Thursday, October 27, 2022

Ventura’s “Open at Login” vs. “Allow in the Background”


  • Open at Login shows a list of login items, per the legacy kLSSharedFileListSessionLoginItems API. These items are always launched at login, and are intended to be under the control of the user.

  • Allow in the Background has different semantics. This is an allowlist. It doesn’t show what programs will be launched at login, it shows what programs are allowed to be launched at login.

You can see this with the SMLoginItemSetEnabled API:

  1. Enable your Service Management login item by calling SMLoginItemSetEnabled with true.

  2. The item shows up in the Settings list.

  3. Back in your app, disable your login item by calling SMLoginItemSetEnabled with false.

  4. The item still shows up in the list.

Via John Siracusa:

Can this really be true? If an app ever wants to be able to launch on login in Ventura, it must forever appear in the “Allow in the Background” section of the Login Items screen in System Settings?

The new SMAppService.mainApp.register() and unregister() calls will add and remove an app from the “Open at Login” section, but nothing seems to remove an app from the “Allow in the Background” section.


To be clear, the problem with Ventura listing apps set to launch on login under the “Allow in Background” section is that it implies they can “perform tasks when the app is not running,” as the text says. But launch on login is not that!

John Siracusa:

Ventura’s handling of “launch on login” will make users suspicious of apps that the OS says can do stuff when they’re not running, even if that isn’t true. And when a developer explains, the user won’t believe the truth because the OS says otherwise. It sows distrust and worry.

Guilherme Rambo:

There should definitely be a distinction between simple login items and launch agents / daemons, which are the things that do in fact allow an app to do stuff when it’s not running.

John Siracusa:

Also, this is only a problem for apps that want to work on pre-Ventura versions of macOS. If your app requires Ventura, you can use only the new Ventura-specific API to launch on login and keep your app out of the “runs in background” list.

Stephen Hackett:

I’m not sure this new notification in macOS Ventura could be less helpful if it tried. What items? What is “System” and why is it in quotes?

Ezekiel Elin:

I've filed a few FBs about this system over the summer, most notably that it tends to just dump a whole bunch of alerts on the user at once

Like, jeesh


5 Comments RSS · Twitter

Beatrix Willius

I have another problem with the "Run in Background". So far I haven't found out why both the list and the notification show my name and not the company or the app name. It was suggested to me that the list shows the name of the code certificate. But this doesn't make any sense to me because I see app names in the background task lists, too.

So Apple added yet another half baked security feature that will cause more problems and annoyances than it solves? You don't say!

Also not a lot of useful info associated with the osascript or python do you know who installed them or what script they are running?

I ran the following

grep osascript /Library/LaunchAgents/*.plist ~/Library/LaunchAgents/*.plist

and I have the following which matches the number of osascript entries in Login Items:

/Library/LaunchAgents/com.maintain.LogOut.plist: /usr/bin/osascript
/Library/LaunchAgents/com.maintain.Restart.plist: /usr/bin/osascript
/Library/LaunchAgents/com.maintain.ShutDown.plist: /usr/bin/osascript
/Library/LaunchAgents/com.maintain.Sleep.plist: /usr/bin/osascript
/Users/charlie/Library/LaunchAgents/com.alfredapp.1password.plist: /usr/bin/osascript

I don't currently have Cocktail installed as the Ventura version (v16.0) is not signed (another issue for another day). I'm assuming the versions here are left over from Cocktail v15 which I did have installed before upgrading to Ventura.

I removed the four .plist files with maintain in the list

sudo rm /Library/LaunchAgents/*.maintain.*.plist

I then quit and restarted System Settings, and now I only see one osascript entry. When I run the grep command above I only have alfred entry now. So maybe on to something here....

Hey all, I stumbled across this discussion while trying to find a fix for an error I've encountered related to an entry for an application within the Allow in the Background section. Any idea how to remove an orphaned entry within this list for an application no longer on the system?

Here's my thread on askdifferent:

Leave a Comment