Safelisting Kernel Extensions

To improve a computer's security, kernel extensions installed with or after the installation of macOS 10.13 or later require user consent to load. This is known as User Approved Kernel Extension Loading. Any user can approve a kernel extension, even if they do not have administrator privileges.

Kernel extensions do not require authorization if they meet any of the following criteria:

  • Kernel extensions were on the computer before the upgrade to macOS 10.13 or later.

  • Kernel extensions are replacing previously approved extensions.

  • Kernel extensions are allowed to load without user consent by using the spctl command while booted to macOS Recovery.

  • Kernel extensions are installed on a computer enrolled in Mobile Device Management (MDM).

  • Kernel extensions are allowed to load via MDM configuration. Starting with macOS High Sierra 10.13.2, you can use MDM to specify a list of kernel extensions which will load without user consent. This option requires a computer running macOS 10.13.2 or later which is either enrolled in MDM via Automated Device Enrollment (formerly DEP) or whose MDM enrollment is User Approved.

Before you can safelist kernel extensions, you must find the team identifier and the bundle identifier for each kernel extension you want to safelist.

Finding the Team Identifier and Bundle Identifier

  1. Get a clean install of macOS 10.13 and install all the kernel extensions you need.

  2. When prompted, click OK.

  3. Navigate to System Preferences > Security & Privacy and click Allow.

  4. Once all of your kernel extensions load, open Terminal and execute the following command:

    sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

  5. Execute the following command:

    SELECT * FROM kext_policy;

You will see the Team ID and the bundle ID for each individual extension, and the display name of the developer. Note the Team ID is the first item listed. You will need all the IDs for the extensions you want to safelist.


Safelisting Kernel Extensions in Jamf School


To manage required legacy kernel extensions on computers with macOS 11 or later with Apple silicon, the target computers must have a bootstrap token escrowed with Jamf School.


  1. In Jamf School, navigate to Profiles in the sidebar.

  2. Create a new macOS profile and scope the profile to devices that are enrolled using User Approved Enrollment.
    For information, see Device Profiles.

  3. Using the Kernel Extension Loading payload, click Configure.

  4. Enter all Team IDs and/or Bundle IDs you want to safelist. A kernel extension can be safelisted by specifying one of the following:

  • The Team Identifier that signed the kernel extension. For example: EG7KH642X6

  • The Team Identifier and Bundle Identifier of a specific kernel extension, separated with a comma. For example: EG7KH642X6 and com.vmware.kext.vmnet,com.vmware.kext.vmci

  • Only the Bundle Identifier of a specific, unsigned kernel extension as shown in the image below.
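
The following added example (not Jamf's or Apple's code) turns the kext_policy rows found earlier into the three kinds of entry listed above, defaulting to the narrowest grant (Team ID plus Bundle ID) instead of trusting a whole team. Assumptions: the column names team_id, bundle_id and allowed, and the constructed sample rows (only the VMware identifiers come from this page); the key names are those of Apple's kernel extension policy payload.

```python
import plistlib
import sqlite3
from collections import defaultdict

# Database path from the sqlite3 command on this page. To read the real file:
#   sqlite3.connect(f"file:{KEXT_POLICY_DB}?mode=ro", uri=True)
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

def read_approved_kexts(conn):
    """Return (team_id, bundle_id) for rows the user approved.
    Assumption: columns are named team_id, bundle_id and allowed."""
    rows = conn.execute("SELECT team_id, bundle_id FROM kext_policy "
                        "WHERE allowed = 1 ORDER BY team_id, bundle_id")
    return [(team or "", bundle) for team, bundle in rows]

def build_payload(rows, trust_whole_team=()):
    """Map approved kexts onto the three safelisting options.
    Default is the narrowest grant: team ID plus bundle ID. Teams named in
    trust_whole_team are allowed by team ID alone. Unsigned kexts (empty
    team ID) are listed by bundle ID under the "" key."""
    seen = {team for team, _ in rows} - {""}
    by_team = defaultdict(list)
    for team, bundle in rows:
        if team == "" or team not in trust_whole_team:
            by_team[team].append(bundle)
    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "AllowedTeamIdentifiers": sorted(seen & set(trust_whole_team)),
        "AllowedKernelExtensions": dict(by_team),
    }

def payload_xml(payload):
    """Serialize the payload keys as an XML property list."""
    return plistlib.dumps(payload).decode()

def sample_db():
    """Constructed in-memory stand-in for the KextPolicy database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
                 "allowed BOOLEAN, developer_name TEXT, flags INTEGER)")
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", [
        ("EG7KH642X6", "com.vmware.kext.vmnet", 1, "VMware, Inc.", 0),
        ("EG7KH642X6", "com.vmware.kext.vmci", 1, "VMware, Inc.", 0),
        ("ABCDE12345", "com.example.kext.denied", 0, "Example Corp", 0),
        ("", "com.example.kext.unsigned", 1, "", 0),
    ])
    return conn

if __name__ == "__main__":
    print(payload_xml(build_payload(read_approved_kexts(sample_db()))))
```

Rows with allowed set to 0 are left out, so an extension a user declined on the reference computer is not carried into the safelist.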


© copyright 2002-2021 Jamf. All rights reserved.