Migrating to the Jamf Protect System Extension

On computers with macOS 10.15 or later, Jamf Protect runs as a macOS system extension. This improves the performance, stability, and integrity of Jamf Protect on computers while continuing to run in the user space.

Important:

Migrating computers to the system extension is not required but strongly recommended. Computers that do not meet the requirements to run the system extension will continue to run Jamf Protect as a launch daemon.

To ensure a successful migration, administrators are encouraged to complete the following steps:

  1. Upgrade computers to macOS 10.15 or later.

    macOS system extensions are not supported on macOS 10.14 or earlier, so Jamf Protect will continue to run as a launch daemon on those computers until they are upgraded to a later version of macOS. For instructions on managing macOS upgrades using Jamf Pro, see the Deploying macOS Upgrades and Updates with Jamf Pro technical paper.

  2. Safelist Jamf Protect by deploying the required System Extension and Privacy Preference Policy Control (PPPC) payloads in a configuration profile.

    Deploying this configuration profile ensures that the system extension will be enabled without being blocked or requiring user interaction. You can deploy a configuration profile with these payloads using any of the following methods:

    • (Recommended for Jamf Pro users) Computer Management - Security settings in Jamf Pro

      If you use Jamf Pro, the system extension payload can be globally deployed by navigating to Settings > Computer Management - Security and selecting the Automatically install a Privacy Preferences Policy Control profile checkbox for Jamf Protect.

      This method installs the required payloads as a separate configuration profile and ensures you don't need to re-deploy existing plans to computers. This setting also deploys the profile to all computers in your organization that are enrolled in Jamf Pro.

      Note: The system extension payload is only included in this setting beginning with Jamf Pro 10.31.0. For more information, see the Jamf Pro Release Notes.
    • (Recommended for existing tenants using another MDM solution) Separate download in Jamf Protect

      You can download a separate configuration profile for deployment that includes the system extension payload from the Jamf Protect web app by navigating to Administrative > Downloads and downloading the PPPC and System Extension Profile.

      This method allows you to install the required payloads without re-deploying existing plans and is recommended for environments that are not managed by Jamf Pro.

    • (Recommended for new tenants) Plan configuration profiles
      Plan configuration profiles downloaded from Jamf Protect after August 5, 2021 automatically include the required payloads. This includes any plans that are synced with Jamf Pro for the first time after August 5.
      Warning:

      Plans that were downloaded and deployed on or before August 5 do not have the required PPPC and system extension payloads. This includes any plans that were synced with Jamf Pro before August 5. To include the required payloads in your existing plans rather than deploying a separate profile, re-download the plans from the Jamf Protect web app and re-deploy them to target computers.

      This method is only recommended for deploying new plans and environments with Jamf Protect tenants created after August 5.
  3. Upgrade to Jamf Protect agent 2.0.0 or later.
    If the Enable AutoUpdate checkbox is enabled in a computer's plan settings, computers automatically install the latest version of the agent the next time they check in with Jamf Protect. This will automatically trigger the migration process.
    Note:

    If you do not want to immediately migrate to the system extension, you can either deselect the Enable AutoUpdate checkbox or delay installation of the PPPC and system extension payloads until you are ready to migrate. This ensures Jamf Protect continues to run on computers as a launch daemon.

The Jamf Protect system extension is enabled the next time the sudo protectctl repair command is executed (this happens automatically every 15 minutes).

To confirm that Jamf Protect is running as a system extension on computers, execute sudo protectctl info and ensure the InstallType is System Extension.
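The confirmation step above can be scripted for a fleet-wide check. The following is an added example, not a Jamf-provided script: it classifies a Mac from its macOS version and the output of protectctl info. The "InstallType: <value>" line layout, the "Launch Daemon" sample value used for testing, and the state names it prints are assumptions.

```shell
#!/bin/sh
# Added example: classify a Mac's migration state from its macOS version
# and the text printed by `protectctl info`. Run as root on the Mac.

# Succeeds when the macOS version (e.g. "10.15.7", "11.6") is 10.15 or later.
macos_supports_sysext() {
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then rest=0; fi   # version had no minor component
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }
}

# Prints the InstallType value found in `protectctl info` output on stdin.
# Assumption: the value sits on a line shaped like "InstallType: <value>".
install_type_from_info() {
    awk -F': *' '/^[ \t]*InstallType:/ { print $2; exit }'
}

# Prints one of: migrated | pending | unsupported-os | unknown
# $1 = macOS version string, $2 = full text of `protectctl info`
migration_state() {
    os_version=$1
    install_type=$(printf '%s\n' "$2" | install_type_from_info)
    if ! macos_supports_sysext "$os_version"; then
        echo "unsupported-os"   # step 1 not met; launch daemon is expected
    elif [ "$install_type" = "System Extension" ]; then
        echo "migrated"
    elif [ -n "$install_type" ]; then
        echo "pending"          # supported OS, agent not yet a system extension
    else
        echo "unknown"          # no InstallType line in the output
    fi
}

# Live check: runs only where both tools exist, so the script is a no-op elsewhere.
if command -v protectctl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    migration_state "$(sw_vers -productVersion)" "$(protectctl info 2>/dev/null)"
fi
```

A result of pending on a supported macOS version points back to steps 2 and 3: the PPPC and system extension payloads, or the agent version.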

To learn more about macOS system extensions, see the following from Apple's Support web site: