Whitelisting Kernel Extensions

To improve security on the Mac, kernel extensions installed with or after the installation of macOS High Sierra require user consent in order to load. This is known as User Approved Kernel Extension Loading. Any user can approve a kernel extension, even if they do not have administrator privileges.

See the following list for circumstances in which kernel extensions do not require authorization:

  • Kernel extensions were on the Mac before the upgrade to macOS High Sierra.

  • Kernel extensions are replacing previously approved extensions.

  • Kernel extensions are allowed to load without user consent by using the spctl command while booted to macOS Recovery.

  • Kernel extensions are installed on a Mac enrolled in Mobile Device Management (MDM).

  • Kernel extensions are allowed to load via MDM configuration. Starting with macOS High Sierra 10.13.2, you can use MDM to specify a list of kernel extensions which will load without user consent. This option requires a Mac running macOS High Sierra 10.13.2 which is either enrolled in MDM via Automated Device Enrollment (formerly DEP) or whose MDM enrollment is User Approved.

Whitelisting Kernel Extensions in Jamf School

  1. In Jamf School, go to Profiles and create a new macOS profile. Scope the profile to devices that are enrolled using User Approved Enrollment. For information on User Approved Enrollment, see User Approved MDM Enrollment for macOS.

  2. In the profile settings, click on Kernel Extension Loading and click Configure.

  3. Enter all Team IDs and/or Bundle IDs you want to whitelist. A kernel extension can be whitelisted by specifying one of the following:

  • The Team Identifier that signed the kernel extension. For example, EG7KH642X6

  • The Team Identifier together with the Bundle Identifiers of specific kernel extensions, with multiple Bundle Identifiers separated by commas. For example, Team Identifier EG7KH642X6 with Bundle Identifiers com.vmware.kext.vmnet,com.vmware.kext.vmci

  • Only the Bundle Identifier of a specific, unsigned kernel extension, as shown in the screenshot below.

    [Screenshot: kext2.png]

Finding the Team Identifier and Bundle Identifier

First, get a clean install of macOS High Sierra (not an upgrade) and install all the Kexts you need. Click OK at the prompt and navigate to System Preferences > Security and click on Allow.

Once all of your Kexts are loaded, start the Terminal and open up the database that actually stores all of this information by typing the following command:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

Next, type the following command:

SELECT * FROM kext_policy;

You will see the Team ID, the bundle ID for each individual extension, and the display name of the developer. Note the Team ID, the first item. You will need all the IDs for the extensions you wish to whitelist.

[Screenshot: kext-whitelist.png]
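The manual sqlite3 session above is enough for a handful of extensions; for a fleet build it is easier to pull the approved rows out of KextPolicy and group them into the three entry forms the Jamf School payload accepts (Team ID only, Team ID plus comma-separated Bundle IDs, or Bundle ID only for an unsigned kext). The script below is an added example, not part of the Jamf documentation. It assumes the kext_policy table has the columns team_id, bundle_id, allowed, developer_name and flags, and it builds a constructed in-memory copy of that table so it can run anywhere; the Team IDs EXAMPLE001 and EXAMPLE002, the com.example bundle identifiers and the developer names are made up. On a real Mac, point it at the path from the page instead.

```python
"""Turn approved kext_policy rows into Jamf School kernel extension whitelist entries."""
import sqlite3
from collections import OrderedDict

# Database the page points at; reading it normally requires root on macOS.
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Constructed sample rows in the ASSUMED kext_policy column order:
# (team_id, bundle_id, allowed, developer_name, flags). Only EG7KH642X6 and
# the two VMware bundle IDs come from the page; everything else is made up.
SAMPLE_ROWS = [
    ("EG7KH642X6", "com.vmware.kext.vmnet", 1, "VMware, Inc.", 1),
    ("EG7KH642X6", "com.vmware.kext.vmci", 1, "VMware, Inc.", 1),
    ("EXAMPLE001", "com.example.driver", 1, "Example Corp", 1),
    ("EXAMPLE002", "com.example.rejected", 0, "Example Corp", 1),   # never approved
    (None, "com.example.unsignedkext", 1, None, 8),                  # unsigned kext
]


def open_sample_db():
    """Create an in-memory database with the assumed kext_policy layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
        "allowed BOOLEAN, developer_name TEXT, flags INTEGER)"
    )
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def approved_kexts(conn):
    """Return (team_id, bundle_id, developer_name) for every approved extension.

    Rows with allowed = 0 are extensions the user declined or has not yet
    approved; they must not end up in the whitelist, so they are filtered out.
    """
    cur = conn.execute(
        "SELECT team_id, bundle_id, developer_name FROM kext_policy "
        "WHERE allowed = 1 ORDER BY team_id, bundle_id"
    )
    return cur.fetchall()


def whitelist_entries(rows):
    """Group approved rows into Jamf School entries.

    Signed kexts are collapsed per Team ID with their Bundle IDs joined by
    commas; a kext with no Team ID is unsigned and is listed by Bundle ID only.
    """
    by_team = OrderedDict()
    unsigned = []
    for team_id, bundle_id, _developer in rows:
        if team_id:
            by_team.setdefault(team_id, []).append(bundle_id)
        else:
            unsigned.append(bundle_id)
    entries = [
        {"team_id": team_id, "bundle_ids": ",".join(bundles)}
        for team_id, bundles in by_team.items()
    ]
    entries.extend({"team_id": "", "bundle_ids": b} for b in unsigned)
    return entries


def format_entry(entry):
    """Render one entry as 'TEAMID | bundle,ids' for pasting into the profile."""
    return f"{entry['team_id'] or '(unsigned)'} | {entry['bundle_ids']}"


def main(db_path=None):
    # With no path the constructed sample database is used; pass
    # KEXT_POLICY_DB on a macOS High Sierra machine to read the real table.
    conn = sqlite3.connect(db_path) if db_path else open_sample_db()
    for entry in whitelist_entries(approved_kexts(conn)):
        print(format_entry(entry))


if __name__ == "__main__":
    main()
```

Each printed line corresponds to one row in the Kernel Extension Loading payload: the Team ID on the left, the Bundle IDs on the right. Whitelisting a Team ID alone (the first form on the page) approves every kext that team signs, so it is worth keeping the Bundle ID list if you only want specific extensions from a vendor.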

© copyright 2002-2019 Jamf. All rights reserved.