
macOS High Sierra 10.13 introduces a new feature that requires user approval before loading newly-installed third-party kernel extensions.

My apologies, this is likely covered by NDA...moving to BETA forum.

Jamf: any way to mask subject to avoid wrath of Apple? :D:D:D

https://www.jamf.com/jamf-nation/discussions/24744/macos-high-sierra-10-13-introduces-a-new-feature-that-requires-user-approval-before-loading-newly-installed-third-party-kernel-extensions

SOLVED Posted: 7/26/17 at 12:51 PM by nwiseman

http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/

I just sent in feedback to Apple and contacted our Apple TAM about this.

I'd say we all need to do the same. Relying on users to "Allow" something we as Admins are trying to install on their systems is a huge concern. If this is the direction Apple wants to go, that's fine, but there needs to be some way for us to continue doing our jobs.

I may not like SEP, but it has to be on my systems. This new feature is going to make that a much bigger problem than it already is.

SOLVED Posted: 7/26/17 at 2:30 PM by jhbush1973

@donmontalvo I don't think you are breaking NDA based on the location of this. Technical Note TN2459
Secure Kernel Extension Loading

SOLVED Posted: 8/2/17 at 3:44 PM by donmontalvo

Lots of folks are not happy about this...

Done...

SOLVED Posted: 8/21/17 at 1:29 PM by donmontalvo

Hot off the press:

Prepare for changes to kernel extensions in macOS High Sierra
https://support.apple.com/en-us/HT208019

SOLVED Posted: 8/21/17 at 2:32 PM by dgreening

So it sounds like if we have our devices already enrolled in MDM we are good to go? Or are we limited somehow to MDM based distribution?

SOLVED Posted: 8/21/17 at 2:45 PM by emily
In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.

The implication here is that if macOS sees MDM present, it disables SKEL. In a future version, it will be something that MDM can turn on/off/manage and allow whitelisting. I guess we complained loudly enough about it that Apple made some changes.

SOLVED Posted: 9/12/17 at 3:28 PM by bazcurtis

Sorry if this is a silly question. When you say "sees MDM present" does that mean just having the Casper agent installed or the Mac has to be DEP enrolled?

SOLVED Posted: 9/12/17 at 3:34 PM by bpavlov

I think it's relying on the MDM profile.

SOLVED Posted: 9/14/17 at 2:48 AM by bazcurtis

OK, is there a way in Casper to add these blocked Kernel Extensions via policy or script?

SOLVED Posted: 9/14/17 at 8:14 AM by Kaltsas

@bazcurtis

Clients enrolled with an MDM solution revert to 10.12 behavior; there won't be any blocked kexts in 10.13. 10.13 looks at the Mobile Device Management payload for this determination. Currently there is no management per se, other than disabling the functionality by enrolling with MDM. It is expected there will be more functionality added to the MDM framework in the future.

See TN2459 linked above for more information, https://www.jamf.com/jamf-nation/discussions/24743/macos-high-sierra-10-13-introduces-a-new-feature-that-requires-user-approval-before-loading-newly-installed-third-party-kernel-extensions#responseChild150100

SOLVED Posted: 11/3/17 at 9:51 AM by donmontalvo

(duplicate)

SOLVED Posted: 11/3/17 at 11:49 AM by alexjdale

This is absolutely infuriating. We can't be expected to rely on users to take these actions in order to secure our systems with apps that use kernel extensions. I'm mad enough about MDM being forced down our throats, now it has to be MDM installed by the user?

SOLVED Posted: 11/6/17 at 10:57 AM by gachowski

Yep,

Don't think this is going to be easy for Mac Admins.

http://www.openradar.me/35307623

C

Hopefully this will get some more dialogue going and people to reach out to Apple : )

SOLVED Posted: 11/13/17 at 12:54 PM by dmatth01

My apologies if the next question is stupid but after enrolling a Mac I see the JSS MDM profile in Profiles but installing McAfee ENS via policy still pops up the message that McAfee must be approved in Settings. Is there anything I have to do in JSS to disable SKEL or do I need to deploy Mcafee via MDM and not via JSS computer policy. If so, any hints on how to deploy a pkg via MDM?

Thanks,
Dirk

SOLVED Posted: 11/13/17 at 1:00 PM by emily

So long as the MDM is put in place prior to the installer running there should be no prompt… assuming you are on 10.13.1 or .0. There are changes to this behavior in 10.13.2. If you're unfamiliar I recommend reaching out to your local Apple SE and requesting access to the AppleSeed for IT program.

SOLVED Posted: 11/13/17 at 1:33 PM by alexjdale

It's kind of ridiculous they would have a workflow that provides a better result when you upgrade the OS after preparing the system. This entire thing reeks of poor planning and a lack of concern for Enterprise customers.

If I were implementing this, I would have a "first boot only" option where the OS could ingest a config profile file from a specific location and only during the first boot of the OS (so we could use programmatically built DMGs). This profile could disable SKEL (now called UAKEL, apparently) in the same manner as MDM while being secure, since I can only assume they are trying to prevent malware with root access from disabling SKEL silently through an MDM enrollment. Hence the user acceptance requirement.

SOLVED Posted: 11/13/17 at 2:02 PM by dgreening

I definitely reached out to our SE on this one. We aren't in a position (huge global company) where DEP is feasible at this point. We also can't have users essentially "opt out" of security settings distributed via Config Profiles. Please raise hell with your SE if you can! Poor planning indeed!

SOLVED Posted: 11/13/17 at 2:24 PM by dmatth01

Well, I don't have an Apple SE but I do have about 50 Macs and 5000 Windows computers. If the solution is to wait for 10.13.2 I'm fine with that and will just wait. The low number of Macs doesn't justify a fancy deployment process, so we are just wiping them and reinstall from USB in the field or a NetRestore in my case because it is so much faster. After a fresh OS install they enroll in JSS and get the standard software installed as part of the enrollment. The JSS MDM profile should be part of the enrollment but if a restart is required between installing the MDM and disabling SKEL then that would explain why McAfee still fails to install properly.

I will take McAfee out of the enrollment process and see what happens after the first restart. Is there a shell script that would tell if SKEL is enabled?

SOLVED Posted: 11/13/17 at 3:44 PM by alexjdale

I am not aware of a way to check the status of SKEL, but it is a topic I asked about last week: https://www.jamf.com/jamf-nation/discussions/26006/skel-monitoring-reporting-extension-attribute

What I did was create an extension attribute to use kextstat to check on our SEP kexts. If SEP is installed with the process running but the kexts are not loaded, I know there is a problem and it's almost certainly SKEL.

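An added example of the approach alexjdale describes above, written for this page and not his actual extension attribute (which the thread does not reproduce): a Jamf extension attribute script that parses `kextstat` output and reports which expected third-party kexts are not loaded. The bundle IDs `com.example.vendor.kext1` and `com.example.vendor.kext2` are placeholders for whatever your product ships, and the embedded `kextstat` sample is constructed so the parsing can be exercised on any machine. A missing kext is a symptom, not proof of SKEL: the same result shows up if the installer failed or the kext was unloaded for another reason, so treat the EA as a trigger for investigation, not a verdict.

```shell
#!/bin/bash
# Added example (not from the thread): Jamf extension attribute that checks
# whether the third-party kexts a product needs are actually loaded.
# A missing kext on 10.13 is the usual symptom of a SKEL/UAKEL block.

# Bundle IDs expected to be loaded once the product is installed.
# Placeholders (assumption); replace with your vendor's real bundle IDs,
# e.g. taken from `kextstat` on a known-good Mac.
EXPECTED_KEXTS="com.example.vendor.kext1 com.example.vendor.kext2"

# kext_loaded KEXTSTAT_OUTPUT BUNDLE_ID
# Exit 0 if BUNDLE_ID appears as a loaded kext. In kextstat output the
# bundle ID is the sixth whitespace-separated column
# (Index Refs Address Size Wired Name (Version) <Linked Against>).
kext_loaded() {
  printf '%s\n' "$1" | awk -v id="$2" '$6 == id { found = 1 } END { exit found ? 0 : 1 }'
}

# missing_kexts KEXTSTAT_OUTPUT "ID1 ID2 ..."
# Prints the space-separated subset of IDs that are not loaded.
missing_kexts() {
  out="$1"
  missing=""
  for id in $2; do
    kext_loaded "$out" "$id" || missing="$missing $id"
  done
  printf '%s' "${missing# }"
}

# ea_result KEXTSTAT_OUTPUT
# Builds the <result>...</result> string a Jamf extension attribute returns,
# so a smart group can be scoped on "Missing:" and an admin can follow up.
ea_result() {
  m=$(missing_kexts "$1" "$EXPECTED_KEXTS")
  if [ -z "$m" ]; then
    printf '<result>Loaded</result>'
  else
    printf '<result>Missing: %s</result>' "$m"
  fi
}

# Constructed sample of kextstat output for testing off-box: one Apple
# kext and only the first of the two expected vendor kexts are loaded.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   99 0xffffff7f80a00000 0x9e30     0x9e30     com.apple.kpi.bsd (17.2.0)
  135    0 0xffffff7f83a5f000 0x5000     0x5000     com.example.vendor.kext1 (1.0) <5 4 1>'

# When run as an EA on a Mac, report live state; elsewhere (no kextstat),
# do nothing so the functions above can be tested on their own.
if command -v kextstat >/dev/null 2>&1; then
  ea_result "$(kextstat 2>/dev/null)"
  printf '\n'
fi
```

Two follow-up checks worth pairing with this once the EA flags a Mac: on 10.13.4 and later, `spctl kext-consent status` reports whether user consent for kext loading is enabled, and `profiles status -type enrollment` shows whether the Mac is MDM-enrolled and whether that enrollment was user-approved or via DEP, which is the distinction the thread is circling around. Both commands postdate the 10.13.1 timeframe of these posts.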
SOLVED Posted: 11/13/17 at 4:42 PM by jzeles

It appears that regular MDM is not going to work to disable SKEL, it must be DEP-initiated SKEL. In fact, MDM itself does not appear to be trusted or functional until the user approves it (unless, again, it was enabled by DEP). I have no idea how this will be supportable in an enterprise environment. Any MDM that is deployed by ANY method other than DEP appears to require user approval.

SOLVED Posted: 11/15/17 at 4:47 PM by howie_isaacks

This may sound stupid, but I keep reading and hearing about contacting my Apple SE. I have no Apple SE, so how do we get one? I was just told this by Jamf support, and the rep I spoke to was unable to elaborate. I am a managed service provider, not a member of an IT department of a specific company. My clients purchase their Apple products directly from Apple, and sometimes from resellers. Currently, none of them are using DEP, even though I have been trying to convince the larger clients to get on DEP.
