
macOS High Sierra 10.13 introduces a new feature that requires user approval before loading newly-installed third-party kernel extensions.

My apologies, this is likely covered by NDA...moving to BETA forum.

Jamf: any way to mask subject to avoid wrath of Apple? :D:D:D

https://www.jamf.com/jamf-nation/discussions/24744/macos-high-sierra-10-13-introduces-a-new-feature-that-requires-user-approval-before-loading-newly-installed-third-party-kernel-extensions

SOLVED Posted: 7/26/17 at 12:51 PM by nwiseman

http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/

I just sent in feedback to Apple and contacted our Apple TAM about this.

I'd say we all need to do the same. Relying on users to "Allow" something we as Admins are trying to install on their systems is a huge concern. If this is the direction Apple wants to go, that's fine, but there needs to be some way for us to continue doing our jobs.

I may not like SEP, but it has to be on my systems. This new feature is going to make that a much bigger problem than it already is.

SOLVED Posted: 7/26/17 at 2:30 PM by jhbush1973

@donmontalvo I don't think you are breaking NDA based on the location of this: Technical Note TN2459, Secure Kernel Extension Loading

SOLVED Posted: 8/2/17 at 3:44 PM by donmontalvo

Lots of folks are not happy about this...

Done...

SOLVED Posted: 8/21/17 at 1:29 PM by donmontalvo

Hot off the press:

Prepare for changes to kernel extensions in macOS High Sierra
https://support.apple.com/en-us/HT208019

SOLVED Posted: 8/21/17 at 2:32 PM by dgreening

So it sounds like if we have our devices already enrolled in MDM we are good to go? Or are we limited somehow to MDM based distribution?

SOLVED Posted: 8/21/17 at 2:45 PM by emily

In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.

The implication here is that if macOS sees MDM present, it disables SKEL. In a future version, it will be something that MDM can turn on/off/manage and allow whitelisting. I guess we complained loudly enough about it that Apple made some changes.

SOLVED Posted: 9/12/17 at 3:28 PM by bazcurtis

Sorry if this is a silly question. When you say "sees MDM present" does that mean just having the Casper agent installed or the Mac has to be DEP enrolled?

SOLVED Posted: 9/12/17 at 3:34 PM by bpavlov

I think it's relying on the MDM profile.

SOLVED Posted: 9/14/17 at 2:48 AM by bazcurtis

OK, is there a way in Casper to add these blocked Kernel Extensions via policy or script?

SOLVED Posted: 9/14/17 at 8:14 AM by Kaltsas

@bazcurtis

Clients enrolled with an MDM solution revert to 10.12 behavior; there won't be any blocked kexts in 10.13. 10.13 looks at the Mobile Device Management payload for this determination. Currently there is no management per se, other than disabling the functionality by enrolling with MDM. It is expected there will be more functionality added to the MDM framework in the future.

See TN2459 linked above for more information, https://www.jamf.com/jamf-nation/discussions/24743/macos-high-sierra-10-13-introduces-a-new-feature-that-requires-user-approval-before-loading-newly-installed-third-party-kernel-extensions#responseChild150100
