Category filter
How to configure Kernel Extension settings for Mac
Kernel extensions (KEXTs) allow users to install app extensions that can extend the natively available capabilities on the operating system. These extensions have access to different parts of operating systems that regular applications can’t access. They execute code at the kernel level and are able to modify the core OS components required to run an application.
Earlier, Kernel extensions could be loaded without user consent. But with macOS upgrade to High Sierra, these extensions require user authorization to load. Hence, for devices running macOS High Sierra 10.13.2 and higher, you can use Hexnode UEM to specify a whitelist of Kernel Extensions, which can be loaded without user approval. In addition, you can also allow users to override KEXTs and add team identifiers.
This feature is supported only on Ultimate and Ultra pricing plans.
Configure macOS Kernel Extensions settings
Follow the below steps to configure a KEXT policy via Hexnode:
- Navigate to the Policies tab on your MDM portal.
- Choose an existing policy or create a new policy by clicking on New Policy.
- Provide a suitable name for the policy if the New Policy option is chosen.
- Select Kernel Extensions from macOS > Configurations.
- Click on Configure and specify the KEXTs settings.
- Click Save.
You’ll have the following options to be configured.
| User Override | Enable this option to allow users to approve kernel extensions that have not been whitelisted in the policy. |
| Team Identifiers | Add Team IDs one by one. All kernel extensions signed by the listed Team IDs will be approved.
The Team ID must be alphanumeric with 10 characters. Example. A1B2CD3E45 |
| Kernel Extensions | Provide the Team ID and Bundle ID to allow specific kernel extensions for each app.
For un-signed legacy kernel extensions, provide only the Bundle Identifier field leaving the Team Identifier field blank. |
- On devices running on macOS 11 and above, installing a new or updated Kernel extension via policy requires the devices to be restarted for the changes to take effect.
- If your Kernel extension contains an unsupported or deprecated Kernel Programming Interfaces (KPI), it will fail to function as intended. Such KPIs can be replaced with their respective alternatives suggested by Apple and deployed using System extensions.
Find Team ID and Bundle ID on Mac
To retrieve the Team identifier and Bundle identifier, perform a clean install of High Sierra and install all the Kernel Extensions on a macOS device. Also, approve the Kernel Extensions on System Preferences > Security & Privacy. Now follow the steps:
- Open Terminal.
- Execute the command:
1sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy.
- Run the query:
1SELECT * FROM kext_policy;
The inclusion of semicolon in this above step is mandatory.
A list containing Team ID, Bundle ID, and display name of the developer of each kernel extension will be displayed.
|
1 |
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy |
|
1 |
SQLite version 3.19.3 2020-03-27 17:19:08 |
|
1 |
Enter ".help" for usage hints. |
|
1 |
sqlite> SELECT * FROM kext_policy; |
|
1 |
G7HH3F8CAK|com.getdropbox.dropbox.kext|0|Dropbox, Inc. |4 |
|
1 |
M683GB7CPW|com.box.filesystems.osxfuse|1|Box, Inc.|1 |
|
1 |
sqlite> |
The first item in the list will be the Team ID, followed by Bundle ID, which is required to configure the Kernel Extension settings for any third-party application with Hexnode UEM.
Kernel Extensions do not require user consent to be loaded on the device in the following cases:
- Kernel Extensions which were already present on the device before the update to macOS High Sierra.
- Any replacements to the already approved Kernel Extensions.
- Any Kernel Extensions loaded using the spctl command while the device is booted to macOS Recovery.
Associate KEXT settings with macOS devices
If you haven’t saved your policy,
- Navigate to Policy Targets.
- Click on +Add devices to add the devices with which you wish to associate the policy.
- Click Save.
If you have saved your policy,
- Navigate to Manage > Devices.
- Select the devices.
- Click on Actions > Associate Policy.
- Select the policy and click on Associate.
Or
- Navigate to Policies.
- Search and select the policy you wish to associate with the devices.
- Click Manage > Associate Targets.
- Select the devices you wish to associate the policy with. You can also associate the policy with device groups, users, user groups and even domains.
- Click on Associate.
How to change startup disk security policy on Mac with Apple silicon
The security level of the startup disc of a Mac with an Apple silicon chip is set to ‘Full Security’ by default, providing it the greatest level of security. However, the security level on Apple silicon Macs must be downgraded from ‘Full Security’ to ‘Reduced Security’ to facilitate remote management of kernel extensions via a UEM solution like Hexnode UEM. Management of kernel extensions via an MDM solution can be authorized automatically if the device is enrolled using Apple Business Manager or Apple School Manager.
To change the security settings of the startup disk of Apple silicon Macs, follow the steps below.
- Shut down the device.
- Press and hold the power button until the message “Loading startup options…” appears on the screen.
- Click on Options, and then Continue.
- If asked, choose an administrator account and enter the password.
- From the menu bar at the top of the screen, click on Utilities and choose Startup Security Utility.
- Select the startup disk for which to change the security policy.
- If the disk is encrypted, click Unlock, enter the password and then click Unlock.
- Click Security Policy.
- Select one from the below two options that appear on the screen:
- Full Security
- Reduced Security
If you chose Reduced Security, there’s an option to select from the options below, if required:
- Allow user management of kernel extensions from identified developers: Allows installation of software that uses legacy kernel extensions.
- Allow remote management of kernel extensions and automatic software updates: Authorizes remote management of legacy kernel extensions and software updates using mobile device management (MDM) solution.
- Choose the required option and click OK.
- Enter the administrator password, and click OK.
- Once the security policy is applied, restart the device for the changes to take effect.
