[Deep Dive] User Approved Kernel Extension Loading in macOS High Sierra
Do you use hardware drivers or software for security, compliance, audio, video, or virtualization on macOS? If so, user approved kernel extension loading, a new feature in macOS High Sierra 10.13.2, might affect you.
Starting with High Sierra, macOS devices now require user approval to load third-party kernel extensions (KEXTs).
Today’s post explains the impact of this change and possible solutions.
User Approved Kernel Extension Loading
Starting with the OS X 10.9 (Mavericks) release, the controls around kernel extensions have slowly tightened. Now, in macOS 10.13.2, requests to load non-user approved KEXTs are denied.
This behavior might present a number of problems for users and administrators:
- Incomplete Installs – Apps may appear to install, but the KEXTs get blocked.
- Lack of Control – Non-administrative users can approve KEXTs.
- Muddled User Experience – Errors generated by apps or installers may confuse end-users.
- Network Exposure – Approval through the Security & Privacy preference panel allows every KEXT signed by that Team Identifier, not just the single KEXT that attempted to load.
However, there are some caveats to this behavior:
- Only New KEXTs Require Approval – Pre-existing KEXTs on machines upgraded to macOS 10.13.2 are automatically granted approval. This also applies to replacements for previously allowed KEXTs.
- Disabled on MDM-Enabled Devices – User-approved kernel extension loading remains disabled on machines that enrolled in MDM before upgrading to macOS 10.13.2.
Note: as of macOS 10.13.4, user-approved kernel extension loading is no longer disabled on MDM-enrolled devices.
- MDM Vendor Override – On devices enrolled through user-approved MDM, bypass user consent by whitelisting the Team Identifiers and Bundle Identifiers of specific KEXTs.
Manage Third-Party KEXTs with VMware AirWatch
User-approved, MDM-enrolled devices can automatically approve whitelisted KEXTs. To create a whitelist with VMware AirWatch, list KEXT identifiers in a profile payload.
Retrieve Kernel Extension Identifiers
In order to whitelist a KEXT, you need its bundle and team identifier. With VMware AirWatch, administrators deploy a script to machines as a product to retrieve and populate this information in the AirWatch Console.
- Deploy the KEXT Custom Attributes via Products script, which searches three common locations for KEXTs.
- The script then writes the Team Identifier and Bundle Identifier directly to the Custom Attributes file on the macOS device.
- Next, the AirWatch Agent for macOS sends the list of custom attributes to the AirWatch Console.
- In the AirWatch Console, these attributes display at Devices > Staging & Provisioning > Custom Attributes > List View.
Find examples of scripts deployed as products in the VMware AirWatch Product Provisioning of Microsoft Office 2016 for macOS Best Practices guide.
Configure a Kernel Extension Policy Profile
Allow applications and installers that use kernel extensions to load on devices running macOS v10.13.2 and later. Configure the profile, available in AirWatch 9.2.2 and above, in one of two ways:
- Add a list of Team Identifiers – Whitelist all bundles (current and future) signed with the listed Team Identifier.
- Add a list of Team Identifiers AND Bundle Identifiers – Control which bundle identifiers are allowed to load, and ensure the expected Team Identifier signs them.
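As an added example that is not VMware's KEXT Custom Attributes script or Apple's code, the Python below ties the two halves of this workflow together: it walks an assumed set of search roots for .kext bundles, reads each CFBundleIdentifier from Info.plist, parses the TeamIdentifier line from `codesign -dv --verbose=4` output, records the pairs as custom attributes in a placeholder plist path, and then builds the dictionary for a com.apple.syspolicy.kernel-extension-policy payload in either of the two forms described above (Team Identifiers only, or Team Identifiers plus Bundle Identifiers). The search roots, the custom attributes file path and key names, the Team Identifier ABCDE12345 and the bundle identifiers are constructed assumptions for the example; the payload keys AllowUserOverrides, AllowedTeamIdentifiers and AllowedKernelExtensions are Apple's.

```python
"""Added example (not VMware's or Apple's code): inventory third-party KEXTs,
record Team Identifier + Bundle Identifier pairs, and build the dictionary for a
Kernel Extension Policy payload in either of the two forms the page describes."""
import os
import plistlib
import re
import subprocess
import tempfile
import uuid

# Assumption: the page says the script checks "three common locations" but does
# not name them; these three are a reasonable guess for third-party KEXTs.
DEFAULT_SEARCH_ROOTS = ("/Library/Extensions",
                        "/Library/Application Support",
                        "/Applications")

# Placeholder: the real Custom Attributes file path is not given on the page.
CUSTOM_ATTRIBUTES_PLIST = "/path/to/CustomAttributes.plist"

_TEAM_ID_RE = re.compile(r"^TeamIdentifier=(.+)$", re.MULTILINE)


def find_kexts(search_roots):
    """Return every *.kext bundle below the roots, without descending into bundles."""
    found = []
    for root in search_roots:
        for dirpath, dirnames, _files in os.walk(root):
            for name in list(dirnames):
                if name.endswith(".kext"):
                    found.append(os.path.join(dirpath, name))
                    dirnames.remove(name)
    return sorted(found)


def bundle_identifier(kext_path):
    """CFBundleIdentifier from the bundle's Info.plist."""
    with open(os.path.join(kext_path, "Contents", "Info.plist"), "rb") as fh:
        return plistlib.load(fh).get("CFBundleIdentifier")


def parse_team_identifier(codesign_text):
    """TeamIdentifier from `codesign -dv --verbose=4` output; None if unsigned/ad hoc."""
    match = _TEAM_ID_RE.search(codesign_text)
    if match is None or match.group(1).strip() == "not set":
        return None
    return match.group(1).strip()


def codesign_team_identifier(kext_path):
    """Run codesign (macOS only); it prints the verbose details on stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", kext_path],
                          capture_output=True, text=True)
    return parse_team_identifier(proc.stderr + proc.stdout)


def inventory(search_roots=DEFAULT_SEARCH_ROOTS, team_lookup=codesign_team_identifier):
    """Map bundle identifier -> team identifier. Unsigned KEXTs keep None so they
    show up as unapprovable instead of silently vanishing from the report."""
    return {bundle_identifier(p): team_lookup(p) for p in find_kexts(search_roots)}


def write_custom_attributes(kexts, path=CUSTOM_ATTRIBUTES_PLIST):
    """Write one attribute per KEXT. Assumption: the file is a plist of string
    key/value pairs; the kext_<bundle> key naming is made up for this example."""
    attrs = {"kext_%s" % bundle: team or "UNSIGNED" for bundle, team in kexts.items()}
    with open(path, "wb") as fh:
        plistlib.dump(attrs, fh)
    return attrs


def build_policy_payload(kexts, by_bundle=True, allow_user_overrides=False):
    """Payload dict for com.apple.syspolicy.kernel-extension-policy.
    by_bundle=True  -> AllowedKernelExtensions {team: [bundle, ...]} (team AND bundle)
    by_bundle=False -> AllowedTeamIdentifiers [team, ...] (every current/future bundle)"""
    by_team = {}
    for bundle, team in kexts.items():
        if team:  # an unsigned KEXT has no team and cannot be whitelisted
            by_team.setdefault(team, []).append(bundle)
    payload = {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadIdentifier": "com.example.kext-policy",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "AllowUserOverrides": allow_user_overrides,
    }
    if by_bundle:
        payload["AllowedKernelExtensions"] = {t: sorted(b) for t, b in by_team.items()}
    else:
        payload["AllowedTeamIdentifiers"] = sorted(by_team)
    return payload


# Constructed sample (not real codesign output) so the example runs on any platform.
CONSTRUCTED_CODESIGN = {
    "com.example.audiodriver": "Identifier=com.example.audiodriver\nTeamIdentifier=ABCDE12345\n",
    "com.example.unsignedkext": "Identifier=com.example.unsignedkext\nTeamIdentifier=not set\n",
}


def make_constructed_root():
    """Create a temp tree holding two fake KEXT bundles with Info.plist files."""
    root = tempfile.mkdtemp()
    for bundle in CONSTRUCTED_CODESIGN:
        contents = os.path.join(root, "Extensions", bundle.split(".")[-1] + ".kext", "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bundle, "CFBundleVersion": "1.0"}, fh)
    return root


def demo():
    root = make_constructed_root()
    lookup = lambda p: parse_team_identifier(CONSTRUCTED_CODESIGN[bundle_identifier(p)])
    kexts = inventory([root], team_lookup=lookup)
    attrs = write_custom_attributes(kexts, os.path.join(root, "CustomAttributes.plist"))
    return kexts, attrs, build_policy_payload(kexts), build_policy_payload(kexts, by_bundle=False)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a real device you would call `inventory()` with the defaults so that `codesign` is run for each bundle; `demo()` substitutes the constructed codesign text so the flow can be exercised anywhere. The payload builder drops unsigned bundles rather than inventing a team for them, and it keeps AllowUserOverrides false so that approval comes only from the whitelist; the team-plus-bundle form is the tighter of the two because a team-only entry also admits every future KEXT that team signs.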
The following links provide more detail on user-approved kernel extension loading and how to discover or approve KEXTs: