertsEnabled=${criticalAlertsEnabled:-false}
done
if [[ "$criticalAlertsEnabled" =~ ${regTrue} ]]; then
criticalAlertsEnabled="true"
else
criticalAlertsEnabled="false"
fi
}
function uploadProfile {
# upload to Jamf Pro
profilePayload=$( /usr/bin/xmllint --noblanks - <<< "$mobileconfig" | /usr/bin/sed -e 's/</\&lt;/g' -e 's/>/\&gt;/g' )
profileXML="<os_x_configuration_profile>
<general>
<name>Managed Notifications</name>
<description>
<string>Manage Notifications settings.</string>
</description>
<site/>
<category/>
<distribution_method>Install Automatically</distribution_method>
<user_removable>false</user_removable>
<level>computer</level>
<uuid>$PayloadUUID2</uuid>
<payloads>$profilePayload</payloads>
</general>
</os_x_configuration_profile>"
# flatten the XML for the configuration profile to upload to Jamf Pro
flatXML=$( /usr/bin/xmllint --noblanks - <<< "$profileXML" )
# upload and create configuration profile
result=$( /usr/bin/curl "$URL/JSSResource/osxconfigurationprofiles/id/0" \
--silent \
--insecure \
--write-out "%{http_code}" \
--user "$userName":"$password" \
--header "Content-Type: text/xml" \
--request POST \
--data "$flatXML" 2>&1 )
# evaluate HTTP status code
resultStatus=${result: -3}
if [[ $resultStatus = 201 ]]; then # 201 is successful
echo
echo "Your new Notifications configuration profile for $appExecutable was uploaded to Jamf Pro and is ready for scoping."
# -- offer to open configuration profile in Jamf Pro ------------------
while [[ ! "$openProfile" =~ ${regTrue} && ! "$openProfile" =~ ${regFalse} ]];
do
echo
read -p "Would you like to view the profile now? ( [Yes] No ): " openProfile # true, false, yes or no; case insensitive, first letter accepted, return to accept default
openProfile=${openProfile:-true}
done
if [[ "$openProfile" =~ ${regTrue} ]]; then
resultXML=${result%???}
profileID=$( /usr/bin/xpath '/os_x_configuration_profile/id/text()' <<< "$resultXML" 2>/dev/null )
/usr/bin/open "$URL/OSXConfigurationProfiles.html?id=$profileID&o=r"
fi
else
echo
echo "Unable to upload your new Notifications configuration profile for $appExecutable [Response code: $resultStatus]."
echo
echo "CODE DESCRIPTION
000 Check server URL in script
200 Request successful
201 Request to create or update object successful
400 Bad request. Verify the syntax of the request specifically the XML body.
401 Authentication failed. Verify the credentials being used for the request.
403 Invalid permissions. Verify the account being used has the proper permissions for the object/resource you are trying to access.
404 Object/resource not found. Verify the URL path is correct.
409 Conflict. Delete existing profile \"Set $appExecutable notifications\" first.
500 Internal server error. Retry the request or contact Jamf support if the error is persistent."
fi
}
function saveProfile {
echo
echo "$mobileconfig" > "$HOME/Desktop/Managed Notifications.mobileconfig"
echo "Your new Notifications configuration profile was saved to your desktop."
}
# -- ask for another app --------------------------------------------------
while [[ ! "$addApp" =~ ${regFalse} ]];
do
getApp
if [[ $appList = *"$appBundleID"* ]]; then
echo
echo "This app is already added to the list."
else
getNotificationsEnabled
getAlertType
getShowInLockScreen
getNotificationsEnabled
getShowInNotificationCenter
getBadgesEnabled
getSoundsEnabled
getCriticalAlertsEnabled
appDicts="$appDicts
<dict>
<key>AlertType</key>
<integer>$alertType</integer>
<key>BadgesEnabled</key>
<$badgesEnabled/>
<key>BundleIdentifier</key>
<string>$appBundleID</string>
<key>CriticalAlertEnabled</key>
<$criticalAlertsEnabled/>
<key>NotificationsEnabled</key>
<$notificationsEnabled/>
<key>ShowInLockScreen</key>
<$showInLockScreen/>
<key>ShowInNotificationCenter</key>
<$showInNotificationCenter/>
<key>SoundsEnabled</key>
<$soundsEnabled/>
</dict>"
appList="$appList $appBundleID"
fi
addApp=""
while [[ ! "$addApp" =~ ${regTrue} && ! "$addApp" =~ ${regFalse} ]];
do
echo
read -p "Add another app ( [Yes] No ): " addApp # true, false, yes or no; case insensitive, first letter accepted, return to accept default
addApp=${addApp:-true}
done
if [[ "$addApp" =~ ${regTrue} ]]; then
addApp="true"
appExecutable=""
notificationsEnabled=""
alertType=""
showInLockScreen=""
notificationsEnabled=""
showInNotificationCenter=""
badgesEnabled=""
soundsEnabled=""
criticalAlertsEnabled=""
else
addApp="false"
fi
done
# -- use this template XML to create a .mobileconfig file --------------------------
mobileconfig="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>$appDicts
</array>
<key>PayloadDescription</key>
<string>Managed Notifications</string>
<key>PayloadDisplayName</key>
<string>Managed Notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>$PayloadUUID1</string>
<key>PayloadOrganization</key>
<string>$organizationName</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>$PayloadUUID1</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Managed Notifications</string>
<key>PayloadDisplayName</key>
<string>Managed Notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>$PayloadUUID2</string>
<key>PayloadOrganization</key>
<string>$organizationName</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>$PayloadUUID2</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>"
# -- choose to upload to Jamf Pro or save to Desktop --------------------------
while [[ ! "$chooseOutput" =~ ${regUpload} && ! "$chooseOutput" =~ ${regSave} && ! "$chooseOutput" =~ ${regBoth} ]];
do
echo
read -p "Upload to Jamf Pro or Save to Desktop? ( Both [Upload] Save ): " chooseOutput # upload, save or both; case insensitive, first letter accepted, return to accept default
chooseOutput=${chooseOutput:-upload}
done
if [[ "$chooseOutput" =~ ${regUpload} ]]; then
uploadProfile
elif [[ "$chooseOutput" =~ ${regSave} ]]; then
saveProfile
else
uploadProfile
saveProfile
fi
exit 0
@talkingmoose

This comment has been minimized.

Copy link
Owner Author

talkingmoose commented Oct 6, 2019

Until Jamf adds the Notifications payload to macOS Configuration Profiles in Jamf Pro, I've put together this script to help with creating these profiles. You can save them as .mobileconfig files to your desktop or supply your Jamf Pro address and credentials to upload to your server.

To use the script:

  1. Click the Download Zip button in the upper right corner of this page and locate the Manage App Notifications.bash script inside.
  2. If you want the option to upload profiles to your server, edit the URL, userName, password and organizationName items near the top.
  3. Drag the script into a new Terminal window.
  4. Drag an app into the same Terminal window so that its path follows the script.
  5. Press return and follow the prompts.

runscript

Keep in mind that until the Notifications payload is added to Jamf Pro, you won't see it appear in your profile. But the profile will still work. After the payload is added in a future version, the profiles should display the payload.

I hope folks find it useful. Please add comments and bug reports to the GitHub gist page.

@vandehey

This comment has been minimized.

Copy link

vandehey commented Oct 7, 2019

This is awesome, thanks a ton for posting this. It looks like it's one profile per notification (application). I was hoping to have a single profile, that was acting on multiple applications. Great work, and thanks again!

@talkingmoose

This comment has been minimized.

Copy link
Owner Author

talkingmoose commented Oct 7, 2019

Thanks for the feedback, @vandehey! I'll look into what it will take to add multiple items to the payload as I get more feedback.

@Dials-Mavis

This comment has been minimized.

Copy link

Dials-Mavis commented Oct 9, 2019

Very helpful and a neat idea, thank you!
One idea I have is to add a third possible response to the upload or “write to disk” question, both. I’d make a pull request if it wasn’t a gist so thought I’d mention it

@talkingmoose

This comment has been minimized.

Copy link
Owner Author

talkingmoose commented Oct 9, 2019

Thanks, @Dials-Mavis. Not a bad idea to offer both and should be fairly easy to do. I'll look into it.

@GavinAndersonGuvnor

This comment has been minimized.

Copy link

GavinAndersonGuvnor commented Oct 15, 2019

This worked fantastically, @talkingmoose, thank you very much for this. Would also love an option to add multiple items to the payload if you get the chance to put that in.

@talkingmoose

This comment has been minimized.

Copy link
Owner Author

talkingmoose commented Oct 17, 2019

Thanks for the feedback @vandehey, @Dials-Mavis and @GavinAndersonGuvnor!

This new version of the script now supports multiple apps in one profile and uploading to Jamf Pro and saving at the same time. Very limited testing, but appears to be working for me.

image

@GavinAndersonGuvnor

This comment has been minimized.

Copy link

GavinAndersonGuvnor commented Oct 17, 2019

@talkingmoose Thanks so much, that's fantastic :)

@vandehey

This comment has been minimized.

Copy link

vandehey commented Oct 17, 2019

This worked perfectly, thanks a TON for this! One thing of note....After importing it into JAMF, it looks like an empty profile. I realize that JAMF hasn't implemented any of these settings, but I expected to see something there. Regardless, works perfectly. Thanks again!

@talkingmoose

This comment has been minimized.

Copy link
Owner Author

talkingmoose commented Oct 17, 2019

@vandehey, thanks for verifying!

You won’t see the Notifications payload in Jamf Pro until Jamf implement that payload into the GUI. Everything is there behind the scenes but Jamf Pro has no way to show you yet.

We had the same issue with PPPC and the PPPC Utility. Once you upgrade to a version of Jamf Pro that supports the Notifications payload, your earlier profiles will still work and show the payload.

@gsprague

This comment has been minimized.

Copy link

gsprague commented Nov 4, 2019

@talkingmoose This is great and working perfectly with the Yo app. I like how it grays the settings out so the user can't turn them off. I'm also trying with Microsoft Update Assistant app but it doesn't seem to be working. Have you tried this one? It's not enabling notifications or graying the settings out.

@talkingmoose

This comment has been minimized.

Copy link
Owner Author

talkingmoose commented Nov 5, 2019

@gsprague, it should work with Microsoft AutoUpdate just fine. That was one of the first apps I tried. Assuming you're pointing to /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app.

@gsprague

This comment has been minimized.

Copy link

gsprague commented Nov 5, 2019

@talkingmoose Yes, that's the path I'm using. Does the application path work with escaped spaces? I'm not removing the backslashes. I'm also testing on macOS 10.15.1.

@GavinAndersonGuvnor

This comment has been minimized.

Copy link

GavinAndersonGuvnor commented Nov 5, 2019

@gsprague You're maybe experiencing the same thing I did, where it was the MAU Daemon that kept coming up with a separate notification that needed allowed? I had to add an entry for the following to make that not come up any longer:

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app

@gsprague

This comment has been minimized.

Copy link

gsprague commented Nov 5, 2019

@GavinAndersonGuvnor I want to force the MAU Notifications to be on and have all the settings grayed out in Sys Preferences : Notifications : Microsoft Update Assistant so the user cannot turn the notifications off. This is working with another app where all settings are grayed out and cannot be changed.

@talkingmoose It's working now. I wasn't using the complete path to MUA. Needed to go into the apps contents:
/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/Microsoft\ Update\ Assistant.app

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.