Why Mac system extensions are the modern replacement to kernel extensions (KEXTs)

Apple has always strived to achieve the best in safety and security for their devices. So much so that when we’re talking about desktops, Macs are the go-to choice for businesses that require reliability and security. It is no wonder then that Apple decided to make the move from the legacy kernel extensions to the safer and more secure Mac system extensions. But what was the reason behind this move? Why were KEXTs considered as such a big security risk? And what exactly, are system extensions? Here is everything you need to know about Apple’s move away from the legacy KEXTs, and the coming of Mac system extensions.

What are Mac system extensions?

Mac system extensions are a category of software or specific application bundles, used to extend the functionality of a macOS device. System extensions work very similar to kernel extensions. But the difference is – unlike KEXTs (which runs in the kernel space), system extensions run in the user space outside the kernel, like other apps and software. To get to know more about Mac system extensions, I think a basic overview of the legacy KEXTs and how it works, is necessary. So here goes.

What are Mac kernel extensions?

Kernel extensions, sometimes referred to as KEXTs, are application bundles, or basically, pieces of code that are used to extend macOS functionality, by allowing software to load directly into the macOS kernel.

In the most basic terms, what a kernel extension does is – it enables the specified software and its components to load into the macOS kernel (the core of the operating system), and thereby, sets up the interaction between the software components and the kernel. Why is this advantageous? Well, this provides the software with the ability to address the macOS hardware directly, and enables access to low-level OS interactions, including access to peripheral hardware, memory management, task management, and disk management functionalities.

Configuring kernel extensions on a Mac 

For example, let’s say a third-party firewall requires access to your system memory and macOS hard drive data. By allowing the necessary kernel extensions to load on you Mac, you provide this firewall with access to modify the core OS components (the kernel), and enable the app to execute its functions correctly.

In addition to firewalls, many other Mac utilities, including antivirus software, VPN clients, USB drivers, DNS proxies, communication software, network connectivity tools, file syncing tools, and more, make use of kernel extensions to successfully perform their complex functions.

Why do kernel extensions pose a security threat to your macOS system?

By reading this blog so far, you might have realized it, but yes. Unfortunately, kernel extensions do pose a security threat to your macOS system. While KEXTs are a beautiful addition that gives developers the freedom to create apps with complex functionalities, it also presents the folks at Apple with quite a few security challenges.

You see, kernel extensions aren’t bound by your Mac’s security policies. When a KEXT is loaded into the macOS kernel, it gets access to all the hardware functionalities on the device. Hence, every app that uses kernel extensions must certainly have no room for error in its workflows. Even a minor vulnerability that may make the app crash or malfunction could put your entire system at risk. In worst cases, even brick it. What’s more, there have even been attempts (some successful) by hackers who took advantage of these vulnerabilities to breach your system.

Security threats on a Mac 

Considering these potential vulnerabilities, Apple was ready with an initial response. Starting from macOS 11, third-party kernel extensions require user approval and a complete macOS restart before loading the changes into the kernel. They also demanded that the secure boot be configured to ‘Reduced Security’ before loading kernel extensions.

However, even with these security measures, hackers have discovered approaches to bypass user approval and expose your macOS system through KEXTs. Hence today, citing risks to the integrity and reliability of your operating system, Apple no longer recommends using kernel extensions for macOS devices. Instead, they advise users to prefer solutions that don’t require extending the kernel. So, what are these solutions they’re talking about? Yep! You guessed it. Enter – Mac system extensions.

Why you should migrate to Mac system extensions

Mac system extensions are the modern-day replacements that Apple has suggested in place of kernel extensions for macOS devices. With system extensions, Apple provides new frameworks for developers to perform tasks (with KEXTs, developers were limited with just one framework). This includes eliminating restrictions on dynamic memory allocation, synchronization, and latency, the ability to use any framework in the macOS SDK, and the utilization of any programming language, including Swift (kernel extensions were limited to C and C++).

Now, in terms of function, macOS system extensions work very similarly to kernel extensions. So much that if you’re the end-user, you probably won’t notice the difference. However, unlike KEXTs, Mac system extensions don’t make use of the kernel space. That is, they are not loaded directly into the macOS kernel. Instead, they run in the user space, as other apps and software do, and are controlled and kept at bay by your Mac’s security rules.

What does this mean? If a system extension crashes, the rest of the macOS system and its apps remain unaffected and keep functioning. This factor makes system extensions the more reliable and secure option when compared to KEXTs.

The announcement at the Worldwide Developers Conference (WWDC) 2019, on the deprecation of kernel extensions and the replacement with Mac system extensions, was a sign that Apple had realized the potential risks posed by kernel extensions (KEXTs), and shifted their focus to better tech. Likewise, this is a call for the rest of the IT world to follow suit.

What are the three Mac system extension frameworks?

Okay, so let’s get to the big question. If system extensions function outside the kernel space, then how could they achieve functionalities on par with kernel extensions? Especially when system extensions are bound by Mac’s software rules and kernel extensions are not?

Easy. It’s because these system extensions are granted special privileges, with the help of frameworks (or special APIs) that provide apps with direct access to their associated hardware and internal kernel interfaces (without requiring them to load directly to the kernel).

Currently, three frameworks are used by Mac system extensions to replace the functions offered by legacy KEXTs.

Are Mac system extensions a complete replacement to KEXTs?

Although macOS system extensions provide functionalities similar to kernel extensions (that too in a more reliable and secure manner), for now, a complete transition to system extensions isn’t possible. This is because some kernel extensions still use KPIs that are not supported by the available three system extension frameworks. This includes KPIs for virtualization software such as VirtualBox and Parallels (which could enable you to run platforms such as Windows within a Mac). As a result, the kernel extensions for such software still operate outside the possible system extension frameworks. And in such cases, IT must continue to use KEXTs until Apple offers a suitable system extension replacement.

What users should know before approving extensions on their Mac

Here are a couple of things that users should know before approving system and kernel extensions on their Macs.

• Apple is currently in the process of phasing out kernel extensions and replacing them with system extensions. Hence, you may receive alerts when software on your Mac loads deprecated or unsupported KEXTs. In such cases, it is better to ask developers to transition to the system extension counterparts.
• Like kernel extensions, system extensions will require permission to access or modify the core OS components on your Mac. This permission can be granted manually by the end-user user or can be completely bypassed using a UEM solution.
• If you are confused about whether an extension that is requesting to be installed on your Mac is a KEXT or a system extension, you can verify this with the help of terminal commands.

We’ve provided detailed explanations in the upcoming sections on how to deal with each of these cases.

What does the ‘Legacy System Extension’ alert on macOS devices signify?

When loading deprecated or unsupported kernel extensions on macOS Catalina (10.15.4) devices and above, end-users will usually receive an alert stating, the software you are trying to load uses a deprecated KPI, asking you to contact the developer for alternatives.

Here, the ‘Legacy System Extension’ mentioned in the dialog boxes are in reality, kernel extensions that use a deprecated KPI. The function of this alert is to give you advance notice that the loaded extension will soon be unsupported for future versions of macOS.

Now if, as an IT admin, you do not want your end-users to receive such alerts, you can prevent them from popping up by pre-approving these KEXTs with the help of a UEM solution. First, identify the corresponding software and its kernel extensions that are causing these alerts. Next, locate the Team ID of the software, and if necessary, the Bundle ID of the KEXT (information on ‘how to locate Team ID and Bundle ID’ is provided in the next section), and enter these fields in the corresponding kernel extension configuration policy for your UEM. In the case of Hexnode UEM, the procedure for configuring kernel extensions is highlighted in the upcoming sections.

Bypass user approval for system extension loading 

However, it is essential to ensure that you contact the developers and advise them to transition to the use of system extensions for their software, as Apple will be phasing out kernel extensions in the future. (If the software is utilizing unsupported KPIs, the kernel extension will not load. In such cases, your only option is to contact your developer and ask them to transition to the system extension counterparts.)

System extension replacements for deprecated KPIs

The following are the system extension replacements for their corresponding deprecated or unsupported Kernel Programming Interfaces (KPIs).

Unsupported: The KPI is no longer supported. Any kernel extension using an unsupported KPI will not load.

Deprecated: The KPI is available but will become unsupported in the future.

Loading one of the following KPIs with a system extension replacement will trigger the ‘Legacy System Extension’ dialogue box.

How to identify system and kernel extensions on your Mac

Now, if you need to identify the kernel or system extensions on your Mac and find its Team ID and Bundle ID, you can use the following commands or scripts and input them into the terminal.

How users can allow extensions on their Macs

Since the introduction of macOS High Sierra 10.13, end-user approval is necessary before loading kernel extensions onto their Macs.

As an end-user, you can easily approve kernel extensions by following the below-mentioned steps.

• Attempt to load a system/kernel extension that does not have user approval.
• The system/kernel extension is denied access, and an alert box pops up that redirects the users to the Security and Privacy pane (in System Preferences) on their Mac.
• Once unlocking this page with the admin account credentials, the user is given the option to approve the system extension/KEXT to load on their Mac.
• If left unattended, this option disappears after 30 mins, following which you must attempt to load the system extension/KEXT again.

How to deploy Mac system and kernel extensions using Hexnode UEM

With the help of Hexnode UEM (on devices running macOS High Sierra 10.13.2 and higher) IT can specify a whitelist of system and kernel extensions that can be automatically loaded on the specified Macs, eliminating the need for user-approval prompts that ultimately disrupt the overall user experience.

For additional information on configuring system extensions and KEXTs using UEM, make sure to read Hexnode’s help documentation on configuring system extensions and kernel extensions for macOS devices.

The final note

With the introduction of macOS Catalina, system extensions have begun to steadily replace legacy kernel extensions for almost every purpose. However, there still exists some functionalities that are not covered by the three system extension frameworks (eg: KEXTs for virtualization software). In such cases, kernel extensions are still required for the proper functioning of the software.

That being said, it is crucial to point out that system extensions are a part of Apple’s commitment to gradually eliminate the use of kernel extensions and create a more reliable and secure setting for Macs. Hence, wherever possible, you must ensure to use system extensions in place of KEXTs. With the help of a UEM solution like Hexnode, IT can easily streamline the deployment of system extensions and KEXTs to their corporate Macs, and ensure a safe and secure environment for their business.