
macOS High Sierra 10.13 introduces a new feature that requires user approval before loading newly-installed third-party kernel extensions.

My apologies, this is likely covered by NDA...moving to BETA forum.

Jamf: any way to mask subject to avoid wrath of Apple? :D:D:D

SOLVED Posted: 7/26/17 at 12:51 PM by nwiseman

I just sent in feedback to Apple and contacted our Apple TAM about this.

I'd say we all need to do the same. Relying on users to "Allow" something we as Admins are trying to install on their systems is a huge concern. If this is the direction Apple wants to go, that's fine, but there needs to be some way for us to continue doing our jobs.

I may not like SEP, but it has to be on my systems. This new feature is going to make that a much bigger problem than it already is.

SOLVED Posted: 7/26/17 at 2:30 PM by jhbush1973

@donmontalvo I don't think you are breaking NDA based on the location of this. Technical Note TN2459
Secure Kernel Extension Loading

SOLVED Posted: 8/2/17 at 3:44 PM by donmontalvo

Lots of folks are not happy about this...


SOLVED Posted: 8/21/17 at 1:29 PM by donmontalvo

Hot off the press:

Prepare for changes to kernel extensions in macOS High Sierra

SOLVED Posted: 8/21/17 at 2:32 PM by dgreening

So it sounds like if we have our devices already enrolled in MDM we are good to go? Or are we limited somehow to MDM based distribution?

SOLVED Posted: 8/21/17 at 2:45 PM by emily

In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.

The implication here is that if macOS sees MDM present, it disables SKEL. In a future version, it will be something that MDM can turn on/off/manage and allow whitelisting. I guess we complained loudly enough about it that Apple made some changes.

SOLVED Posted: 9/12/17 at 3:28 PM by bazcurtis

Sorry if this is a silly question. When you say "sees MDM present" does that mean just having the Casper agent installed or the Mac has to be DEP enrolled?

SOLVED Posted: 9/12/17 at 3:34 PM by bpavlov

I think it's relying on the MDM profile.

SOLVED Posted: 9/14/17 at 2:48 AM by bazcurtis

OK, is there a way in Casper to add these blocked Kernel Extensions via policy or script?

SOLVED Posted: 9/14/17 at 8:14 AM by Kaltsas


Clients enrolled with an MDM solution revert to 10.12 behavior, there won't be any blocked kexts in 10.13. 10.13 looks at the Mobile Device Management payload for this determination. Currently there is no management per se, other than disabling the functionality by enrolling with MDM. It is expected there will be more functionality added to the MDM framework in the future.

See TN2459 linked above for more information.

SOLVED Posted: 11/3/17 at 9:51 AM by donmontalvo


SOLVED Posted: 11/3/17 at 11:49 AM by alexjdale

This is absolutely infuriating. We can't be expected to rely on users to take these actions in order to secure our systems with apps that use kernel extensions. I'm mad enough about MDM being forced down our throats, now it has to be MDM installed by the user?

SOLVED Posted: 11/6/17 at 10:57 AM by gachowski


Don't think this is going to be easy for Mac Admins.


Hopefully this will get some more dialogue going and people to reach out to Apple : )

SOLVED Posted: 11/13/17 at 12:54 PM by dmatth01

My apologies if the next question is stupid, but after enrolling a Mac I see the JSS MDM profile in Profiles, but installing McAfee ENS via policy still pops up the message that McAfee must be approved in Settings. Is there anything I have to do in JSS to disable SKEL, or do I need to deploy McAfee via MDM and not via JSS computer policy? If so, any hints on how to deploy a pkg via MDM?


SOLVED Posted: 11/13/17 at 1:00 PM by emily

So long as the MDM is put in place prior to the installer running there should be no prompt… assuming you are on 10.13.1 or .0. There are changes to this behavior in 10.13.2. If you're unfamiliar I recommend reaching out to your local Apple SE and requesting access to the AppleSeed for IT program.

SOLVED Posted: 11/13/17 at 1:33 PM by alexjdale

It's kind of ridiculous they would have a workflow that provides a better result when you upgrade the OS after preparing the system. This entire thing reeks of poor planning and a lack of concern for Enterprise customers.

If I were implementing this, I would have a "first boot only" option where the OS could ingest a config profile file from a specific location and only during the first boot of the OS (so we could use programmatically built DMGs). This profile could disable SKEL (now called UAKEL, apparently) in the same manner as MDM while being secure, since I can only assume they are trying to prevent malware with root access from disabling SKEL silently through an MDM enrollment. Hence the user acceptance requirement.

SOLVED Posted: 11/13/17 at 2:02 PM by dgreening

I definitely reached out to our SE on this one. We aren't in a position (huge global company) where DEP is feasible at this point. We also can't have users essentially "opt out" of security settings distributed via Config Profiles. Please raise hell with your SE if you can! Poor planning indeed!

SOLVED Posted: 11/13/17 at 2:24 PM by dmatth01

Well, I don't have an Apple SE, but I do have about 50 Macs and 5000 Windows computers. If the solution is to wait for 10.13.2 I'm fine with that and will just wait. The low number of Macs doesn't justify a fancy deployment process, so we are just wiping them and reinstalling from USB in the field, or a NetRestore in my case because it is so much faster. After a fresh OS install they enroll in JSS and get the standard software installed as part of the enrollment. The JSS MDM profile should be part of the enrollment, but if a restart is required between installing the MDM and disabling SKEL then that would explain why McAfee still fails to install properly.

I will take McAfee out of the enrollment process and see what happens after the first restart. Is there a shell script that would tell if SKEL is enabled?

SOLVED Posted: 11/13/17 at 3:44 PM by alexjdale

I am not aware of a way to check the status of SKEL, but it is a topic I asked about last week:

What I did was create an extension attribute to use kextstat to check on our SEP kexts. If SEP is installed with the process running but the kexts are not loaded, I know there is a problem and it's almost certainly SKEL.
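One way to build the kextstat-based extension attribute described above, which also answers the earlier question about a shell script to tell whether SKEL is getting in the way. This is an added example, not code from the thread or from Jamf; the bundle IDs and daemon name are hypothetical placeholders to replace with the vendor's real values.

```shell
#!/bin/sh
# Jamf extension attribute, added example (not from the thread or from Jamf):
# report whether the kexts a third-party security agent is expected to load are
# actually loaded. When the agent's daemon is running but its kexts are absent,
# the likely cause on 10.13 is that SKEL/UAKEL blocked them.
# Bundle IDs and daemon name are hypothetical placeholders; use the vendor's real values.
EXPECTED_KEXTS="com.example.agent.filter com.example.agent.network"
AGENT_DAEMON="exampleagentd"

# Read a kextstat listing on stdin and print each expected bundle ID that is
# not loaded. Each whitespace-separated token is compared in full, so a prefix
# such as com.example.agent does not count as a match for com.example.agent.filter.
missing_kexts() {
    listing="$(cat)"
    for id in $EXPECTED_KEXTS; do
        if ! printf '%s\n' "$listing" | awk -v want="$id" '
            { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
            END { exit !found }'; then
            printf '%s\n' "$id"
        fi
    done
}

# Build the <result>...</result> string Jamf stores for the attribute.
# $1: 1 if the daemon is running, 0 otherwise; $2: newline-separated missing IDs.
ea_result() {
    if [ "$1" -eq 0 ]; then
        echo "<result>Agent not running</result>"
    elif [ -z "$2" ]; then
        echo "<result>OK: all expected kexts loaded</result>"
    else
        echo "<result>BLOCKED (likely SKEL/UAKEL): $(printf '%s' "$2" | tr '\n' ' ')</result>"
    fi
}

# On a Mac: -l suppresses the kextstat header; pgrep -x matches the exact process name.
main() {
    if pgrep -x "$AGENT_DAEMON" >/dev/null 2>&1; then running=1; else running=0; fi
    ea_result "$running" "$(kextstat -l 2>/dev/null | missing_kexts)"
}
main
```

Scope it as an extension attribute and a smart group on the BLOCKED result gives you the list of Macs where the agent is present but its kexts never loaded.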

SOLVED Posted: 11/13/17 at 4:42 PM by jzeles

It appears that regular MDM is not going to work to disable SKEL, it must be DEP-initiated SKEL. In fact, MDM itself does not appear to be trusted or functional until the user approves it (unless, again, it was enabled by DEP). I have no idea how this will be supportable in an enterprise environment. Any MDM that is deployed by ANY method other than DEP appears to require user approval.

SOLVED Posted: 11/15/17 at 4:47 PM by howie_isaacks

This may sound stupid, but I keep reading and hearing about contacting my Apple SE. I have no Apple SE, so how do we get one? I was just told this by Jamf support, and the rep I spoke to was unable to elaborate. I am a managed service provider, not a member of an IT department of a specific company. My clients purchase their Apple products directly from Apple, and sometimes from resellers. Currently, none of them are using DEP, even though I have been trying to convince the larger clients to get on DEP.

SOLVED Posted: 1/3/18 at 7:35 PM by beatlemike

Yeah, this is a bit ridiculous, and clearly a power grab to try and make sure enterprise is only buying NIB machines, because Apple refurbs cannot get DEP, and more than likely purchasing from Apple directly now.

I love DEP, but we have tons of machines already in use from before we began purchasing with it, and as a large university I can't control where our departments purchase from, nor can I blame them for saving money on refurbished items. But now we have to handhold the setup of every non-DEP machine beyond just convincing the unenlightened user to just install this "quickadd" thing without asking questions.

Fun stuff.

SOLVED Posted: 1/3/18 at 8:54 PM by gachowski


I don't think it's about money at all... I bet in a year or so you will be able to add Macs to DEP just like you can do now with iPhones... I think it's about security... yes it's a pain, but in a year or two macOS will be significantly more secure.


SOLVED Posted: 1/4/18 at 10:37 AM by beatlemike

@gachowski and in the meantime... we are left with this. This isn't a year or two in the future this is now. And just because I may be able to add Macs to DEP, won't change the fact that to do so to a deployed machine will mean I will have to wipe it, and even to attempt so means prying it from the cold dead hands of faculty and staff who already have them in the wild.

More secure, sure, assuming no more processor flaws or 0day kernel flaws rear their ugly head at that time lol.

You have far more trust in the intentions of corporate America than I, clearly, but this is an issue in the here and now, not the future. My Apple SE is great, but even he said there is nothing to really be done, that's just the state of security on the Mac now.

SOLVED Posted: 1/4/18 at 10:46 AM by howie_isaacks

Since I and my coworkers personally touch each Mac as it's being enrolled using a quickadd package, this has not been as horrible as I thought it would be. The only annoyance has been that I scope a configuration profile that blocks the Profiles preference pane from being opened, so we have to wait to deploy the configuration profile after we have approved the MDM profile.

I asked earlier in this thread how someone goes about getting an Apple SE. I would really appreciate it if someone could answer that question. People keep telling me to talk to my Apple SE and I don't have one!

SOLVED Posted: 1/4/18 at 10:55 AM by beatlemike

@howie_isaacks We do the same with the preference pane blocking, and I had to change how it is deployed as well. With machines where my team sets them up, this is not an issue; however, we could never get to all our older machines if that was the only way to enroll them.

Being an education institution we have just always had an SE. That's all I've worked for since I left Apple. I couldn't tell you where to start to get one; it wouldn't hurt to call Apple yourself.