
How to configure Kernel Extension settings for Mac

Kernel extensions (KEXTs) let third-party software extend macOS beyond the capabilities the operating system provides natively. Because they run inside the kernel, they can reach parts of the system that ordinary applications cannot touch and can modify core OS components an application depends on; for the same reason, a faulty or malicious KEXT compromises the whole machine rather than a single app, which is why controlling which KEXTs may load is a security decision, not just a convenience one.

Before macOS High Sierra, kernel extensions could be loaded without user consent. Starting with macOS 10.13, a third-party kernel extension must be explicitly approved by the user before it loads (User-Approved Kernel Extension Loading). For devices running macOS High Sierra 10.13.2 and later, Hexnode UEM can therefore push a whitelist of kernel extensions that load without user approval; the same policy can let users approve additional KEXTs themselves and can allow everything signed with a given Team ID. Note that on macOS 10.13.4 and later Apple honors this payload only when the device's MDM enrollment is user-approved or was done through Automated Device Enrollment (DEP); on a Mac enrolled any other way the whitelist has no effect and the user is still prompted.

Configure macOS Kernel Extensions settings

Follow the below steps to configure a KEXT policy via Hexnode:

  1. Navigate to the Policies tab on your MDM portal.
  2. Choose an existing policy or create a new policy by clicking on New Policy.
  3. Provide a suitable name for the policy if the New Policy option is chosen.
  4. Select Kernel Extensions from macOS > Configurations.
  5. Click on Configure and specify the KEXTs settings.
  6. Click Save.

The following options can be configured:

User Override: Enable this option to let users approve kernel extensions that are not whitelisted in the policy. Leave it disabled if only the extensions listed in the policy should ever load.
Team Identifiers: Add Team IDs one at a time. Every kernel extension signed with a listed Team ID is approved, including extensions that developer ships in the future, so use this only for vendors you trust as a whole.

The Team ID must be exactly 10 alphanumeric characters, for example A1B2CD3E45.

Kernel Extensions: Provide the Team ID and Bundle ID to allow individual kernel extensions. This is the narrower choice when only specific extensions from a vendor should be permitted.

For unsigned legacy kernel extensions, fill in only the Bundle Identifier field and leave the Team Identifier field blank.

Find Team ID and Bundle ID on Mac

To retrieve the Team identifier and Bundle identifier, set up a reference Mac with a clean install of macOS High Sierra (10.13.2 or later), install every kernel extension you intend to whitelist, and approve each one under System Preferences > Security & Privacy > General. Then:

  1. Open Terminal.
  2. Open the kernel extension policy database as root (it is not readable by a standard user):
    sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
  3. At the sqlite> prompt, run the query:
    SELECT * FROM kext_policy;

    The trailing semicolon is mandatory; without it sqlite3 waits for more input instead of running the query.

The query prints one row per kernel extension the system has seen, with the fields separated by a vertical bar: Team ID, Bundle ID, whether the user approved it (1) or not (0), the developer's display name, and an internal flags value.

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SQLite version 3.19.3 2020-03-27 17:19:08 
Enter ".help" for usage hints. 
sqlite> SELECT * FROM kext_policy; 
G7HH3F8CAK|com.getdropbox.dropbox.kext|0|Dropbox, Inc. |4 
M683GB7CPW|com.box.filesystems.osxfuse|1|Box, Inc.|1 
sqlite> 

The first field is the Team ID and the second is the Bundle ID; these two values are what Hexnode UEM needs to whitelist a third-party kernel extension. Check the third field before copying a row: only entries with 1 there were actually approved on the reference Mac, and a row with an empty first field is an unsigned legacy extension that must be entered by Bundle ID alone.
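As an added example (not Hexnode's or Apple's code), the following Python script ties the options above and the sqlite3 procedure together: it parses the pipe-separated rows that sqlite3 prints for SELECT * FROM kext_policy;, keeps only the rows the user approved, validates each Team ID against the 10-character rule, and assembles the com.apple.syspolicy.kernel-extension-policy payload that an MDM such as Hexnode ultimately delivers to the Mac. AllowUserOverrides, AllowedTeamIdentifiers and AllowedKernelExtensions are Apple's payload keys; the third sample row, the PayloadIdentifier values and the upper-case-only Team ID rule are assumptions made for the example. Unsigned legacy KEXTs land under the empty-string key, which is the payload's equivalent of leaving the Team Identifier field blank.

```python
"""Assemble an Apple Kernel Extension Policy payload from kext_policy rows.

Added example, not Hexnode's or Apple's code. It models what the MDM
ends up sending: the com.apple.syspolicy.kernel-extension-policy payload
with AllowUserOverrides, AllowedTeamIdentifiers and AllowedKernelExtensions.
"""
import plistlib
import re
import uuid

# Constructed sample of the pipe-separated rows sqlite3 prints for
# "SELECT * FROM kext_policy;" (columns: team_id|bundle_id|allowed|developer_name|flags).
# The third line is a constructed unsigned legacy KEXT with an empty team_id.
SAMPLE_ROWS = """\
G7HH3F8CAK|com.getdropbox.dropbox.kext|0|Dropbox, Inc. |4
M683GB7CPW|com.box.filesystems.osxfuse|1|Box, Inc.|1
|com.example.legacy.kext|1||1
"""

# Team IDs are 10 alphanumeric characters (assumption: upper-case only).
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")


def parse_kext_policy(text):
    """Parse sqlite3 output into (team_id, bundle_id, allowed) tuples.

    allowed is True when the user approved the KEXT (third column == 1).
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            raise ValueError(f"unexpected kext_policy row: {line!r}")
        team_id, bundle_id, allowed, _developer, _flags = parts
        rows.append((team_id, bundle_id, allowed == "1"))
    return rows


def build_payload(rows, allow_user_overrides=False, team_identifiers=(),
                  include_unapproved=False):
    """Return the payload dict for the Kernel Extension Policy profile.

    Only rows the user actually approved are whitelisted unless
    include_unapproved is set. An empty team_id (unsigned legacy KEXT)
    becomes the empty-string key, which is how the payload expresses
    "bundle ID only".
    """
    allowed_kexts = {}
    for team_id, bundle_id, allowed in rows:
        if not allowed and not include_unapproved:
            continue
        if team_id and not TEAM_ID_RE.match(team_id):
            raise ValueError(f"malformed Team ID {team_id!r} for {bundle_id}")
        allowed_kexts.setdefault(team_id, []).append(bundle_id)

    # Team-wide approval is broad (every KEXT that vendor ever signs), so
    # at least make sure the identifier is well formed.
    for team_id in team_identifiers:
        if not TEAM_ID_RE.match(team_id):
            raise ValueError(f"malformed Team ID {team_id!r}")

    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kext-policy.payload",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": list(team_identifiers),
        "AllowedKernelExtensions": allowed_kexts,
    }


def to_mobileconfig(payload):
    """Wrap a payload in a top-level profile and return the XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kext-policy",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    rows = parse_kext_policy(SAMPLE_ROWS)
    payload = build_payload(rows, team_identifiers=["A1B2CD3E45"])
    print(to_mobileconfig(payload).decode())
```

Run it and compare the AllowedKernelExtensions dictionary in the output with what you entered in the Hexnode policy: the Dropbox row is dropped because its approved flag is 0, the osxfuse row is keyed by its Team ID, and the legacy row sits under the empty key. Passing include_unapproved=True keeps rows the user never approved, which is what you want when the reference Mac was not fully approved before the database was read.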

Exceptions:

Kernel extensions load without user consent in the following cases:

  1. Kernel extensions that were already installed on the device before it was upgraded to macOS High Sierra.
  2. Replacements (updates) of kernel extensions that have already been approved.
  3. Kernel extensions whose Team ID was added with spctl kext-consent add while the device was booted to macOS Recovery (or every kernel extension, if user consent was switched off there with spctl kext-consent disable). spctl does not load a KEXT itself; it changes the consent policy the KEXT is checked against.

Associate KEXT settings with macOS devices

If you haven’t saved your policy,

  1. Navigate to Policy Targets.
  2. Click on +Add devices to add the devices with which you wish to associate the policy.
  3. Click Save.

If you have saved your policy,

  1. Navigate to Manage > Devices.
  2. Select the devices.
  3. Click on Actions > Associate Policy.
  4. Select the policy and click on Associate.

Or

  1. Navigate to Policies.
  2. Search and select the policy you wish to associate with the devices.
  3. Click Manage > Associate Targets.
  4. Select the devices you wish to associate the policy with. You can also associate the policy with device groups, users, user groups and even domains.
  5. Click on Associate.