This article focuses on how to enable both kernel extensions (KEXT) and system extensions using Jamf Pro, with a close look at programmatic approaches. It is targeted at third-party macOS application developers who currently leverage KEXT or system extensions and would like to streamline the deployment and configuration of their applications using Jamf Pro.
Apple's implementation of extensions and their requirements are fairly complex. If you are not already familiar with Apple's progression from KEXT to system extensions over the various macOS versions, please familiarize yourself with the concepts described in the articles below before proceeding.
The process for managing KEXTs has evolved with the various macOS releases. Jamf continues to support these older OS versions, so we'll begin by reviewing the process for working with older macOS versions. Without user approval or configuration via MDM, users may be prompted with messages similar to the following when initially launching applications that require the use of KEXT.
Beginning in macOS High Sierra (10.13), Apple requires user approval for the loading of KEXTs. KEXTs installed on devices managed by an MDM solution during the upgrade process to 10.13 are considered pre-approved and require no additional user approval after the OS upgrade to 10.13.
Devices with User Approved MDM running macOS 10.13.2 or later can use configuration profiles with the KEXT payload to bypass the user approval process, allowing for streamlined enterprise deployment of applications. Navigate to Computers >> Configuration Profiles and select the Approved Kernel Extensions payload, as seen below.
Beginning with macOS 11, additional steps are needed to load and use legacy kernel extensions. It's important to note that computers with Apple silicon hardware require additional steps. For complete instructions, please reference Manage Legacy Kernel Extensions in macOS 11.
Apple introduced system extensions in macOS Catalina (10.15). They iterate on the functionality provided by KEXT without needing to give a third party access to the macOS kernel. Simultaneously, Apple announced that macOS 10.15 would be the last release to fully support KEXT without compromise. For more information on building support for system extensions within your app, check out Apple's developer documentation.
A configuration profile with the System Extensions payload can be installed on devices that are enrolled via User Approved MDM and running macOS 10.15 or later. There are three different approval modes available via Jamf Pro.
There are currently known issues related to the export of configuration profiles that include the Approved Kernel Extensions or System Extensions payloads. Third-party developers are the most likely to notice them.
The issues relate to Jamf Pro's inability to accurately export a configuration profile via the API or UI download options. Exported profiles lack information required to import them successfully into other systems, including other Jamf Pro environments.
Workarounds include the ability to build profiles in other tools or to export the payload contents directly from the Jamf Pro database. Jamf Cloud hosted environments can open a ticket with Jamf Support referencing product issue numbers PI-008695 (for KEXT) or PI-008562 (for System Extensions). Environments hosted outside of Jamf Cloud can execute a command similar to the following to obtain a complete export of the configuration profile contents.
select setting from os_x_configuration_profiles where os_x_configuration_profile_id=X;
For more information on uploading and importing configuration profiles via the Classic API, please view the API Reference documentation.
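For the "build profiles in other tools" workaround mentioned above, the following added example (not Jamf's or Apple's own code) generates a System Extensions profile with Python's `plistlib`, allowing only explicitly listed bundle IDs rather than every extension signed by a team. The function name, organization identifier, Team ID and bundle ID are constructed placeholders, and deriving `PayloadUUID` from the identifier is this example's choice.

```python
import plistlib
import re
import uuid

TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")  # Apple Developer Team ID format
SYSEXT_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}


def _payload_uuid(identifier: str) -> str:
    # Deterministic UUID (example's choice) so a regenerated profile keeps its identity.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper()


def build_sysext_profile(org_id, team_id, bundle_ids, ext_types=(), allow_user_overrides=False):
    """Return .mobileconfig bytes allowing only the listed system extensions."""
    if not TEAM_ID_RE.match(team_id):
        raise ValueError(f"not a valid Team ID: {team_id!r}")
    if not bundle_ids:
        # Example policy: require explicit bundle IDs instead of trusting a whole team.
        raise ValueError("list explicit bundle IDs")
    unknown = set(ext_types) - SYSEXT_TYPES
    if unknown:
        raise ValueError(f"unknown system extension types: {sorted(unknown)}")

    policy_id = f"{org_id}.sysext-policy"
    policy = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadIdentifier": policy_id,
        "PayloadUUID": _payload_uuid(policy_id),
        "PayloadVersion": 1,
        "AllowUserOverrides": allow_user_overrides,
        "AllowedSystemExtensions": {team_id: sorted(bundle_ids)},
    }
    if ext_types:
        policy["AllowedSystemExtensionTypes"] = {team_id: sorted(ext_types)}

    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": org_id,
        "PayloadUUID": _payload_uuid(org_id),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "Approved System Extensions",
        "PayloadContent": [policy],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Constructed sample values: placeholder Team ID and bundle ID.
    print(build_sysext_profile("com.example.profile", "ABCDE12345",
                               ["com.example.app.sysext"], ["NetworkExtension"]).decode())
```

Replace the placeholder identifiers with your own Team ID and extension bundle IDs before uploading the resulting file.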