[dylan21 Participant 9 March 2022 dylan21 Participant]

This! It would be so helpful if we could share our processes to help make management easier…

[lars Participant 9 March 2022 lars Participant]

So, I have been trying to organize my policies with PPPC, system and kernel extensions and separate them into individual policies, some apps have all configured in an individual policy, some have them configured as separate and some applied over others. Will removing and reassigning them break everything???

[dylan21 Participant 9 March 2022 dylan21 Participant]

I guess for each app, deploying separate policies for PPPC and extensions is the way to go. It saves you a lot of trouble and is easier to sort…

[Jarvis Participant 9 March 2022 Jarvis Participant]

I heard they are phasing out kernel extensions for newer macOS versions, when is it the right time to apply system extensions instead of kexts??

[hoLdyn Participant 9 March 2022 hoLdyn Participant]

Apple support says it is already out, they consider kexts as legacy system extensions https://support.apple.com/en-us/HT211860 . They have a guide on how to manage kexts with unsupported KPIs and how system extensions will be the norm from macos Monterey onwards…

[lars Participant 9 March 2022 lars Participant]

Thanks for that, I need to be on top of this for future deployments…

[hoLdyn Participant 9 March 2022 hoLdyn Participant]

Sure, it’s already updated here in Help https://www.hexnode.com/mobile-device-management/help/how-to-configure-kernel-extension-settings-for-mac-with-hexnode-mdm/

[Jarvis Participant 9 March 2022 Jarvis Participant]

Why shift from kexts to system extensions? seems like a swift move…

[dylan21 Participant 9 March 2022 dylan21 Participant]

Kexts have deeper control over the core OS, making it vulnerable to exploits. While it helps with increased functionalities by addressing hardware directly at the kernel level, even a minor vulnerability could potentially brick the device. Apple’s first response was to enforce user approval for third-part kexts, and restart OS while loading the kernel. Unfortunately, hackers found a way to bypass this and hijack the OS. So, they rolled out system extensions with new framework support to get the same functionalities without jeopardizing security.

[hoLdyn Participant 9 March 2022 hoLdyn Participant]

If a sys extension crashes, the rest of the system won’t be affected as it exists in the user space instead of the kernel space. There is an extensive blog on how sys extensions will effectively replace kexts:
https://www.hexnode.com/blogs/why-mac-system-extensions-are-the-modern-replacement-to-kernel-extensions-kexts/

[Ethan Hexnode 9 March 2022 Ethan Moderator]

Hi there,

Thank you for using Hexnode Connect!

You have nothing to worry about when switching from kexts to system extensions. Reassigning extensions will not hinder performance but may require some extensive effort. Updating outdated kexts with a newer version or replacing it with system extensions may require restarting the app and rebooting the system.

In macOS Big Sur and Monterey, apps notify users with dialogs that the app requires legacy system extensions (kexts). Mac computers with Apple silicon require special permission to run kexts: the security policy must be changed to Reduced Security before a user can install a kext. macOS Catalina will be the last macOS to support legacy system extensions fully. You may also search what kexts and system extensions run on your system with scripts.

Depending on the requirements for each app, identify which software uses kexts and update them. Unsupported or deprecated KPI will fail and needs to be replaced. Such KPIs can be replaced with their respective alternatives suggested by Apple and deployed using system extensions. Some apps require kexts to run until system extensions efficiently replace their functionalities. Remove policies with outdated kexts and associate policies with system extensions. Use team ID and bundle ID to install these extensions silently without user interaction.

Here is a quick guide on kernel and system extensions to seamlessly complete the transition from kexts to system extensions with Hexnode. Feel free to reach out for our assistance when needed.

Regards,
Ethan Miller
Hexnode UEM

• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.
• This reply was modified 2 years, 1 month ago by  Ethan Miller.