Explained: macOS Kernel and System Extensions

Last updated August 12, 2021

macOS and OS X have traditionally allowed Kernel Extensions so that applications can access OS-level functionality on the device, including resources such as memory, disk access, and other hardware. While Kernel Extensions provide a great deal of functionality, they can also introduce security vulnerabilities.

In macOS 10.15, Apple introduced System Extensions, which are intended to replace Kernel Extensions. System Extensions give third-party developers access to certain system functionality without the level of exposure that Kernel Extensions carry. Since their introduction, Apple has been encouraging developers to move to this more modern approach.

On devices running macOS 10.13 and later, Kernel Extensions must be approved by a local system administrator and/or whitelisted via an MDM service before they are enabled. On devices with Apple Silicon (M1) hardware, the process additionally requires the user to boot into recovery mode and manually reduce the security level before such apps can run. Apple’s documentation explains this topic in more detail: https://support.apple.com/en-us/HT211860

Implementing Kernel Extensions and System Extensions with MDM

SimpleMDM supports whitelisting both Kernel Extensions and System Extensions. Per Apple’s design, the Team Identifier, the Bundle Identifier, or both must be specified in the profile in order to pre-approve a Kernel Extension or a System Extension. Here are example screenshots of both profiles for the Google Drive application:

Obtaining an App’s Bundle Identifier

One way to obtain an application’s Bundle Identifier manually requires physical access to a macOS device on which the application is installed. Once it is installed, run the following command in Terminal:

osascript -e 'id of app "[NAME OF APP]"'

For Google Drive, the command would look like this:

osascript -e 'id of app "Google Drive.app"'

To obtain the Team Identifier for a Kernel Extension, the Mac must also have the app installed. Run the following in Terminal; the first command opens the kext policy database in the sqlite3 shell and the second queries it:

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;

This outputs the team IDs and bundle IDs of any installed apps that use Kernel Extensions.

Activating the Settings

To allow an app that uses Kernel Extensions to run on a macOS Big Sur device managed with SimpleMDM, you’ll need to do one of the following to complete the process:

  • Have the user manually approve the extension within System Preferences > Security & Privacy. This requires admin credentials by default. If the Kernel Extension has been whitelisted via a profile deployed through SimpleMDM, this isn’t necessary. If you have deployed a Kernel Extension Policy profile via SimpleMDM but the app is not listed in the profile, you can set the “Other extension approval” option within the profile settings to “Any User”, which allows standard users to approve extensions manually without admin authentication (this is only available on macOS Big Sur and higher).
  • Send the “Restart” command to the device via SimpleMDM and set the “Rebuild Kernel Cache” option to “Yes” when sending the command.

System Extension Policy profiles require similar information: you will need to include either the Team Identifier or the Bundle Identifier (or both) for any apps you want to permit. On macOS Big Sur, unlike Kernel Extensions, System Extensions only require the profile to permit them; additional steps such as a restart are not necessary.
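As an added example (not code from this article or from SimpleMDM), the following Python script ties the two halves of the procedure together: it reads the kext_policy table queried above, keeps only entries that have already been approved, and assembles the AllowedTeamIdentifiers and AllowedKernelExtensions structure that a kernel-extension-policy profile carries. The kext_policy column names, the sample rows, and the placeholder identifiers are assumptions made for this example, and the in-memory database stands in for the real KextPolicy file.

```python
import sqlite3
import plistlib

# Constructed sample rows with placeholder team IDs and bundle IDs (not real vendors).
SAMPLE_ROWS = [
    ("ABCDE12345", "com.example.drivefs.kext", 1, "Example Corp", 1),
    ("ABCDE12345", "com.example.drivefs.kext", 1, "Example Corp", 1),  # duplicate entry
    ("ZYXWV98765", "com.example.vpn.kext", 0, "Example VPN", 1),      # never approved
]

def make_sample_db():
    """In-memory stand-in for /var/db/SystemPolicyConfiguration/KextPolicy. The
    kext_policy column names are an assumption based on macOS 10.13 and later."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
                 "allowed INTEGER, developer_name TEXT, flags INTEGER)")
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def collect_allowed_kexts(conn, only_approved=True):
    """Group bundle IDs by team ID, the shape the AllowedKernelExtensions key takes.
    Rows nobody approved (allowed = 0) are skipped by default so an unreviewed
    kext is not silently whitelisted; duplicate rows are collapsed."""
    allowed = {}
    query = "SELECT team_id, bundle_id, allowed FROM kext_policy ORDER BY team_id, bundle_id"
    for team_id, bundle_id, is_allowed in conn.execute(query):
        if only_approved and not is_allowed:
            continue
        bundles = allowed.setdefault(team_id, [])
        if bundle_id not in bundles:
            bundles.append(bundle_id)
    return allowed

def kext_policy_payload(allowed, allow_user_overrides=False):
    """Payload dict for a com.apple.syspolicy.kernel-extension-policy profile;
    PayloadIdentifier and PayloadUUID are placeholders for this example."""
    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kext-policy",            # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",    # placeholder
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(allowed),
        "AllowedKernelExtensions": {t: sorted(b) for t, b in allowed.items()},
    }

def payload_plist(allowed):
    """XML plist text of the payload, for inspection or diffing against the MDM."""
    return plistlib.dumps(kext_policy_payload(allowed)).decode()
```

On a managed Mac, passing sqlite3.connect("/var/db/SystemPolicyConfiguration/KextPolicy") (run with sudo) in place of make_sample_db() yields the identifiers actually recorded on that device, which are the same Team and Bundle Identifiers you enter in the SimpleMDM profile.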
