Endpoint Services, macOS User-Approved Kernel and System Extension Loading
Information on secure kernel and system extension loading with macOS 10.13.4 and up.
Workspace ONE Unified Endpoint Management (UEM)
Munki Mac Endpoint Management
University of Illinois IT Pros managing macOS endpoints, with or without leveraging Technology Services Endpoint Service Workspace ONE UEM.
- General Information
- Workspace ONE Kernel and System Extension Profiles
- "Blanket" Kext and Sysext Management via Workspace ONE
Beginning with macOS 10.13.4, Apple began prompting end users to enable kernel extensions ("kexts") for some common applications and device drivers, including Box Drive, Cisco AnyConnect, VirtualBox, VMware Fusion, and newer HP printers. For example, when Box Drive is launched for the first time on macOS 10.14, the end user will receive the following prompt:
The user, whether an admin or a standard user, can follow the directions to open System Preferences - Security & Privacy - General and click “Allow”, enabling the Box Drive kernel extension to load for all users on the system:
This action is required before the application will run. However, in some cases, the end user can’t enable the extension, and the software will fail to run. This could be because 1) the user delayed the "Allow" action by more than a half-hour, in which case the “Allow” button disappears; 2) the user is running third-party software emulation for input devices; 3) the user is using third-party creative tablets or pens; or 4) the Mac is being controlled via a screen sharing utility, including Apple Remote Desktop. In the case where the “Allow” button is no longer available, a restart *may* reinstate it (but doesn’t always); in the other cases, the “Allow” button is visible but not clickable until the interfering software/device/screen-sharing is removed.
In 2019, Apple announced that kernel extensions would be deprecated in favor of system extensions ("sysexts"), which still allow apps to extend macOS functionality but without kernel-level access. With the November 2020 release of Big Sur, kexts are fully deprecated.
As we continue to see an increasing number of macOS applications requiring sysext and kext approval, the EPS service attempts to anticipate stakeholder impact and offer practical solutions. Due to Apple restrictions, third-party tools such as Munki can’t be used to apply extension approval, but MDM/UEM systems such as Workspace ONE can.
Workspace ONE Kernel and System Extension Profiles
Workspace ONE supports Kernel and System Extension Policy profiles, which pre-approve kexts and sysexts for all users on a device without customer interaction. The EPS team currently creates global profiles for new extension policies as we become aware of them. While Unit Workspace ONE admins can create their own site profiles, they can also take advantage of the globally-managed profiles by asking EPS to assign their site to a global profile; by duplicating a global profile to their own site; or by opting in to "blanket" kext and sysext management.
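What such a profile actually carries, as an added example (not the EPS team's or Workspace ONE's code): Python that builds the two Apple payload types a Kernel/System Extension Policy profile contains and audits a finished profile before it is assigned to a unit. The Team IDs and bundle IDs are constructed placeholders, not Box Drive's or any vendor's real identifiers.

```python
import plistlib
import uuid

KEXT_TYPE = "com.apple.syspolicy.kernel-extension-policy"  # macOS 10.13.2+
SYSEXT_TYPE = "com.apple.system-extension-policy"          # macOS 10.15+

def _payload(ptype, name, body):
    # Common keys every payload dictionary inside a profile must carry
    p = {"PayloadType": ptype, "PayloadDisplayName": name,
         "PayloadIdentifier": f"{ptype}.{uuid.uuid4()}",
         "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}
    p.update(body)
    return p

def kext_policy(allowed, team_ids=None, allow_user_overrides=False):
    """allowed: {team_id: [kext bundle id, ...]}. Pinning bundle IDs under a
    Team ID is narrower than AllowedTeamIdentifiers, which approves every kext
    that developer signs now or later."""
    body = {"AllowUserOverrides": allow_user_overrides,
            "AllowedKernelExtensions": allowed}
    if team_ids:
        body["AllowedTeamIdentifiers"] = list(team_ids)
    return _payload(KEXT_TYPE, "Kernel Extension Policy", body)

def sysext_policy(allowed, types, allow_user_overrides=False):
    """allowed: {team_id: [sysext bundle id]}; types: {team_id: [type name]}."""
    return _payload(SYSEXT_TYPE, "System Extension Policy",
                    {"AllowUserOverrides": allow_user_overrides,
                     "AllowedSystemExtensions": allowed,
                     "AllowedSystemExtensionTypes": types})

def build_profile(name, identifier, payloads):
    """Wrap payloads in a device-scoped profile (extension approval is
    per-device, so PayloadScope must be System, not User)."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadScope": "System",
        "PayloadDisplayName": name, "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
        "PayloadContent": payloads})

def audit_profile(data):
    """Summarise what a profile pre-approves. "*" marks a whole Team ID
    approved via AllowedTeamIdentifiers rather than pinned bundle IDs."""
    r = {"kexts": {}, "sysexts": {}, "user_overrides": False}
    for p in plistlib.loads(data).get("PayloadContent", []):
        r["user_overrides"] |= bool(p.get("AllowUserOverrides"))
        if p.get("PayloadType") == KEXT_TYPE:
            for team in p.get("AllowedTeamIdentifiers", []):
                r["kexts"].setdefault(team, set()).add("*")
            for team, ids in p.get("AllowedKernelExtensions", {}).items():
                r["kexts"].setdefault(team, set()).update(ids)
        elif p.get("PayloadType") == SYSEXT_TYPE:
            for team, ids in p.get("AllowedSystemExtensions", {}).items():
                r["sysexts"].setdefault(team, set()).update(ids)
    return r

# Constructed placeholders (TEAMID0001, com.example.*) stand in for real IDs.
EXAMPLE = build_profile("kext.ExampleDrive", "edu.example.kext.exampledrive", [
    kext_policy({"TEAMID0001": ["com.example.drive.kext"]}),
    sysext_policy({"TEAMID0001": ["com.example.drive.fileprovider"]},
                  {"TEAMID0001": ["EndpointSecurityExtension"]})])
```

Running `audit_profile` over a profile a vendor supplies shows at a glance whether it pins specific bundle IDs or approves an entire Team ID, and whether it leaves user overrides on.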
"Blanket" Kext and Sysext Management via Workspace ONE
IT Pros in Workspace ONE stakeholder units can choose to opt in to global smart groups providing “blanket” extension management. 10.13.4+ Macs in the new smart groups automatically receive *all* global kext profiles, and 10.15+ Macs receive all sysext profiles, without any further action required by IT Pros or end users. Here’s how the blanket management option works:
- A global assignment (“smart”) group in Workspace ONE has been created specifically for the purpose of handling kext profiles, with platform and OS criteria set to macOS 10.13.4 and up.
- An additional global assignment group has been created for sysext profiles, with platform and OS criteria set to macOS 10.15.0 and up.
- Unit IT Pros who wish to opt in to blanket extension management may open a help request at go.illinois.edu/epshelp (selecting 'Workspace ONE' from the service dropdown and ‘Support’ from the request type dropdown), and specify which of their organization groups they’d like added to the assignment groups. Only organization groups can be added, as Workspace ONE doesn’t support nested assignment groups.
- When the EPS team creates a new kext or sysext profile, we will send an announcement to the mobile-device-management list with a release date.
- On the release date, the global assignment group will be added to the new profile, resulting in the profile's release to all eligible Macs in the units which opted in.
This proactive, automatic approach to extension management requires the least work from unit IT Pros. It does mean that profiles may be (harmlessly) applied where they are not needed — e.g. the kext.BoxDrive profile will be applied on Macs that don’t have Box Drive installed.