Why Mac system extensions are the modern replacement to kernel extensions (KEXTs)

Eugene Raynor

Jul 22, 2021

17 min read

Apple has always strived to achieve the best in safety and security for their devices. So much so that when we're talking about desktops, Macs are the go-to choice for businesses that require reliability and security. It is no wonder, then, that Apple decided to move from the legacy kernel extensions to the safer and more secure Mac system extensions. But what was the reason behind this move? Why were KEXTs considered such a big security risk? And what exactly are system extensions? Here is everything you need to know about Apple's move away from the legacy KEXTs and the arrival of Mac system extensions.


What are Mac system extensions?

Mac system extensions are a category of software, or specific application bundles, used to extend the functionality of a macOS device. System extensions work very similarly to kernel extensions. The difference is that, unlike KEXTs (which run in the kernel space), system extensions run in the user space outside the kernel, like other apps and software. To understand Mac system extensions properly, I think a basic overview of the legacy KEXTs and how they work is necessary. So here goes.

What are Mac kernel extensions?

Kernel extensions, often referred to as KEXTs, are application bundles, or basically pieces of code, that extend macOS functionality by allowing software to load directly into the macOS kernel.

In the most basic terms, a kernel extension enables the specified software and its components to load into the macOS kernel (the core of the operating system), and thereby sets up the interaction between the software components and the kernel. Why is this advantageous? Well, it gives the software the ability to address the Mac's hardware directly, and enables access to low-level OS interactions, including peripheral hardware, memory management, task management, and disk management functionality.

[Image: Configuring kernel extensions on a Mac]

For example, let's say a third-party firewall requires access to your system memory and the data on your Mac's hard drive. By allowing the necessary kernel extensions to load on your Mac, you give this firewall access to modify the core OS components (the kernel), and enable the app to execute its functions correctly.

In addition to firewalls, many other Mac utilities, including antivirus software, VPN clients, USB drivers, DNS proxies, communication software, network connectivity tools, file syncing tools, and more, make use of kernel extensions to successfully perform their complex functions.



Why do kernel extensions pose a security threat to your macOS system?

If you have read this far, you might have guessed it already, but yes: unfortunately, kernel extensions do pose a security threat to your macOS system. While KEXTs are a beautiful addition that gives developers the freedom to create apps with complex functionality, they also present the folks at Apple with quite a few security challenges.

You see, kernel extensions aren't bound by your Mac's security policies. When a KEXT is loaded into the macOS kernel, it gets access to all the hardware functionality on the device. Hence, every app that uses kernel extensions must leave no room for error in its workflows. Even a minor vulnerability that makes the app crash or malfunction could put your entire system at risk, and in the worst case even brick it. What's more, there have been attempts (some successful) by hackers who took advantage of such vulnerabilities to breach systems.

[Image: Security threats on a Mac]

Considering these potential vulnerabilities, Apple was ready with an initial response. Starting from macOS 11, third-party kernel extensions require user approval and a complete macOS restart before the changes are loaded into the kernel. Apple also required that Secure Boot be configured to 'Reduced Security' before kernel extensions can be loaded.

However, even with these security measures, hackers have discovered approaches to bypass user approval and expose your macOS system through KEXTs. Hence today, citing risks to the integrity and reliability of your operating system, Apple no longer recommends using kernel extensions for macOS devices. Instead, they advise users to prefer solutions that don’t require extending the kernel. So, what are these solutions they’re talking about? Yep! You guessed it. Enter – Mac system extensions.

Why you should migrate to Mac system extensions

Mac system extensions are the modern-day replacement that Apple has suggested in place of kernel extensions for macOS devices. With system extensions, Apple provides new frameworks for developers to perform their tasks (with KEXTs, developers were limited to just one framework). This includes eliminating the restrictions on dynamic memory allocation, synchronization, and latency, the ability to use any framework in the macOS SDK, and the use of any programming language, including Swift (kernel extensions were limited to C and C++).

Now, in terms of function, macOS system extensions work very similarly to kernel extensions. So much so that if you're the end-user, you probably won't notice the difference. However, unlike KEXTs, Mac system extensions don't make use of the kernel space. That is, they are not loaded directly into the macOS kernel. Instead, they run in the user space, as other apps and software do, and are controlled and kept in check by your Mac's security rules.

What does this mean? If a system extension crashes, the rest of the macOS system and its apps remain unaffected and keep functioning. This factor makes system extensions the more reliable and secure option when compared to KEXTs.

The announcement at the Worldwide Developers Conference (WWDC) 2019, on the deprecation of kernel extensions and the replacement with Mac system extensions, was a sign that Apple had realized the potential risks posed by kernel extensions (KEXTs), and shifted their focus to better tech. Likewise, this is a call for the rest of the IT world to follow suit.

| Mac kernel extensions | Mac system extensions |
| --- | --- |
| Software is loaded directly into the macOS kernel (kernel space) | Software is not loaded into the kernel space; instead, it runs in the user space |
| Kernel extensions are not bound by macOS security policies | Like any other software, system extensions are bound by macOS security policies |
| A vulnerability can take down the entire macOS system | A vulnerability does not bring down the entire system |
| Restrictions on dynamic memory allocation, synchronization, and latency | No such restrictions |
| KEXTs cannot use system frameworks | System extensions can use any framework in the macOS SDK |
| Kernel extensions support only C/C++ | System extensions support all languages, including Swift |

What are the three Mac system extension frameworks?

Okay, so let’s get to the big question. If system extensions function outside the kernel space, then how could they achieve functionalities on par with kernel extensions? Especially when system extensions are bound by Mac’s software rules and kernel extensions are not?

Easy. It's because these system extensions are granted special privileges with the help of frameworks (or special APIs) that give apps direct access to their associated hardware and internal kernel interfaces, without requiring them to load directly into the kernel.

[Image: Configuring system extensions on a Mac]

Currently, three frameworks are used by Mac system extensions to replace the functions offered by legacy KEXTs.

DriverKit framework

The DriverKit framework defines the fundamental behaviour for device drivers on your Mac. This framework determines your driver’s basic structure, and provides support for handling events and allocating memory. You can use the DriverKit framework to create drivers for USB, serial, network interface, and human interface devices and install them on your Mac. (Due to their close relationship to the macOS hardware, driver extensions must still be written in C or C++ and must make use of the DriverKit framework.)

Network Extension framework

With the Network Extension framework, you can customize and extend core networking functionality, including changing the system's Wi-Fi configuration, creating and managing VPN configurations, implementing an on-device content filter, creating and managing system-wide DNS configurations, and more.

Endpoint Security framework

The Endpoint Security framework is an API for monitoring system events for potentially malicious activity, and even blocking system events to better conform with macOS security policies. Basically, it replaces legacy KEXTs that monitored security events through the KAUTH interfaces. The Endpoint Security framework (and its APIs) is used by security apps such as endpoint detection and response, anti-virus, and data loss prevention software.

Are Mac system extensions a complete replacement to KEXTs?

Although macOS system extensions provide functionality similar to kernel extensions, and do so in a more reliable and secure manner, a complete transition to system extensions isn't possible for now. This is because some kernel extensions still use KPIs that are not supported by the three available system extension frameworks. This includes KPIs used by virtualization software such as VirtualBox and Parallels (which let you run platforms such as Windows within a Mac). As a result, the kernel extensions for such software still operate outside the possible system extension frameworks, and in such cases IT must continue to use KEXTs until Apple offers a suitable system extension replacement.

What users should know before approving extensions on their Mac

Here are a few things that users should know before approving system and kernel extensions on their Macs.

[Image: IT admin checking system specifications on a Mac]

  • Apple is currently in the process of phasing out kernel extensions and replacing them with system extensions. Hence, you may receive alerts when software on your Mac loads deprecated or unsupported KEXTs. In such cases, it is better to ask the developers to transition to the system extension counterparts.
  • Like kernel extensions, system extensions require permission to access or modify the core OS components on your Mac. This permission can be granted manually by the end-user, or the prompt can be bypassed entirely using a UEM solution.
  • If you are unsure whether an extension that is requesting to be installed on your Mac is a KEXT or a system extension, you can verify this with the help of terminal commands.

We’ve provided detailed explanations in the upcoming sections on how to deal with each of these cases.

What does the ‘Legacy System Extension’ alert on macOS devices signify?

When deprecated or unsupported kernel extensions are loaded on devices running macOS Catalina 10.15.4 and above, end-users will usually receive an alert stating that the software they are trying to load uses a deprecated KPI, and asking them to contact the developer for alternatives.

Here, the 'Legacy System Extension' mentioned in the dialog box is in reality a kernel extension that uses a deprecated KPI. The function of this alert is to give you advance notice that the loaded extension will soon be unsupported in future versions of macOS.

Now, if as an IT admin you do not want your end-users to receive such alerts, you can prevent them from popping up by pre-approving these KEXTs with the help of a UEM solution. First, identify the software and the kernel extensions that are causing these alerts. Next, locate the Team ID of the software and, if necessary, the Bundle ID of the KEXT (how to locate the Team ID and Bundle ID is explained in a later section), and enter these fields in the corresponding kernel extension configuration policy of your UEM. In the case of Hexnode UEM, the procedure for configuring kernel extensions is described in the upcoming sections.

[Image: Bypass user approval for system extension loading]

However, it is essential that you contact the developers and advise them to transition their software to system extensions, as Apple will be phasing out kernel extensions in the future. (If the software uses unsupported KPIs, the kernel extension will not load at all. In such cases, your only option is to contact the developer and ask them to transition to the system extension counterparts.)

System extension replacements for deprecated KPIs

The following are the system extension replacements for their corresponding deprecated or unsupported Kernel Programming Interfaces (KPIs).

Unsupported: The KPI is no longer supported. Any kernel extension using an unsupported KPI will not load.

Deprecated: The KPI is available but will become unsupported in the future.

Loading a kernel extension that uses one of the following KPIs (each of which has a system extension replacement) will trigger the 'Legacy System Extension' dialog box.

| KPI | System extension replacement | Unsupported after | Deprecated after |
| --- | --- | --- | --- |
| KAUTH | EndpointSecurity | macOS Big Sur 11.0 | macOS Catalina 10.15 |
| Network filter | NetworkExtension | macOS Big Sur 11.0 | macOS Catalina 10.15 |
| Socket | NetworkExtension | | macOS Catalina 10.15 |
| IOHID family | HIDDriverKit | macOS Big Sur 11.0 | macOS Catalina 10.15 |
| IOUSB family | USBDriverKit | macOS Big Sur 11.0 | OS X El Capitan 10.11 |
| USB networking | USBDriverKit, NetworkingDriverKit | macOS Big Sur 11.0 | macOS Catalina 10.15 |
| USB serial | USBDriverKit, SerialDriverKit, USBSerialDriverKit | macOS Big Sur 11.0 | macOS Catalina 10.15 |
| USB vendor-specific IPC | USBDriverKit, IOUSBHost, DriverKit | macOS Big Sur 11.0 | macOS Catalina 10.15 |
| PCI networking | PCIDriverKit, NetworkingDriverKit | macOS Big Sur 11.0 | macOS Catalina 10.15 |

How to identify system and kernel extensions on your Mac

Now, if you need to identify the kernel or system extensions on your Mac and find their Team ID and Bundle ID, you can enter the following commands into the Terminal.

[Image: Identify system extensions on a Mac]

How to identify system extensions on your Mac

In the case of system extensions, most of them can be found in the /Library/SystemExtensions folder. However, you can also use the terminal command systemextensionsctl list to obtain information on all system extensions on your Mac. Just enter that command in the Terminal and press 'Enter'. The number of system extensions, along with the details of each, including the Team ID and Bundle ID, will be displayed.

How to identify kernel extensions on your Mac

To identify kernel extensions on your Mac, open the Terminal and enter the following command: sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy (note the space between sqlite3 and the database path). Next, at the sqlite prompt, enter the query SELECT * FROM kext_policy; and a list containing the Team ID, Bundle ID, and developer name of each kernel extension will be displayed (the first field in each row is the Team ID, followed by the Bundle ID).
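As an added example (not from the original post, and not a Hexnode tool), the following Python script parses both of the listings just described and collects the Team ID and Bundle ID of every extension into the pairs a UEM allowlist asks for. The sample text is constructed to follow the layout of systemextensionsctl list and of sqlite3's default pipe-separated output for the kext_policy query; every Team ID and bundle ID in it is made up.

```python
"""Collect Team ID / Bundle ID pairs from the two Terminal listings described above.

Both inputs below are constructed samples (not captured from a real Mac) that follow
the layout of `systemextensionsctl list` and of the '|'-separated rows sqlite3 prints
for `SELECT * FROM kext_policy;` (team_id|bundle_id|allowed|developer_name|flags).
"""

SYSEXT_LIST = """\
3 extension(s)
--- com.apple.system_extension.endpoint_security
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
*\t*\tAB12CD34EF\tcom.example.edr.esext (3.1.0/310)\tExampleEDR\t[activated enabled]
--- com.apple.system_extension.network_extension
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
*\t*\tAB12CD34EF\tcom.example.vpn.tunnel (2.0.4/204)\tExampleVPN\t[activated enabled]
\t\tZZ99YY88XX\tcom.example.filter (1.0/1)\tExampleFilter\t[activated waiting for user]
"""

KEXT_POLICY_ROWS = """\
AB12CD34EF|com.example.legacyfirewall.kext|1|Example Security Inc.|1
|com.example.unsigned.driver|1|Unknown|0
"""


def parse_sysext_list(text):
    """Return (extension type, Team ID, Bundle ID, enabled, active) for each row."""
    entries, ext_type = [], None
    for line in text.splitlines():
        if line.startswith("--- "):
            ext_type = line[4:].strip()  # section header names the extension type
            continue
        fields = line.split("\t")
        if ext_type is None or len(fields) < 4 or fields[2] == "teamID":
            continue  # skips the "N extension(s)" line and each column header
        enabled, active, team_id, bundle_ver = fields[:4]
        bundle_id = bundle_ver.split(" (")[0]  # drop the "(version/build)" suffix
        entries.append((ext_type, team_id, bundle_id, enabled == "*", active == "*"))
    return entries


def parse_kext_policy(text):
    """Return (Team ID, Bundle ID, allowed) per row; Team ID is '' for unsigned KEXTs."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            team_id, bundle_id, allowed = line.split("|")[:3]
            rows.append((team_id, bundle_id, allowed == "1"))
    return rows


def allowlist_pairs(sysext_text, kext_text):
    """Sorted, de-duplicated (Team ID, Bundle ID) pairs: the fields a UEM policy asks for."""
    pairs = {(e[1], e[2]) for e in parse_sysext_list(sysext_text)}
    pairs |= {(r[0], r[1]) for r in parse_kext_policy(kext_text)}
    return sorted(pairs)


if __name__ == "__main__":
    for team_id, bundle_id in allowlist_pairs(SYSEXT_LIST, KEXT_POLICY_ROWS):
        print(f"Team ID: {team_id or '(unsigned)':12} Bundle ID: {bundle_id}")
```

On a real Mac the two constants would be replaced by the captured output of the commands above; an empty Team ID marks an unsigned KEXT, which is the case where a UEM policy takes only the Bundle ID.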

How users can allow extensions on their Macs

Since the introduction of macOS High Sierra 10.13, end-user approval has been necessary before kernel extensions can load on a Mac.

IT admins can bypass user approval for loading system extensions and KEXTs, by implementing a Unified Endpoint Management solution to configure system and kernel extension policies on macOS.

As an end-user, you can approve system and kernel extensions by following the steps below.

  • Attempt to load a system/kernel extension that does not yet have user approval.
  • The system/kernel extension is denied, and an alert box pops up that redirects you to the Security & Privacy pane (in System Preferences) on your Mac.
  • After unlocking this pane with the admin account credentials, you are given the option to approve the system extension/KEXT to load on your Mac.
  • If left unattended, this option disappears after 30 minutes, after which you must attempt to load the system extension/KEXT again.

How to deploy Mac system and kernel extensions using Hexnode UEM

With the help of Hexnode UEM (on devices running macOS High Sierra 10.13.2 and higher) IT can specify a whitelist of system and kernel extensions that can be automatically loaded on the specified Macs, eliminating the need for user-approval prompts that ultimately disrupt the overall user experience.

[Image: Configure Mac system and kernel extensions using Hexnode UEM]

To achieve this, first identify the Team ID and Bundle ID of the system and kernel extensions to be approved (the method to find these is described in the earlier sections). Next, follow the steps below.

Deploy kernel extensions using Hexnode UEM

There are three ways to deploy kernel extensions using Hexnode.

Method 1

Specify the Team ID of the signed kernel extensions. This will automatically approve all kernel extensions that possess the whitelisted Team IDs, regardless of their bundle IDs.

Method 2

Specify the Team ID and Bundle ID of the signed kernel extensions. This method will approve only the specified kernel extensions with the correct Team ID and Bundle ID to load on a Mac.

Method 3

For the case of unsigned kernel extensions, specify only the Bundle ID and leave the Team ID blank.

Deploy system extensions using Hexnode UEM

There are four ways to deploy system extensions using Hexnode.

Method 1

Specify the Team ID of the signed system extensions. This will automatically approve all extensions that possess the whitelisted Team IDs, regardless of their bundle IDs.

Method 2

Specify the Team ID and Bundle ID of the signed system extensions. This method will approve only the specified extensions with the correct Team ID and Bundle ID to load on a Mac.

Method 3

For the case of unsigned system extensions, specify only the Bundle ID and leave the Team ID blank.

Method 4

You can also approve system extensions on your Mac based on the system extension types. Here, any system extension that belongs to one of the allowed types (Endpoint Security Extension, Driver Extension, and Network Extension) and possesses a whitelisted Team ID will be allowed to load on a Mac.

Note:

IT admins can also restrict users from approving additional system extensions or KEXTs that are not on the whitelist configured in the UEM policy. You can do this by unchecking the 'User Override' box in the Hexnode policy portal. If the box is checked, users are allowed to approve additional extensions to load on their Macs.
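To make the four methods and the User Override setting concrete, here is an added example that models how an allowlist of this shape decides whether an extension may load. It is an illustrative model written for this page, not Hexnode's implementation or policy format; the Team IDs and bundle IDs are made up, and the rule that a blank Team ID matches only unsigned extensions is an assumption of the model.

```python
"""Model of the allowlisting methods described above. This is an illustrative
example, not Hexnode's implementation: each policy entry is a dict with optional
keys team_id, bundle_id and types, covering
  Method 1: team_id only             -> every extension signed by that team
  Method 2: team_id + bundle_id      -> exactly that one extension
  Method 3: bundle_id, blank team_id -> an unsigned extension, matched by bundle
  Method 4: team_id + types          -> any extension of those types by that team
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Extension:
    team_id: str    # '' when the extension is unsigned
    bundle_id: str
    ext_type: str   # 'endpoint_security', 'driver' or 'network'


def entry_allows(entry, ext):
    """Does one allowlist entry cover this extension?"""
    team = entry.get("team_id", "")
    bundle = entry.get("bundle_id")
    types = entry.get("types")
    if bundle is not None and bundle != ext.bundle_id:
        return False
    if types is not None and ext.ext_type not in types:
        return False
    if team:  # Methods 1, 2 and 4: the signing Team ID must match
        return ext.team_id == team
    # Method 3 (assumption of this model): a blank Team ID matches only an unsigned extension
    return bundle is not None and ext.team_id == ""


def decide(policy, ext, user_approved=False):
    """'allowed' if an entry covers it; otherwise 'user' when User Override is on and
    the end-user approved it in Security & Privacy; otherwise 'blocked'."""
    if any(entry_allows(e, ext) for e in policy["entries"]):
        return "allowed"
    if policy.get("user_override", False) and user_approved:
        return "user"
    return "blocked"


# Constructed sample policy; the Team IDs and bundle IDs are made up.
POLICY = {
    "user_override": False,
    "entries": [
        {"team_id": "AB12CD34EF"},                                             # Method 1
        {"team_id": "ZZ99YY88XX", "bundle_id": "com.example.filter"},          # Method 2
        {"bundle_id": "com.example.unsigned.driver"},                          # Method 3
        {"team_id": "QQ11WW22EE", "types": ["endpoint_security", "network"]},  # Method 4
    ],
}
```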

For additional information on configuring system extensions and KEXTs using UEM, make sure to read Hexnode’s help documentation on configuring system extensions and kernel extensions for macOS devices.

The final note

With the introduction of macOS Catalina, system extensions have begun to steadily replace legacy kernel extensions for almost every purpose. However, there are still some functionalities that are not covered by the three system extension frameworks (e.g. KEXTs for virtualization software). In such cases, kernel extensions are still required for the software to function properly.

That being said, it is crucial to point out that system extensions are part of Apple's commitment to gradually eliminate the use of kernel extensions and create a more reliable and secure environment for Macs. Hence, wherever possible, you should use system extensions in place of KEXTs. With the help of a UEM solution like Hexnode, IT can streamline the deployment of system extensions and KEXTs to their corporate Macs, and ensure a safe and secure environment for their business.
