The Jamf Pro API Developer Hub

Welcome to the Jamf Pro API developer hub. You'll find comprehensive guides and documentation to help you start working with Jamf Pro API as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Kernel and System Extensions

Learn how about the different extension types for macOS and how to deploy and configure them for use with applications

Overview

This article will focus on how to enable both kernel extensions (KEXT) and system extensions using Jamf Pro with a close analysis on programatic approaches. This article is targeted towards third party macOS application developers who currently leverage KEXT or system extensions and would like to streamline the deployment and configuration process of their applications using Jamf Pro.

Apple's implementation of extensions and their requirements are fairly complex. If you are not already familiar with Apple's progressions from KEXT to system extensions over the various macOS versions, please familiarize yourself with the concepts described in the articles below, before proceeding.

Developer Resources

Kernel extensions in macOS
Deprecated Kernel Extensions and System Extension Alternatives
About system extensions and macOS

Kernel Extensions

The process for managing KEXTs has evolved with the various macOS releases. Jamf continues to support these older OS versions, so we'll begin by reviewing the process for working with older macOS versions. Without user approval or configuration via MDM, users may be prompted with messages similar to the following when initially launching applications that require the use of KEXT.

User prompt for approval of an extension.User prompt for approval of an extension.

User prompt for approval of an extension.

Beginning in macOS High Sierra (10.13), Apple began requiring user approval for the loading of KEXTs. KEXTs installed on devices managed by an MDM solution during the upgrade process to 10.13 are considered pre-approved and required no additional user approval after the OS upgrade to 10.13.

Devices with User Approved MDM, running macOS 10.13.2 or later can utilize configuration profiles with the KEXT payload to bypass the user approval process, allowing for streamlined enterprise deployment of applications. Navigate to Computers >> Configuration Profiles and select the Approved Kernel Extensions payload, as seen below.

Approved KEXT payload for macOS.Approved KEXT payload for macOS.

Approved KEXT payload for macOS.

Beginning with macOS 11, additional steps are needed to load and use legacy kernel extensions. It's important to note that computers with Apple silicon hardware require additional steps. For complete instructions, please reference Manage Legacy Kernel Extensions in macOS 11.

System Extensions

Apple introduced system extensions in macOS Catalina (10.15) which iterates on the functionality provided by KEXT without needing to give a third party access to the macOS kernel. Simultaneously, Apple announced that macOS 10.15 would be the last release to fully support KEXT without compromise. For more information on building support for system extensions within your app, check out Apple's developer documentation.

A configuration profile with the System Extensions payload can be installed on a device enrolled via user approved MDM devices running macOS 10.15 or later. There are three different approval modes available via Jamf Pro.

Allow all System Extensions from the same Team Identifier.Allow all System Extensions from the same Team Identifier.

Allow all System Extensions from the same Team Identifier.

Allow explicit System Extensions by defining each one by Bundle Identifier.Allow explicit System Extensions by defining each one by Bundle Identifier.

Allow explicit System Extensions by defining each one by Bundle Identifier.

Allow System Extensions by specific extension types, with option to limit by Team ID.Allow System Extensions by specific extension types, with option to limit by Team ID.

Allow System Extensions by specific extension types, with option to limit by Team ID.

Known Issues

There are currently known issues related to the export of configuration profiles that include the Approved Kernel Extensions or System Extension payloads which are more likely to be noticed by third party developers.

The issues relate to Jamf Pros inability to accurately export a configuration profile via API or UI download options. Exported profiles lack required information to successful import into other systems, including other Jamf Pro environments.

Workarounds include the ability to build profiles in other tools or to export the payload contents directly from the Jamf Pro database. Jamf Cloud hosted environments can open a ticket with Jamf Support referencing product issue numbers PI-008695 (for KEXT) or PI-008562 (for System Extensions). Environments hosted outside of Jamf Cloud can execute a command similar to the following to obtain a complete export of the configuration profile contents.

select setting from os_x_configuration_profiles where os_x_configuration_profile_id=X;

For more information on uploading and importing configuration profiles via the Classic API, please view the API Reference documentation.

Updated 2 months ago

Kernel and System Extensions


Learn how about the different extension types for macOS and how to deploy and configure them for use with applications

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.