Legacy kexts vs system extensions


Need some advice… So with the new Apple silicon Macs we have had several new security features such as system extensions, secure and bootstrap tokens etc… Automating tasks remotely without user intervention is complicated now… Apple needs to figure out how to streamline this process for their new lineups. You guys got any tips you could share that helped you with this???

All Replies

  • So, I have been trying to organize my policies with PPPC, system and kernel extensions and separate them into individual policies. Some apps have all configured in an individual policy, some have them configured as separate and some applied over others. Will removing and reassigning them break everything???

  • Participant



    Kexts have deeper control over the core OS, making it vulnerable to exploits. While it helps with increased functionalities by addressing hardware directly at the kernel level, even a minor vulnerability could potentially brick the device. Apple’s first response was to enforce user approval for third-party kexts, and restart the OS while loading the kernel. Unfortunately, hackers found a way to bypass this and hijack the OS. So, they rolled out system extensions with new framework support to get the same functionalities without jeopardizing security.

  • Hi there,

    Thank you for using Hexnode Connect!

    You have nothing to worry about when switching from kexts to system extensions. Reassigning extensions will not hinder performance but may require some extensive effort. Updating outdated kexts with a newer version or replacing them with system extensions may require restarting the app and rebooting the system.

    In macOS Big Sur and Monterey, apps notify users with dialogs that the app requires legacy system extensions (kexts). Mac computers with Apple silicon require special permission to run kexts: the security policy must be changed to Reduced Security before a user can install a kext. macOS Catalina will be the last macOS to support legacy system extensions fully. You may also search what kexts and system extensions run on your system with scripts.

    Depending on the requirements for each app, identify which software uses kexts and update them. Unsupported or deprecated KPIs will fail and need to be replaced. Such KPIs can be replaced with their respective alternatives suggested by Apple and deployed using system extensions. Some apps require kexts to run until system extensions efficiently replace their functionalities. Remove policies with outdated kexts and associate policies with system extensions. Use team ID and bundle ID to install these extensions silently without user interaction.

    Here is a quick guide on kernel and system extensions to seamlessly complete the transition from kexts to system extensions with Hexnode. Feel free to reach out for our assistance when needed.

    Ethan Miller
    Hexnode UEM
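
Added example, not part of the reply above and not Hexnode's own code: the two steps the reply mentions, inventorying installed system extensions and allowing them by team ID and bundle ID, shown as a script that turns `systemextensionsctl list` output into a `com.apple.system-extension-policy` payload. The tab-separated output layout, the sample team and bundle IDs, and the `com.example.sysext-allowlist` identifier are assumptions made for the illustration.

```python
import plistlib
import re
import uuid
from collections import defaultdict

# Constructed sample of `systemextensionsctl list` output (tab-separated rows).
# Team IDs and bundle IDs are placeholders, not real vendors.
SAMPLE_OUTPUT = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tABCDE12345\tcom.example.vpn.tunnel (2.1/210)\tExample Tunnel\t[activated enabled]\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "\t\tFGHIJ67890\tcom.example.edr.agent (5.0/500)\tExample EDR\t[activated waiting for user]\n"
)

TEAM_ID = re.compile(r"^[A-Z0-9]{10}$")  # Apple team IDs are 10 characters

def parse_extensions(text):
    """Return {team_id: [bundle_id, ...]} from `systemextensionsctl list` text."""
    found = defaultdict(set)
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or not TEAM_ID.match(cols[2]):
            continue  # count line, category line, or column header
        found[cols[2]].add(cols[3].split(" (", 1)[0])  # drop "(version)"
    return {team: sorted(ids) for team, ids in sorted(found.items())}

def build_profile(allowed, identifier="com.example.sysext-allowlist"):
    """Build a .mobileconfig (XML plist bytes) that allows only the listed extensions."""
    payload = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadIdentifier": identifier + ".policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        # Each team ID maps to the exact bundle IDs permitted to load.
        "AllowedSystemExtensions": allowed,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "System extension allow list",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(build_profile(parse_extensions(SAMPLE_OUTPUT)).decode())
```

Listing exact bundle IDs under each team ID keeps the allow list narrower than approving a whole team identifier, so review the generated pairs before assigning the profile to devices.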