Endpoint Services, Jamf Pro, macOS System Extension Management

Information on managing and approving system extensions for macOS.

Systems

Jamf Pro

Affected Customers

University of Illinois IT Pros leveraging Technology Services Endpoint Services Jamf Pro

Actions

General Information

With macOS 10.15, Apple introduced system extensions ("sysexts"), which allow approved software to access extended macOS functionality, such as security monitoring, network filtering, and storage integration, without kernel-level access. As of macOS 11, kernel extensions, the legacy predecessor to system extensions, are fully deprecated and unsupported by default. Software developers have been encouraged to leverage system extensions since.

When an application that uses a system extension is launched for the first time, macOS may prompt the user to approve the system extension in the System Settings app. However, for Macs enrolled in Jamf Pro, these extensions may be pre-approved through a configuration profile so that users never receive the prompt.

Jamf Pro System Extension Profiles

Jamf Pro supports system extension profiles, which pre-approve trusted system extensions to load silently without requiring user interaction. The Endpoint Services (EPS) team maintains and automatically manages system extensions for all Macs enrolled in Jamf Pro for common applications, including CrowdStrike Falcon, Cisco Secure Client (VPN), Box Drive, and Google Drive for Desktop.

IT professionals may request the creation of additional global system extension profiles for additional applications by opening a support request with the Endpoint Services team.

Manual System Extension Approval by Users

If a Mac is not yet fully managed by Jamf Pro or a user installs software before a corresponding system extension profile is applied, macOS may display a prompt that a system extension was blocked.

For macOS 15 and later, users can manually approve a system extension by following these steps:

  1. Open the System Settings app
  2. Navigate to General → Login Items & Extensions
  3. Locate the Extensions section.
  4. Click the ⓘ next to the appropriate application or extension category (Network Extensions, Endpoint Security Extension, etc.).
  5. Enable the toggle next to the application name, entering an administrator's password when prompted.
    Image showing network extensions with the cisco secure client - socket filter option being selected

For macOS 14 and earlier, users can manually approve a system extension by following these steps:

  1. Open the System Settings app (or the System Preferences app in macOS 12 and earlier).
  2. Navigate to General → Privacy & Security
  3. Scroll down through the main pane and look for the message stating that software from the identified developer was blocked.
  4. Click the Allow button to approve the system extension.
  5. Restart the Mac if prompted.

Note: The “Allow” option is only available for 30 minutes after the initial block. If the button is no longer visible, re-launch the app or reboot the Mac to re-trigger the approval dialog.

Contact the EPS team


Keywords:
endpoint EPS mdm jamf pro "jamf pro" mac macOS TechS-EPS-Jamf kernel kext sysext system extension 
Doc ID:
156863
Owned by:
EPS Distribution List G. in University of Illinois Technology Services
Created:
2025-11-20
Updated:
2025-12-09
Sites:
University of Illinois Technology Services