
What are Mac kernel extensions?

Kernel extensions, or KEXTs, are bundles that developers use to extend the capabilities of the Mac operating system. They allow modules of code to be loaded into the macOS kernel dynamically.

Mac kernel extensions run with kernel privileges and provide a way to modify the core operating system so that complex apps can work smoothly. Apps install kernel extensions to perform operations for which macOS has no native feature or function. Antivirus software, firewalls, VPN clients, DNS proxies, USB drivers and others rely on kernel extensions to carry out their more complex functions. There are extensions that drive graphics cards, handle network connectivity and provide many other features, particularly for security and management purposes. Once a KEXT is loaded it becomes part of the kernel and therefore has access to every area of the Mac.

Though kernel extensions are useful in many ways, they also bring security risks. Some extensions cause random crashes and may slow down the machine, and some are not uninstalled even after the app they belong to is removed from the device. Because a KEXT runs inside the kernel, a vulnerability or fault in one can take down the entire macOS system. Apple has therefore implemented stringent security measures around kernel extensions starting with macOS 10.13: User Approved Kernel Extension Loading (UAKEL) gives end users full control to approve or deny extensions when software is installed, which helps prevent kernel-level attacks.

Kernel extensions can be whitelisted through a UEM or locally on the Mac. Users can approve an extension directly on the device when they are prompted during app installation. Macs enrolled in a Unified Endpoint Management (UEM) solution can instead have extensions approved by policy: admins can either prohibit users from enabling kernel extensions or define a list of kernel extensions that are allowed to load without user consent.