
Managed Login Item

Joshua D. Miller edited this page Mar 20, 2023 · 2 revisions


If you are using macOSLAPS on macOS Ventura or higher, you may have noticed a notification stating that Joshua Miller has added a login item. This is because macOSLAPS uses a LaunchDaemon to run periodically throughout the day, and Apple's new privacy stance on items that run in the background surfaces such items to the user. These items can be managed under System Settings > General > Login Items.

Options

There are a few options you can exercise, depending on how you would like to proceed. You may continue to use the LaunchDaemon and use a Configuration Profile to lock the LaunchDaemon so it cannot be disabled and to silence the notifications, OR you can forego the LaunchDaemon by excluding it from your install and using your MDM (example: a Jamf policy) to run macOSLAPS from time to time.

Keep the LaunchDaemon

If you'd like to keep the LaunchDaemon, you will most likely want to apply the following two configuration profiles. One is a Notification Settings payload that silences the notification shown when a new LaunchDaemon or Agent is added to the system; the other is a Managed Login Items payload that prevents macOSLAPS from being turned off. Examples are below.

com.apple.notificationsettings

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>NotificationSettings</key>
	<array>
		<dict>
			<key>BadgesEnabled</key>
			<false/>
			<key>BundleIdentifier</key>
			<string>com.apple.BTMNotificationAgent</string>
			<key>CriticalAlertEnabled</key>
			<false/>
			<key>NotificationsEnabled</key>
			<false/>
			<key>ShowInLockScreen</key>
			<false/>
			<key>ShowInNotificationCenter</key>
			<false/>
			<key>SoundsEnabled</key>
			<false/>
		</dict>
	</array>
</dict>
</plist>

Next you will want to create a payload for Managed Login Items and add edu.psu.macoslaps-check as a Label. Example plist below:

com.apple.servicemanagement

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Rules</key>
	<array>
		<dict>
			<key>Comment</key>
			<string>LAPS</string>
			<key>RuleType</key>
			<string>Label</string>
			<key>RuleValue</key>
			<string>edu.psu.macoslaps-check</string>
		</dict>
	</array>
</dict>
</plist>

With the two profiles combined, the LaunchDaemon will remain enabled and the user will not be able to disable it. The notification shown when a login item is added will also be silenced, which may prove useful for other applications on the system as well.

MDM Method

With this method you rely on your MDM provider of choice to execute macOSLAPS periodically. In this example I will use Jamf Pro. In Jamf Pro we can create a policy that simply runs the command /usr/local/laps/macOSLAPS on a daily basis, or even weekly if your password retention policy for the admin account is longer.

Additionally, when using this method you will want to prevent the LaunchDaemon from being installed, which you can do in macOSLAPS 3.0.0 and above by specifying an InstallerChoices.xml. This file is placed alongside the PKG when installing, and with the example below it will prevent the LaunchDaemon from installing. Alternatively, if you would rather just remove the LaunchDaemon, you can specify a post-install script that simply removes /Library/LaunchDaemons/edu.psu.macoslaps-check.plist.

InstallerChoices.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
	<dict>
		<key>attributeSetting</key>
		<integer>1</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>installer_choice_1</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>installer_choice_2</string>
	</dict>
</array>
</plist>

With the InstallerChoices.xml or removing the LaunchDaemon you rely solely on your MDM to run macOSLAPS at the time intervals that you specify.
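The following shell script is an added example and is not part of the macOSLAPS project or this page. It shows the pieces of the MDM method above end to end: listing the choice identifiers a package exposes (installer -showChoiceChangesXML), generating the InstallerChoices.xml shown on this page from those identifiers, applying it at install time (installer -applyChoiceChangesXML), the post-install fallback that removes the daemon plist, and a check that the daemon is really absent afterwards. The package path is a placeholder; installer_choice_1 and installer_choice_2 are the identifiers from the page's example, and for your package you should confirm them with show_choices first. Unloading the service with launchctl bootout before deleting the plist is an addition of this example, not a step the page describes.

```shell
#!/bin/sh
# Added example (not macOSLAPS project code): build and apply an InstallerChoices.xml
# that deselects the LaunchDaemon choice, then verify the daemon is not present.
# Assumptions: $PKG is a placeholder path to the macOSLAPS PKG; the choice identifiers
# match the page's example (confirm them with show_choices for your package build).

LAPS_DAEMON_PLIST="/Library/LaunchDaemons/edu.psu.macoslaps-check.plist"
LAPS_DAEMON_LABEL="edu.psu.macoslaps-check"

# Print the choice identifiers a package exposes so the LaunchDaemon choice can be
# identified before it is deselected.
show_choices() {
  pkg="$1"
  installer -pkg "$pkg" -target / -showChoiceChangesXML
}

# Write an InstallerChoices.xml that keeps one choice selected and deselects another.
# Arguments: output path, identifier to keep, identifier to deselect.
write_installer_choices() {
  out="$1"; keep="$2"; drop="$3"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>attributeSetting</key>
    <integer>1</integer>
    <key>choiceAttribute</key>
    <string>selected</string>
    <key>choiceIdentifier</key>
    <string>${keep}</string>
  </dict>
  <dict>
    <key>attributeSetting</key>
    <integer>0</integer>
    <key>choiceAttribute</key>
    <string>selected</string>
    <key>choiceIdentifier</key>
    <string>${drop}</string>
  </dict>
</array>
</plist>
EOF
}

# Sanity check before handing the file to installer: how many choices are deselected.
count_deselected() {
  grep -c '<integer>0</integer>' "$1"
}

# Install the PKG with the choice changes applied (installer(8) flag).
install_with_choices() {
  pkg="$1"; choices="$2"
  installer -pkg "$pkg" -applyChoiceChangesXML "$choices" -target /
}

# Post-install fallback from the page: remove the daemon plist. Unloading first is
# this example's addition so launchd does not keep a stale job around.
remove_laps_daemon() {
  if [ -f "$LAPS_DAEMON_PLIST" ]; then
    launchctl bootout "system/$LAPS_DAEMON_LABEL" 2>/dev/null || true
    rm -f "$LAPS_DAEMON_PLIST"
  fi
}

# Returns 0 when the plist is gone and launchd knows no such service, i.e. the MDM
# schedule is now the only thing running macOSLAPS.
laps_daemon_absent() {
  [ ! -f "$LAPS_DAEMON_PLIST" ] && ! launchctl print "system/$LAPS_DAEMON_LABEL" >/dev/null 2>&1
}

# Usage on a Mac (as root): sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  PKG="${PKG:-/path/to/macOSLAPS.pkg}"   # placeholder path, set PKG in the environment
  write_installer_choices /tmp/InstallerChoices.xml installer_choice_1 installer_choice_2
  install_with_choices "$PKG" /tmp/InstallerChoices.xml
  remove_laps_daemon
  laps_daemon_absent && echo "LaunchDaemon not installed; MDM policy is now the only scheduler"
fi
```

In a Jamf policy this would run as a pre-install step that writes the choices file and installs the PKG, with remove_laps_daemon kept as a belt-and-braces post-install step; laps_daemon_absent is the check worth wiring into an extension attribute so you notice if a later package update silently reintroduces the daemon.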