
How to configure Kernel Extension settings for Mac

Kernel extensions (kexts) let applications extend the operating system. They have access to different parts of the operating system and can modify the core operating system components that an application needs in order to run. Earlier, kernel extensions could be loaded without user consent, but beginning with macOS High Sierra these extensions require user authorization to load. Hence, for devices running macOS High Sierra 10.13.2 and higher, you can use Hexnode MDM to specify a whitelist of kernel extensions that can be loaded without user approval.

To configure macOS Kernel Extensions settings

    1. Navigate to the Policies tab on your Hexnode portal.
    2. Choose an existing policy or create a new policy by clicking on New Policy.
    3. Provide a suitable name for the policy if the New Policy option is chosen.
    4. Select Kernel Extensions from macOS > Configurations.
    5. Click on Configure and specify the Kernel Extensions settings.
    6. Click Save.

The following options are available for configuration.

User Override: Enable this option to allow users to approve kernel extensions that have not been whitelisted in the policy.

Team Identifiers: Add Team IDs one by one. All kernel extensions signed by the listed Team IDs will be approved.

The Team ID must be alphanumeric with 10 characters. Example: A1B2CD3E45

Kernel Extensions: Provide the Team ID and Bundle ID to allow specific kernel extensions for each app.

For unsigned legacy kernel extensions, provide only the Bundle Identifier field, leaving the Team Identifier field blank.

To find Team ID and Bundle ID

To retrieve the Team identifier and Bundle identifier, perform a clean install of High Sierra on a macOS device, install all the kernel extensions, and approve them under System Preferences > Security & Privacy. Then follow these steps.

  1. Open Terminal.
  2. Execute the command:
    sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
  3. Run the query:
    SELECT * FROM kext_policy;

    The trailing semicolon in the query is mandatory.

A list containing Team ID, Bundle ID, and display name of developer of each kernel extension will be displayed.

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SQLite version 3.19.3 2020-03-27 17:19:08
Enter ".help" for usage hints.
sqlite> SELECT * FROM kext_policy;
G7HH3F8CAK|com.getdropbox.dropbox.kext|0|Dropbox, Inc. |4
M683GB7CPW|com.box.filesystems.osxfuse|1|Box, Inc.|1
sqlite>

The first item in the list will be the Team ID, followed by Bundle ID, which is required to configure the Kernel Extension settings for any third-party application with Hexnode MDM.
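As an added example (not part of the Hexnode article), the following Python script rebuilds the kext_policy table in memory, runs the same query, and classifies each row before it is entered into the policy: signed kexts, unsigned legacy kexts (blank Team ID) and rows whose Team ID fails the 10-character rule. The column names in the schema are an assumption taken from the column order of the output above, and the third sample row is constructed.

```python
import re
import sqlite3

# A Team ID is 10 alphanumeric characters (Apple issues them in upper case).
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")

# Assumed column names for kext_policy; the order matches the sqlite3 output above.
SCHEMA = """
CREATE TABLE kext_policy (
    team_id TEXT, bundle_id TEXT, allowed INTEGER,
    developer_name TEXT, flags INTEGER
);
"""

# Constructed sample rows: the two from the transcript above plus one
# unsigned legacy kext, which has an empty team_id.
SAMPLE_ROWS = [
    ("G7HH3F8CAK", "com.getdropbox.dropbox.kext", 0, "Dropbox, Inc. ", 4),
    ("M683GB7CPW", "com.box.filesystems.osxfuse", 1, "Box, Inc.", 1),
    ("", "com.example.legacy.kext", 1, "Example Legacy Co.", 1),
]


def load_sample_db():
    """Build an in-memory stand-in for /var/db/SystemPolicyConfiguration/KextPolicy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def whitelist_entries(conn):
    """Run the page's query and classify each row: 'signed' (Team ID + Bundle ID),
    'legacy-unsigned' (leave Team Identifier blank) or 'invalid' (bad Team ID)."""
    entries = []
    for team_id, bundle_id, allowed, developer, _flags in conn.execute(
            "SELECT * FROM kext_policy;"):
        team_id = team_id.strip()
        if team_id == "":
            kind = "legacy-unsigned"
        elif TEAM_ID_RE.match(team_id):
            kind = "signed"
        else:
            kind = "invalid"
        entries.append({"team_id": team_id, "bundle_id": bundle_id,
                        "developer": developer.strip(), "kind": kind,
                        "approved": bool(allowed)})  # third column: user approval
    return entries
```

Only entries of kind "signed" (with both fields) or "legacy-unsigned" (Bundle ID only) should be transferred into the Kernel Extensions option of the policy.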

Exception:

Kernel extensions do not require user consent to be loaded on a device in the following cases:

  1. Kernel Extensions which were already present on the device before the update to macOS High Sierra.
  2. Any replacements to the already approved Kernel Extensions.
  3. Any Kernel Extensions loaded using the spctl command while the device is booted to macOS Recovery.

Associate target devices

If you haven’t saved your policy,

  1. Navigate to Policy Targets.
  2. Click on +Add devices to add the devices you wish to associate the policy with.
  3. Click Save.

If you have saved your policy,

  1. Navigate to Manage > Devices.
  2. Select the devices.
  3. Click on Actions > Associate Policy.
  4. Select the policy and click on Associate.

OR

  1. Navigate to Policies.
  2. Search and select the policy you wish to associate with the devices.
  3. Click Manage > Associate Targets.
  4. Select the devices you wish to associate the policy with. You can also associate the policy with device groups, users, user groups and even domains.
  5. Click on Associate.