This post highlights improvements to the AUTOSTART plugin in mac_apt.
Since macOS 13 (Ventura), Login items and Background tasks are managed and tracked via .BTM files. This is located at the path:
/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v<xx>.btm
where <xx> is the version number, currently 13 on macOS 15.2
Much of this information (but not all!) is visible to the end user via the Login items & Extensions page under System Settings as shown below.
 |
| Figure 1 - Login items & Extensions from System Settings |
mac_apt's AUTOSTART plugin already processed BTM files, however this is now significantly improved. Previously BTM specific parameters were not being parsed and developer entries were also included (which are not autostart) which made them difficult to read and interpret, also missing some key information.
BTM files are NSKeyedArchives which when deserialised contain dictionaries of items (login and background tasks) per user.
 |
| Figure 2 - Snippet of single item from .BTM file |
How these are interpreted and transformed into the nice GUI view seen above is dependant mostly on the parameters 'type' and 'disposition'. The following values have been observed for these fields:
The 'type' value indicates if this item is an agent, daemon, app, user defined item or a spotlight or quicklook extension.
When a user toggles the option to OFF for an item in the "Allow in the Background" setting, this will clear the 'Allowed' bit in the Disposition flag thereby indicating 'Not Allowed'.
mac_apt now reads, interprets and shows the BTM parameters for disposition, type, container, developer and executableModifiedDate. The following output snippet filtered for "Not Allowed" will show the same output as that shown in System settings GUI. As seen in Fig 1 above (and Fig 4 below), 2 Citrix items are toggled to OFF, resulting in 6 apps belonging to these items being in the 'Not Allowed' group.
 |
| Figure 3 - Snippet of AUTORUNS output from mac_apt, filtered on BackgroundTask items and 'Not Allowed' disposition |
 |
| Figure 4 - Disabled items from System Settings |
This greatly simplifies the review of background applications. If the app itself disables a startup item, then the 'Enabled' flag is off, this will be missing from the BTM_Disposition column. mac_apt will populate the Disabled column with the value '1' to also indicate this.
Also added is an 'AppArguments' column, which should populate the full command line arguments from all processed files (BTM and plists).
Be aware that mac_apt will process all encountered .btm files, so you may see repeated data as there are likely older .btm files, vestigial artefacts from previous macOS versions. On my test system, I've got BackgroundItems-v9.btm and BackgroundItems-v13.btm. This may be useful from a forensics perspective to look at the autostarts from that point in time. You will have to filter on the 'Source' column in the output if you wish to see only current data.
