System Extensions
Certain antivirus/network security applications require access to the hard disk and memory of devices in order to function properly. For this purpose, you might need to allowlist certain extensions on these devices. As a part of macOS 10.13, Apple introduced User Approved Kernel Extension Loading (UAKEL), which gave users full control to approve or deny Kernel extensions during software installation.
However, Mac machines on which you remotely approve these extensions using an MDM solution must hold a User Approved MDM (UAMDM) status. Mobile Device Manager Plus' enrollment methods automatically grant the UAMDM status to managed Mac machines. As a result, you can allowlist both Kernel Extensions and System Extensions, which include Network, Driver, and Security extensions.
Note: To add Kernel Extensions on a Mac with Apple Silicon, refer here.
Prerequisite(s)
- OS requirement:
  - macOS 10.13 or later - To approve Kernel Extensions
  - macOS 10.14 or later - To approve System Extensions
- User Approved MDM (UAMDM) status is required on managed Macs.
- If an Apple silicon Mac was enrolled through a method other than ABM/ASM and you are trying to allowlist a kext, you have to change the security policy to Reduced Security on the Mac.
Profile Description
| Profile Specification | Description |
|---|---|
| Allow users to approve kernel/system extensions manually | Enabling this allows users to manually approve or block extensions that are not specified in this policy. |
| Team identifier | To approve extensions developed by a vendor, provide the vendor's Team identifier. |
| Allowed Extension Categories | Select at least one category of extensions you want to allowlist. |
| Extension bundle identifier(s) | To approve specific extensions developed by a vendor that belong to particular categories, specify their unique bundle identifier(s). If this is left unspecified, all extensions with the same Team identifier will be approved. |
- To allowlist the complete set of extensions developed by a vendor, across all categories:
  - Specify the Team identifier of the vendor and ensure all the Allowed Extension Categories are selected before saving the policy.
- To allowlist a specific set of extensions developed by a vendor that belong to one or more categories:
  - Specify the Team identifier of the vendor and select at least one Allowed Extension Category before saving the policy.
- To allowlist a particular extension developed by a vendor that belongs to a specific category:
  - Specify the Team identifier of the vendor and the particular Extension bundle identifier, and select the extension's category as well. You can add multiple Extension bundle identifiers if required.
How to obtain Team identifier and Extension bundle identifier(s)
- On a fresh installation of macOS 10.14 or later, install all the extensions your users require.
- When a request to load a third-party extension is made to the OS, you will be prompted to provide your consent.
- Now, go to System Preferences -> Security & Privacy, and click on Allow for all the required extensions.
  NOTE: The Allow button is available for only 30 minutes. For it to reappear, the Mac machine must be restarted so that the extension is loaded once again.
- Once you approve all required extensions, open Terminal and run `systemextensionsctl list`. In each row of the output, the first segment is the Team identifier and the second segment is the Extension bundle identifier, followed by the vendor's display name.
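The following Python script is an added example, not part of this documentation or of Mobile Device Manager Plus. It parses constructed `systemextensionsctl list` output into Team identifier, bundle identifier, display name and category, then applies the three allowlisting rules described above (all categories of a vendor, selected categories of a vendor, or specific bundle identifiers) to see which loaded extensions a policy would approve. The tab-separated column layout, the category header names and all team/bundle identifiers in the sample are assumptions made for the example, not real vendor values.

```python
"""Check which loaded system extensions a System Extensions policy would
approve. Added example: the sample output below is constructed and the
column layout of `systemextensionsctl list` is assumed."""
from dataclasses import dataclass
import re

# Constructed sample of `systemextensionsctl list` output. Team IDs and
# bundle IDs are placeholders, not real vendors.
SAMPLE_OUTPUT = """\
3 extension(s)
--- com.apple.system_extension.network_extension
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
*\t*\tEXAMPLETEAM\tcom.example.netfilter (1.2/12)\tExample Net Filter\t[activated enabled]
--- com.apple.system_extension.endpoint_security
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
*\t*\tEXAMPLETEAM\tcom.example.esagent (3.0/30)\tExample Security Agent\t[activated enabled]
--- com.apple.system_extension.driver_extension
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
\t\tOTHERTEAM00\tcom.other.driver (1.0/1)\tOther Driver\t[activated waiting for user]
"""

# Assumed mapping from the category header printed by systemextensionsctl
# to the three Allowed Extension Categories the profile lets you select.
CATEGORY_BY_HEADER = {
    "com.apple.system_extension.network_extension": "Network",
    "com.apple.system_extension.endpoint_security": "Security",
    "com.apple.system_extension.driver_extension": "Driver",
}


@dataclass(frozen=True)
class Extension:
    team_id: str
    bundle_id: str
    name: str
    category: str


def parse_list_output(text):
    """Return one Extension per data row; the current '--- ' header decides
    the category. Summary and column-header lines are skipped."""
    extensions = []
    category = None
    for line in text.splitlines():
        if line.startswith("--- "):
            header = line[4:].strip()
            category = CATEGORY_BY_HEADER.get(header, header)
            continue
        cols = line.split("\t")
        if len(cols) < 5 or cols[2] == "teamID":
            continue  # "N extension(s)" summary or the column header row
        # bundleID column carries "(version)" after the identifier
        match = re.match(r"(\S+) \(", cols[3])
        bundle_id = match.group(1) if match else cols[3]
        extensions.append(Extension(cols[2], bundle_id, cols[4], category))
    return extensions


@dataclass(frozen=True)
class Policy:
    """One allowlist entry: a vendor's Team identifier, the selected
    Allowed Extension Categories, and optional bundle identifiers.
    An empty bundle_ids set approves every extension of that team
    within the selected categories, as the profile description states."""
    team_id: str
    categories: frozenset
    bundle_ids: frozenset = frozenset()

    def approves(self, ext):
        if ext.team_id != self.team_id or ext.category not in self.categories:
            return False
        return not self.bundle_ids or ext.bundle_id in self.bundle_ids


def approved_bundle_ids(extensions, policies):
    """Bundle identifiers of the loaded extensions some policy approves."""
    return [e.bundle_id for e in extensions
            if any(p.approves(e) for p in policies)]


if __name__ == "__main__":
    exts = parse_list_output(SAMPLE_OUTPUT)
    for e in exts:
        print(f"{e.team_id}\t{e.bundle_id}\t{e.name}\t{e.category}")
    vendor_all = Policy("EXAMPLETEAM", frozenset({"Network", "Driver", "Security"}))
    print("approved:", approved_bundle_ids(exts, [vendor_all]))
```

Extensions from a Team identifier the policy does not name (OTHERTEAM00 in the sample) are never approved by it; whether a user can still approve them manually depends on the "Allow users to approve kernel/system extensions manually" setting, which this example does not model.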
Troubleshooting tips
- "The current system configuration does not allow the requested operation."
  This error occurs when a single profile allowlists both Kernel Extensions and System Extensions and is distributed to Apple silicon Macs.