Desktops Employee Experience Technical Guides VMware Workspace ONE

[Deep Dive] User Approved Kernel Extension Loading in macOS High Sierra

Do you use hardware drivers or software for security, compliance, audio, video, or virtualization on macOS? If so, user approved kernel extension loading, a new feature in macOS High Sierra 10.13.2, might affect you.

Kernel-ExtensionStarting with High Sierra, macOS devices now require user approval to load third-party kernel extensions (KEXTs).

Today’s post explains the impact of this change and possible solutions.

User Approved Kernel Extension Loading

Starting with the OS X 10.9 (Mavericks) release, the controls around kernel extensions have slowly tightened. Now, in macOS 10.13.2, requests to load non-user approved KEXTs are denied.

Figure 1: Kernel Extension Blocked

This behavior might present a number of problems for users and administrators:

  • Incomplete Installs – Apps may appear to install, but the KEXTs get blocked.
  • Lack of Control – Non-administrative users can approve KEXTs.
  • Muddled User Experience – Errors generated by apps or installers may confuse end-users.
  • Network Exposure – Approval through the Security & Privacy preference panel allows all KEXT(s) signed by that Team Identifier, not just the single KEXT that attempted to load.

    Figure 2: Prompt for User Approval to Load KEXT

However, there are some caveats to this behavior:

  • Only New KEXTs Require Approval – Pre-existing KEXTs on machines upgraded to macOS 10.13.2 are automatically granted approval. This applies to replacements for previously allowed KEXTs.
  • Disabled on MDM-Enabled Devices – User-approved kernel extension loading remains disabled on machines that enrolled in MDM before upgrading to macOS 10.13.2.
    [box type=”info”] As of macOS 10.13.4, user-approved kernel extension loading on is no longer disabled on MDM-enrolled devices.[/box]
  • MDM Vendor Override – Bypass user consent on user-approved MDM-enrolled devices by whitelisting team and bundle identifiers specific KEXTs

Manage Third-Party KEXTs with VMware AirWatch

User-approved, MDM-enrolled devices can automatically approve whitelisted KEXTs. To create a whitelist with VMware AirWatch, list KEXT identifiers in a profile payload.

Retrieve Kernel Extension Identifiers

In order to whitelist a KEXT, you need its bundle and team identifier. With VMware AirWatch, administrators deploy a script to machines as a product to retrieve and populate this information in the AirWatch Console.

  1. Deploy the KEXT Custom Attributes via Products script, which searches three common locations for KEXTs.
  2. The script then writes the Team Identifier and Bundle Identifier directly to the Custom Attributes file on the macOS device.
  3. Next, the AirWatch Agent for macOS sends the list of custom attributes to the AirWatch Console.
  4. In the AirWatch Console, these attributes display at Devices > Staging & Provisioning > Custom Attributes > List View.

    Figure 3: List of KEXT Custom Attributes in the AirWatch Console

Find examples of scripts deployed as products in the VMware AirWatch Product Provisioning of Microsoft Office 2016 for macOS Best Practices guide.

Configure a Kernel Extension Policy Profile

Allow applications and installers that use kernel extensions to load on devices running macOS v10.13.2 and later. Configure the profile, available in AirWatch 9.2.2 and above, one of two ways:

  • Add a list of Team Identifiers – Whitelist all bundles (current and future) signed with the listed Team Identifier.
  • Add a list of Team Identifiers AND Bundle Identifiers – Control which bundle identifiers are allowed to load, and ensure the expected Team Identifier signs them.

    Figure 4: Kernel Extension Policy Profile Payload for macOS Devices

Additional Resources

The following links provide more detail on user-approved kernel extension loading and how to discover or approve KEXTs: