System extension changes in macOS Sequoia
With the release of macOS Sequoia, admins will see changes to system extensions on managed devices. Find out what this means for your device fleet.
When Apple releases a new Mac operating system, admins need to make sure any new MDM-supported features fit into their workflows. In macOS 15 — which Apple announced will ship on September 16 — Apple has introduced a number of new features that admins should be made aware of. This blog discusses important changes to system extensions in macOS 15 and how Jamf can help. Note: All feature support discussed in this blog is based on testing with the latest Apple beta releases.
Changes to system extensions in macOS Sequoia
In macOS 14 and earlier, system extensions were hidden from users. When installed via MDM, these extensions were difficult for users to remove. However, in macOS Sequoia, this is no longer the case — administrator users can remove or disable system extensions from System Settings or Finder, even if a profile restricting this for previous macOS versions is on the device.
Apple announced two new keys for the existing System Extensions configuration profile payload type during the macOS 15 beta cycle:
- NonRemovableFromUISystemExtensions
- NonRemovableSystemExtensions
These keys, when deployed to macOS 15 and later, can prevent users from disabling a specific system extension in System Settings.
Why this change matters
There are a number of system extensions — such as endpoint security extensions like Jamf Protect — that need to remain on devices for them to be managed and secured successfully; in other words, it’s crucial that end users cannot remove them.
How this affects your fleet will depend on what OS they are running.
macOS 14 and lower
Your current implementation should work. Note that end users may be able to remove system extensions through Finder, unless they have Jamf Protect’s Tamper Prevention enabled.
macOS Sequoia
Once devices are updated to macOS Sequoia (and not before), the new non-removable keys should be scoped to these devices. This applies for any security tool or application with a system extension.
Deploying the new system extension keys with Jamf Pro
With the release of Jamf Pro 11.9.1, IT administrators can create and deploy additional configuration profiles to make specific system extensions non-removable in macOS 15 Sequoia*; this includes the ability to set the Jamf Protect endpoint security extension as non-removable in the UI of the System Settings app.
Since earlier versions of macOS will not recognize the new profile keys, Jamf recommends a layered approach to profile installation to enforce an extension to be non-removable:
- Keep existing system extension configuration profiles deployed and scoped to all computers that are compatible with the extension. (This applies to profiles managing either Jamf Protect or an endpoint security extension from a different vendor.)
- Create and install a new system extension configuration profile that only contains the “non-removable” keys required for the extension. This profile, or multiple profiles if managing multiple extensions, should be targeted and scoped to a Smart Computer Group that only includes computers running macOS 15 or later.
While a Smart Computer Group can use multiple criteria to define membership, your group should include the criterion Operating System Version with an operator of greater than or equal to the value 15, as shown in the screenshot below:
Create and deploy a new system extensions configuration profile to computers running macOS 15 or later with Jamf Pro 11.9.1
To learn about Jamf Pro upgrade availability, check out the upgrade schedule in Jamf Nation.
Now that a target Smart Computer Group has been created, a configuration profile can be created using the system extensions payload.
In this example, Jamf Protect will be configured to be non-removable in macOS 15 or later. If configuring non-removable settings for another endpoint security product, the instructions may be different; please contact your software vendor for more guidance and information.
- Navigate to Computers > Configuration Profiles and create a New profile.
- Name the profile in the General category of the profile with a descriptive title.
- Select the System Extensions payload and click Configure to continue.
- (Optional) Enter a Display Name to identify the profile to other Jamf Pro administrators.
- To disallow users from disabling an extension from the System Settings app, choose the Non-removable system extensions from UI option from the System Extension Types menu.
- Enter the Team Identifier for the extension. For Jamf Protect, enter 483DWKW443 in this field.
- Click the +Add button to enter the name of the extension. For Jamf Protect, enter com.jamf.protect.security-extension in this field, then click the Save button to the right of the text field.
When configured with these values, the profile payload should look similar to the screenshot below:
- Choose your targets for this new profile by navigating to the Scope tab, and select the Smart Computer Group that was previously created for computers with macOS 15 or later.
- Save the profile.
Devices managed with Jamf Pro use the Declarative Device Management (DDM) status channel to autonomously send their updated operating system version to Jamf Pro as soon as an update is complete. This means that one can expect the following process to occur to immediately install the new profiles as soon as they are compatible with the computer:
- Computers will report the new macOS version immediately after upgrading to macOS 15.
- Jamf Pro will calculate Smart Computer Group membership without a scheduled “full” inventory update, and the computer will report as running macOS 15 or later.
- New profiles for non-removable System Extensions will be queued to install.
*Feature support is based on testing with the latest Apple beta releases.
If you use Jamf Protect, see the documentation on how to make Jamf Protect a non-removable system extension.
Troubleshooting
System Extension profile reminders
- If you’re installing multiple System Extension profiles that contain conflicting values for the same setting, such as “Allow users to approve system extensions,” the most restrictive setting will apply.
- Profile installation will fail if system extension profiles for a specific extension contain both “Non-removable system extensions” and “Removable system extensions” settings defined for the same extension.
- Profiles configured with “Non-removable system extensions from the UI” settings for an extension can successfully be installed when also configured with “Removable system extensions” settings.
- When using a non-Jamf extension, please consult the vendor of the System Extension for additional profile guidance for macOS 15 support.
Can these new profile keys be deployed using a version of Jamf Pro earlier than 11.9.1?
Yes. The same profile deployment guidance can apply to earlier versions of Jamf Pro by uploading a signed configuration profile and deploying it as a “read-only” profile to preserve the new non-removable settings for deployment.
For additional information on creating a signing certificate using the Jamf Pro built-in CA, check out our documentation.
How do I get a device back in a compliant state if an end user upgraded to macOS Sequoia before the new profile was available?
If Jamf Protect’s Tamper Prevention feature is enabled, the agent/system extension will automatically restart when the application’s scheduled repair runs (every 15 minutes).
For organizations not using this feature, Jamf Protect’s functionality can be restored by running the Jamf Protect uninstall package and then redeploying the install package.
How do I identify computers that may have a disabled extension?
A Jamf Pro extension attribute can be used to collect the status of a system extension. Using the ‘systemextensionsctl list’ command via the command line or in the Terminal app will indicate if a system extension is activated/disabled or activated/enabled.
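The extension attribute described above, written out as an added example (not Jamf's own script): it reads `systemextensionsctl list`, picks out the row for the Jamf Protect extension by the team ID and bundle ID given earlier in this post, and returns the bracketed state so a Smart Computer Group can match on "activated disabled". The sample listing embedded for offline use is constructed and its column layout is approximated; only the bundle ID and the trailing "[state]" field are relied upon.

```shell
#!/bin/sh
# Added example (not Jamf's own extension attribute): report the state of the
# Jamf Protect system extension from `systemextensionsctl list` output.
# Team ID and bundle ID are the values given in the blog post above.
TEAM_ID="483DWKW443"
BUNDLE_ID="com.jamf.protect.security-extension"

# Constructed sample of `systemextensionsctl list` output for offline use; the
# column layout is approximated, only the bundle ID and the trailing
# "[state]" field are relied upon. The second entry is a fictitious vendor.
SAMPLE_OUTPUT='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 483DWKW443 com.jamf.protect.security-extension (5.0.0/5.0.0) JamfProtectSecurityExtension [activated enabled]
* - EXAMPLE123 com.example.agent.endpoint (1.0/1.0) ExampleAgent [activated disabled]'

# extension_state LISTING TEAM_ID BUNDLE_ID
# Prints the bracketed state of the matching extension ("activated enabled",
# "activated disabled", ...) or "not found" if no row matches.
extension_state() {
    printf '%s\n' "$1" | awk -v team="$2" -v bundle="$3" '
        index($0, team) && index($0, bundle) && index($0, "[") {
            s = $0
            sub(/.*\[/, "", s)   # drop everything up to the last "["
            sub(/\].*/, "", s)   # drop the closing "]" and anything after
            print s; found = 1; exit
        }
        END { if (!found) print "not found" }'
}

# Use the live listing on a Mac; fall back to the constructed sample elsewhere.
if command -v systemextensionsctl >/dev/null 2>&1; then
    LISTING=$(systemextensionsctl list)
else
    LISTING="$SAMPLE_OUTPUT"
fi

# Jamf Pro extension attributes return their value inside <result> tags; a
# Smart Computer Group can then match on "activated disabled".
printf '<result>%s</result>\n' "$(extension_state "$LISTING" "$TEAM_ID" "$BUNDLE_ID")"
```

Scope the remediation workflow (Tamper Prevention repair, or uninstall and reinstall) to the Smart Computer Group built on this attribute's "activated disabled" value.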
Stay on top of updates with Jamf
For Apple admins, software updates are time-sensitive and can introduce changes to device management and security. Providing same-day support means customers can reap the benefits of Apple’s latest innovations, while knowing critical management and security workflows will remain intact. Jamf designs its offerings to enable easy adoption of the latest MDM features that are critical for Jamf’s customer base.
Learn more about why same-day support matters.