How to configure System Extensions on macOS devices

The system extension policy for macOS devices allows applications and installers that use system extensions to load on your end users’ devices. Like kernel extensions, system extensions allow installing app extensions that can extend the native capabilities of the OS. Applying the Hexnode System Extension policy on a Mac with a system extension in the pending state ensures successful activation of the extension. Likewise, removing a system extension policy deactivates the extensions that were enabled through that policy.

What are System Extensions?

System extensions are a modern alternative to kernel extensions: they let developers build apps with enhanced functionality without giving those apps kernel-level access to the system. Before macOS Catalina, app developers could write code that ran directly in the macOS kernel. Although this made advanced functionality possible, it could compromise the stability and security of the Mac. Because a kernel extension (KEXT) has kernel-level control, its actions take priority over all other system functions, so even a minor bug in a KEXT can lead to kernel panics or unpredictable behaviour. Moreover, kernel extensions are not restrained by macOS security policies, so a vulnerable KEXT puts not only the app but the whole system at risk.

Granting kernel-level access to individual apps opens the door to security and operational vulnerabilities, because the kernel is in charge of everything on the system. System extensions, by contrast, run in the user space of the Mac rather than in the kernel. They are therefore bound by the system security policies, which improves the stability of the system: a security vulnerability in an extension affects only the app, not the system as a whole. These extensions are still granted high-level privileges and can perform tasks that were previously reserved for KEXTs. In addition, developers can write system extensions in any programming language rather than being limited to C and C++. System extensions give the system greater stability without sacrificing power.

System extensions can be driver extensions, network extensions or endpoint security extensions. They are packaged inside the app bundle and installed on the system at runtime. To delete or disable an extension, remove the app.

Notes:

  • Supported on devices running macOS 10.15 or later.
  • If you apply this policy to devices running a lower version (below 10.15), the policy will be pushed successfully from the console and the payload will appear under System Preferences > Profiles, but it will not be applied on the device.

Configure Mac System Extension Settings

  1. Navigate to the Policies tab on your Hexnode portal.
  2. Choose an existing policy or create a new policy by clicking on New Policy.
  3. Provide a suitable name for the policy if the ‘New Policy’ option is chosen.
  4. Select System Extensions from macOS > Configurations.
  5. Click on Configure and specify the System Extensions settings.
  6. Click Save.

The following options can be configured.

Configuration and description:

  • User Override: Check this box to allow users of the Mac to approve additional system extensions that are not specified in the policy. This lets applications that need an unlisted system extension be installed on end-user devices without the extension being pre-approved in the policy.
  • Team Identifiers: Enter the team identifiers of validly signed system extensions that should be allowed to load on the Mac. A team identifier must be alphanumeric and exactly 10 characters long.
  • System Extensions: List the specific system extensions that you want to approve for the Mac. Add the bundle identifier and team identifier of each system extension to be loaded. For unsigned system extensions, leave the team identifier field empty.
  • System Extension types: Specify which system extension types may be installed for a given team identifier. The following types can be enabled for each team ID: Endpoint Security Extension, Driver Extension, and Network Extension. If no extension type is specified for a team ID, all extension types are allowed by default.

Notes:

  • If a System Extension policy that is already associated with devices is updated, the devices may need to be restarted for the changes to take effect.

Associate target entities

If you haven’t saved your policy,

  1. Navigate to Policy Targets.
  2. Select the devices, device groups, users, user groups or domains you wish to associate the policy with.
  3. Click Save.

If you have saved your policy,

  1. Navigate to Policies.
  2. Search and select the policy you wish to associate with the devices.
  3. Click Manage > Associate Targets.
  4. Select the devices, device groups, users, user groups or domains you wish to associate the policy with.
  5. Click on Associate.

Identify system and kernel extensions

If you are unsure whether a piece of software uses a system extension or a kernel extension, either contact the software vendor or run the following command in the Terminal after installing the software:

systemextensionsctl list

If the command prints the following output, no system extensions are installed, so the software relies on a kernel extension instead. Otherwise, the details of the installed system extensions, such as the bundle ID and the team ID, are displayed.

systemextensionsctl list

0 extension(s)
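The following POSIX shell script is an added example, not part of Hexnode's documentation or tooling. It parses the output of `systemextensionsctl list` into team ID, bundle ID and activation state (so a pending extension such as one reported as `[activated waiting for user]` stands out), and it checks that a team identifier has the 10-character alphanumeric form the policy requires. The sample output embedded in it is constructed (the team IDs, bundle IDs and product names are placeholders), and the function names are my own. On a Mac you would pipe the real command into `parse_sysext_list` instead of the sample.

```shell
#!/bin/sh
# Added example (not Hexnode's code): parse `systemextensionsctl list`
# output and validate team identifiers. Runs offline on constructed text;
# on a Mac: systemextensionsctl list | parse_sysext_list

# Team identifiers are 10 alphanumeric characters, as the policy requires.
valid_team_id() {
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;   # reject anything non-alphanumeric
    esac
    [ "${#1}" -eq 10 ]
}

# Read `systemextensionsctl list` output on stdin and print one line per
# extension: "<teamID> <bundleID> <state>". Data rows are tab-separated:
# enabled, active, teamID, bundleID (version), name, [state]. The header
# row is skipped because its third column ("teamID") is not 10 characters.
parse_sysext_list() {
    awk -F'\t' '
        /^---/ { next }                  # category header lines
        NF >= 6 && length($3) == 10 {
            split($4, b, " ")            # drop the "(version)" suffix
            printf "%s %s %s\n", $3, b[1], $6
        }'
}

# Number of extensions reported on the first line ("N extension(s)").
sysext_count() {
    awk 'NR == 1 { print $1; exit }'
}

# Constructed sample in the format systemextensionsctl prints; the team IDs,
# bundle IDs and names are placeholders, not real products.
SAMPLE="$(printf '2 extension(s)\n--- com.apple.system_extension.network_extension\nenabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n*\t*\tABCDE12345\tcom.example.vpn.netext (1.0/1)\tExample VPN\t[activated enabled]\n--- com.apple.system_extension.endpoint_security\nenabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n\t\tFGHIJ67890\tcom.example.edr.esext (2.1/2)\tExample EDR\t[activated waiting for user]\n')"

# The output the page shows for a machine with no system extensions.
NO_SAMPLE="0 extension(s)"

# Stand-alone demo: list the extensions found in the constructed sample.
printf '%s\n' "$SAMPLE" | parse_sysext_list
```

The second row of the sample has empty `enabled` and `active` columns and a `[activated waiting for user]` state; that is the pending case the page describes, which applying the policy resolves. The team ID check is the same rule the Team Identifiers field enforces, so it can be used to sanity-check values before entering them in the portal.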