Kernel and System Extensions

Learn about the different extension types for macOS and how to deploy and configure them for use with applications

Overview

This article focuses on how to enable both kernel extensions (KEXT) and system extensions using Jamf Pro, with a close look at programmatic approaches. It is aimed at third-party macOS application developers who currently leverage KEXT or system extensions and would like to streamline the deployment and configuration of their applications using Jamf Pro.

Apple's implementation of extensions and their requirements are fairly complex. If you are not already familiar with Apple's progressions from KEXT to system extensions over the various macOS versions, please familiarize yourself with the concepts described in the articles below, before proceeding.

Developer Resources

Kernel extensions in macOS
Deprecated Kernel Extensions and System Extension Alternatives
About system extensions and macOS

Kernel Extensions

The process for managing KEXTs has evolved with the various macOS releases. Jamf continues to support these older OS versions, so we'll begin by reviewing the process for working with older macOS versions. Without user approval or configuration via MDM, users may be prompted with messages similar to the following when initially launching applications that require the use of KEXT.


User prompt for approval of an extension.

Beginning in macOS High Sierra (10.13), Apple requires user approval for the loading of KEXTs. KEXTs installed on devices managed by an MDM solution during the upgrade process to 10.13 are considered pre-approved and require no additional user approval after the OS upgrade to 10.13.

Devices with User Approved MDM that are running macOS 10.13.2 or later can use configuration profiles with the KEXT payload to bypass the user approval process, allowing for streamlined enterprise deployment of applications. Navigate to Computers >> Configuration Profiles and select the Approved Kernel Extensions payload, as seen below.


Approved KEXT payload for macOS.

Beginning with macOS 11, additional steps are needed to load and use legacy kernel extensions. It's important to note that computers with Apple silicon hardware require additional steps. For complete instructions, please reference Manage Legacy Kernel Extensions in macOS 11.

System Extensions

Apple introduced system extensions in macOS Catalina (10.15). They iterate on the functionality provided by KEXT without needing to give a third party access to the macOS kernel. Simultaneously, Apple announced that macOS 10.15 would be the last release to fully support KEXT without compromise. For more information on building support for system extensions within your app, check out Apple's developer documentation.

A configuration profile with the System Extensions payload can be installed on devices that are enrolled via User Approved MDM and running macOS 10.15 or later. There are three different approval modes available via Jamf Pro.


Allow all System Extensions from the same Team Identifier.


Allow explicit System Extensions by defining each one by Bundle Identifier.


Allow System Extensions by specific extension types, with option to limit by Team ID.
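The three approval modes above correspond to the AllowedTeamIdentifiers, AllowedSystemExtensions and AllowedSystemExtensionTypes keys of Apple's com.apple.system-extension-policy payload. The following is an added example, not Jamf's or Apple's code, that builds such a profile programmatically and rejects malformed input before it reaches a device. The Team ID, bundle identifier and payload identifiers are constructed placeholders.

```python
import plistlib
import re
import uuid

TEAM_ID = re.compile(r"[A-Z0-9]{10}")  # Apple Team IDs: 10 alphanumeric characters
EXT_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}

def sysext_payload(team_ids=(), bundle_ids=None, ext_types=None):
    """Build a com.apple.system-extension-policy payload.

    team_ids   -> AllowedTeamIdentifiers: every extension signed by the team
    bundle_ids -> AllowedSystemExtensions: {team_id: [bundle identifiers]}
    ext_types  -> AllowedSystemExtensionTypes: {team_id: [extension types]}
    """
    bundle_ids, ext_types = bundle_ids or {}, ext_types or {}
    if not (team_ids or bundle_ids or ext_types):
        raise ValueError("payload would approve nothing")
    for tid in (*team_ids, *bundle_ids, *ext_types):
        if not TEAM_ID.fullmatch(tid):
            raise ValueError(f"malformed Team ID: {tid!r}")
    for tid, types in ext_types.items():
        if set(types) - EXT_TYPES:
            raise ValueError(f"unknown extension type for {tid}: {types}")
    payload = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadIdentifier": "com.example.sysext.policy",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    if team_ids:
        payload["AllowedTeamIdentifiers"] = list(team_ids)
    if bundle_ids:
        payload["AllowedSystemExtensions"] = {t: list(b) for t, b in bundle_ids.items()}
    if ext_types:
        payload["AllowedSystemExtensionTypes"] = {t: list(x) for t, x in ext_types.items()}
    return payload

def build_profile(payload, name="System Extension Approval"):
    """Wrap one payload in a top-level profile and return .mobileconfig bytes."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.sysext",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadScope": "System",
        "PayloadContent": [payload],
    })

# Constructed sample: approve one extension by bundle ID (narrowest of the three modes)
EXAMPLE = build_profile(sysext_payload(bundle_ids={"ABCDE12345": ["com.example.app.extension"]}))
```

Approving by bundle identifier grants the least; approving a whole Team Identifier also covers any extension that team ships later.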

For more information on uploading and importing configuration profiles via the Classic API, please view the API Reference documentation.