System Extensions

Overview

Certain antivirus/network security applications require access to the hard disk and memory of devices, in order to function properly. For this purpose, you might need to Allowlist certain extensions on these devices. As a part of macOS 10.13, Apple introduced User Approved Kernel Extension Loading (UAKEL) which gave users full control to approve or deny Kernel extensions during software installation.

However, Mac machines in which you remotely approve these extensions using an MDM solution must hold a User Approved MDM (UAMDM) status. Mobile Device Manager Plus MSP' enrollment methods automatically grant the UAMDM status to managed Mac machines. As a result of this, you can Allowlist both Kernel Extensions and System Extensions which include Network, Driver, as well as Security extensions.

Prerequisite(s)

OS requirement:

macOS 10.13 or later - To approve Kernel Extensions
macOS 10.14 or later - To approve System Extensions

User Approved MDM (UAMDM) status is required on managed Macs.

Profile Settings

PROFILE SPECIFICATION	DESCRIPTION
Allow users to approve kernel/system extensions manually	Enabling this allows users to manually approve or block the extensions which are not specified in this policy.
Team identifier	To approve extensions developed by a vendor, provide their Team identifier.
Allowed Extension Categories	Select at least one category of extensions you want to Allowlist.
Extension bundle identifier(s)	To approve specific extensions developed by a vendor which belongs to particular categories, specify their unique bundle identifier(s). If this is left unspecified, all the extensions with the same Team identifier will be approved.

To Allowlist the complete set of extensions developed by a vendor, across all categories:

Specify the Team identifier of the vendor and ensure all the Allowed Extension Categories are selected before saving the policy.

To Allowlist a specific set of extensions developed by a vendor, which belongs to one or more categories:

Specify the Team identifier of the vendor and ensure you select at least one or more Allowed Extension Categories before saving the policy.

To Allowlist a particular extension developed by a vendor, which belongs to a specific category:

Specify the Team identifier of the vendor, the particular Extension bundle identifier, and select the extension's category as well. You can also add multiple Extension bundle identifiers if need be.

How to obtain Team identifier and Extension bundle identifier(s)

On a fresh installation of macOS 10.14 or later, install all the extensions your users require.
When a request to load a third-party extension is made to the OS, you will be prompted to provide your consent.
Now, go to System Preferences -> Security & Privacy, and click on Allow for all the required extensions.

NOTE: This approval is available for only 30 minutes. For it to reappear, the Mac machine must be restarted to load the extension once again.

Once you approve all required extensions, open Terminal and run the following command:
sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * FROM kext_policy"
The output will look like this. The first segment is the Team identifier; the second segment is the Extension bundle identifier; followed by the vendor's display name.

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * FROM kext_policy"
2Y8XE5CQ94|com.kaspersky.kext.klif|1|Kaspersky Lab UK Limited|1
2Y8XE5CQ94|com.kaspersky.kext.kimul|1|Kaspersky Lab UK Limited|1
2Y8XE5CQ94|com.kaspersky.kext.mark.1.0.6|1|Kaspersky Lab UK Limited|1
2Y8XE5CQ94|com.kaspersky.nke|1|Kaspersky Lab UK Limited|1
AH4XFXJ7DK|com.fortinet.fct.kext.ipsec|1|Fortinet, Inc|1
AH4XFXJ7DK|com.fortinet.kext.fctrouternke|1|Fortinet, Inc|1
VB5E2TV963|org.virtualbox.kext.VBoxDrv|1|Oracle America, Inc.|1
VB5E2TV963|org.virtualbox.kext.VBoxUSB|1|Oracle America, Inc.|1
VB5E2TV963|org.virtualbox.kext.VBoxNetFlt|1|Oracle America, Inc.|1
VB5E2TV963|org.virtualbox.kext.VBoxNetAdp|1|Oracle America, Inc.|1
Z3L495V9L4|com.intel.kext.intelhaxm|1|Intel Corporation Apps|1
QX5T8D6EDU|com.bluestacks.kext.Hypervisor|1|BlueStack Systems, Inc.|1

ManageEngine