Agent Traces: Suppressing macOS Background Notification
Last updated: June 16, 2026
On macOS 13 (Ventura) and later, macOS notifies the user the first time it sees a new background service:
"Software from Attuned Corp. can run in the background."
This is expected, benign behavior. macOS attributes the service to the Developer ID team that signed it — Span (Attuned Corp, team KNH44SBYN4). The notification appears the first time each service is seen on a machine; reinstalls and upgrades do not re-notify.
To prevent the notification from appearing for your users, deploy the configuration profile below through your MDM.
General approach
Deploy a managed configuration profile that allowlists Span's background services:
span-coding-hooks-background-items.mobileconfig
Key points:
The profile must be deployed through your MDM as a managed profile to take effect.
The profile is allow-only — it only permits Span's background services and cannot disable, block, or change any other setting.
It coexists with any existing background-items profiles you have; their entries are preserved.
Deploy it before or alongside the Span Coding Hooks installer on new machines so the notification never appears. On machines that already saw the notification once, the profile cleans up the entry going forward.
The profile allowlists Span's background services two ways: by Team Identifier (
KNH44SBYN4), covering items signed with Span's Apple Developer ID, and by label prefix (com.span.), covering any Span launchd job by name. Both rules are included so every Span background service is matched (currently registry poller invokes/bin/shdirectly instead of a binary built and signed by us, which make the launchd job prefix clearing needed).
Conflict safety
This is an additive, allow-only profile. It does not modify or remove any existing configuration. To deploy it safely:
Deploy it as a new, separate configuration profile. Do not paste this payload into an existing profile, and do not edit an existing Managed Login Items profile.
Keep the
PayloadIdentifiervalues as-provided. Do not reuse an identifier already present in your environment.If your organization consolidates all managed login items into a single profile, append these two rules to that profile's existing
Rulesarray rather than replacing it.
Verification
After the profile lands on a test Mac:
sudo sfltool dumpbtmSpan's services should show as allowed / managed. In System Settings → General → Login Items & Extensions, they appear greyed out as "Managed by your organization," and the user cannot toggle them off. No notification should appear on subsequent installs or upgrades.
Mosyle
Console → Management → Management Profiles → Certificates / Custom Profiles → Add new profile
Upload
span-coding-hooks-background-items.mobileconfig.Assign to the relevant Device group (or user group).
Save — Mosyle deploys it as a managed profile automatically.
Jamf Pro
Either method works:
Native UI (Jamf Pro 11.x+):
Computers → Configuration Profiles → New.
Add the Service Management – Managed Login Items payload.
Add two rules:
Team Identifier =
KNH44SBYN4Label Prefix =
com.span.
Set Scope → Save.
Upload route (any version):
Computers → Configuration Profiles → Upload (next to New).
Select
span-coding-hooks-background-items.mobileconfig.Set Scope → Save.
Create a brand-new Configuration Profile for this — do not add the Managed Login Items payload onto an unrelated existing profile.
Workspace ONE
Resources → Profiles & Baselines → Profiles → Add → Add Profile → Apple macOS → Device.
Fill in General (name + assignment Smart Group).
Add a Custom Settings payload and paste the
com.apple.servicemanagementpayload XML (the inner<dict>…</dict>, or the full profile depending on your WS1 version's Custom Settings handling).Save & Publish.
IRU (Kandji)
Library → Add New → Custom Profile.
Name it (e.g. Span Coding Hooks — Background Items Allowlist) and upload
span-coding-hooks-background-items.mobileconfig.Assign the relevant Blueprint(s).
Save — Kandji deploys it as a managed profile.