Whitelisting Kernel Extensions

To improve a computer's security, kernel extensions installed with or after the installation of macOS 10.13 or later require user consent to load. This is known as User Approved Kernel Extension Loading. Any user can approve a kernel extension, even if they do not have administrator privileges.

Kernel extensions do not require authorization if they meet any of the following criteria:

  • Kernel extensions were on the computer before the upgrade to macOS 10.13 or later.

  • Kernel extensions are replacing previously approved extensions.

  • Kernel extensions are allowed to load without user consent by using the spctl command while booted to macOS Recovery.

  • Kernel extensions are installed on a computer enrolled in Mobile Device Management (MDM).

  • Kernel extensions are allowed to load via MDM configuration. Starting with macOS High Sierra 10.13.2, you can use MDM to specify a list of kernel extensions which will load without user consent. This option requires a computer running macOS 10.13.2 or later which is either enrolled in MDM via Automated Device Enrollment (formerly DEP) or whose MDM enrollment is User Approved.

Whitelisting Kernel Extensions in Jamf School

  1. In Jamf School, navigate to Profiles in the sidebar.

  2. Create a new macOS profile and scope the profile to devices that are enrolled using User Approved Enrollment.
    For information, see Creating and Distributing Profiles.

  3. Using the Kernel Extension Loading payload, click Configure.

  4. Enter all Team IDs and/or Bundle IDs you want to whitelist. A kernel extension can be whitelisted by specifying one of the following:

  • The Team Identifier that signed the kernel extension. For example: EG7KH642X6

  • The Team Identifier and Bundle Identifier of a specific kernel extension, separated with a comma. For example: Team Identifier EG7KH642X6 with Bundle Identifiers com.vmware.kext.vmnet,com.vmware.kext.vmci

  • Only the Bundle Identifier of a specific unsigned kernel extension, as shown in the screenshot below.

    [Screenshot: kext2.png]

Finding the Team Identifier and Bundle Identifier

  1. Get a clean install of macOS 10.13 and install all the kernel extensions you need.

  2. When prompted, click OK.

  3. Navigate to System Preferences > Security and click Allow.

  4. Once all of your kernel extensions load, open Terminal and execute the following command:

    sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

  5. At the sqlite3 prompt, execute the following query:

    SELECT * FROM kext_policy;

You will see the Team ID and the bundle ID for each individual extension, and the display name of the developer. Note the Team ID is the first item listed. You will need all the IDs for the extensions you wish to whitelist.
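As an added example (not part of the Jamf documentation), the script below does what the manual query above does, but from a script: it reads rows shaped like the kext_policy table, keeps only extensions the user actually approved (allowed = 1), and groups Bundle IDs under their Team ID in the form the Kernel Extension Loading payload expects. The column names are assumed from the KextPolicy schema, and the rows are constructed here so the script runs without the real database; on a Mac you would point sqlite3.connect at /var/db/SystemPolicyConfiguration/KextPolicy instead.

```python
import sqlite3
from collections import defaultdict

# Constructed sample rows in the assumed kext_policy layout:
# (team_id, bundle_id, allowed, developer_name, flags).
# The VMware IDs are the ones shown on the page; the rest is made up.
SAMPLE_ROWS = [
    ("EG7KH642X6", "com.vmware.kext.vmnet", 1, "VMware, Inc.", 1),
    ("EG7KH642X6", "com.vmware.kext.vmci", 1, "VMware, Inc.", 1),
    ("EG7KH642X6", "com.vmware.kext.vmx86", 0, "VMware, Inc.", 1),  # denied by the user
    (None, "com.example.unsigned.driver", 1, None, 1),             # unsigned, no Team ID
]


def build_sample_db():
    """Create an in-memory SQLite database shaped like KextPolicy (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
        "allowed BOOLEAN, developer_name TEXT, flags INTEGER, "
        "PRIMARY KEY (team_id, bundle_id))"
    )
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def approved_kexts(conn):
    """Return {team_id: [bundle_id, ...]} for extensions the user approved.

    Rows with allowed = 0 were denied and must not be whitelisted;
    unsigned extensions have no Team ID and are keyed under ''.
    """
    groups = defaultdict(list)
    query = "SELECT team_id, bundle_id FROM kext_policy WHERE allowed = 1 ORDER BY bundle_id"
    for team_id, bundle_id in conn.execute(query):
        groups[team_id or ""].append(bundle_id)
    return dict(groups)


def whitelist_entries(conn):
    """Format approved extensions as (Team ID, comma-separated Bundle IDs) pairs;
    an unsigned extension becomes ('', bundle_id), i.e. Bundle ID only."""
    entries = []
    for team_id, bundles in sorted(approved_kexts(conn).items()):
        if team_id:
            entries.append((team_id, ",".join(bundles)))
        else:
            entries.extend(("", b) for b in bundles)
    return entries


if __name__ == "__main__":
    for team, bundles in whitelist_entries(build_sample_db()):
        print(f"{team or '<unsigned>'}\t{bundles}")
```

Review the allowed = 0 rows before building the profile: an extension the user declined on the reference Mac should not end up whitelisted fleet-wide by accident.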

[Screenshot: kext-whitelist.png]

© copyright 2002-2019 Jamf. All rights reserved.