Endpoint Services, macOS User-Approved Kernel Extension Loading
Information on secure kernel extension loading with macOS 10.13.4 and up.
Workspace ONE Unified Endpoint Management (UEM)
Munki Mac Endpoint Management
University of Illinois IT Pros managing macOS endpoints, with or without leveraging Technology Services Endpoint Service Workspace ONE UEM.
- General Information
- Workspace ONE Kernel Extension (kext) Profiles
- "Blanket" Kext Management via Workspace ONE
- Additional Resources
Beginning with macOS 10.13.4, Apple began prompting end users to enable kernel extensions ("kexts") for some common applications and device drivers, including Box Drive, Cisco AnyConnect, VirtualBox, VMware Fusion, and newer HP printers. For example, when Box Drive is launched for the first time on macOS 10.14, the end user will receive the following prompt:
The user, whether an admin or a standard user, can follow the directions to open System Preferences - Security & Privacy - General and click “Allow”, enabling the Box Drive kernel extension to load for all users on the system:
This action is required before the application will run. In some cases, however, the end user cannot enable the extension and the software will fail to run. This can happen for any of the following reasons:
- The user delayed the “Allow” action by more than half an hour, in which case the “Allow” button disappears.
- The user is running third-party software emulation for input devices.
- The user is using third-party creative tablets or pens.
- The Mac is being controlled via a screen-sharing utility, including Apple Remote Desktop.
In the first case, where the “Allow” button is no longer available, a restart *may* reinstate it (but doesn’t always); in the other cases, the “Allow” button is visible but not clickable until the interfering software, device or screen-sharing session is removed.
As we continue to see an increasing number of macOS applications requiring kext approval, the EPS service attempts to anticipate stakeholder impact and offer practical solutions. Due to Apple restrictions, third-party tools such as Munki can’t be used to apply kernel extension approval, but MDM/UEM systems such as Workspace ONE can.
Workspace ONE supports Kernel Extension Policy profiles, which pre-approve kexts for all users on a device without any end-user interaction. The EPS team currently creates global profiles for new kext policies as we become aware of them. While unit Workspace ONE admins can create their own site profiles, they can also take advantage of the globally managed profiles in one of three ways: by asking EPS to assign their site to a global profile; by duplicating a global profile to their own site; or by opting in to “blanket” kext management.
IT Pros in Workspace ONE stakeholder units can choose to opt in to a global smart group providing “blanket” kext management. 10.13.4+ Macs in the new smart group automatically receive *all* global kext profiles without any further action required by IT Pros or end users. Here’s how the blanket management option works:
- A global assignment (“smart”) group in Workspace ONE has been created specifically for the purpose of handling kext profiles, with platform and OS criteria set to macOS 10.13.4 and up.
- Unit IT Pros who wish to opt in to blanket kext management may open a help request at go.illinois.edu/epshelp (selecting “Workspace ONE” from the service dropdown and “Support” from the request type dropdown) and specify which of their organization groups they’d like added to the smart group. Only organization groups can be added, as Workspace ONE doesn’t support nested assignment groups.
- When the EPS team creates a new kext profile, we will send an announcement to the mobile-device-management list with a release date.
- On the release date, the global assignment group will be added to the new kext profile, resulting in the profile's release to all macOS 10.13.4+ devices in the units which opted in.
This proactive, automatic approach to kext management requires the least work from unit IT Pros. It does mean that profiles may be (harmlessly) applied where they are not needed; for example, the kext.BoxDrive profile will be applied on Macs that don’t have Box Drive installed.
- Prepare your institution for macOS High Sierra 10.13.4
- Prepare for changes to kernel extensions in macOS High Sierra