"System extension blocked" message in High Sierra when installing Kaspersky Endpoint Security

Jesper
New Contributor III

When I install Kaspersky Endpoint Security on High Sierra, I get the "System extension blocked" message.

I know I can go in and allow the kernel extension under System Preferences -> Security & Privacy.
That just keeps me from automating this for the enduser...

Have any of you gone about this new security feature in High Sierra in any clever way, so I don't need to either do it myself on every device, or disable checking kernel extension entirely (which I don't want to do)

Any feedback is highly appreciated.

Thanks.19736fcde8464c3f9c1229098c788c33

1 ACCEPTED SOLUTION

daz_wallace
Contributor III

Hi @Jesper Erik's blog is awesome but was before Apple 'Fixed' the behaviour.

To answer your question, DEP is used to enrol a device in an MDM solution. That's pretty much its purpose, so you should be fine as long as your devices are enrolling correctly with your MDM (I'm guessing Jamf Pro as you're here).

View solution in original post

10 REPLIES 10

bentoms
Release Candidate Programs Tester

@Jesper Please see: this

Jesper
New Contributor III

@bentoms Thanks. I also read this: Link

Do you know if this means I am out of luck (kext wise) if I am about to setup Jamf Pro together with DEP?

Thanks in advance.

daz_wallace
Contributor III

Hi @Jesper

From Ben's link:

For workflows that leverage mobile device management (MDM), all systems with a valid MDM profile installed will not require user approval to load any properly-signed kernel extension.

Jesper
New Contributor III

Hi @daz_wallace

I saw that, thank you.

I was just thrown off by these lines in Erik Gomez' blog post:

WHAT IF I USE DEP AND MDM? As currently architected, enterprise customers using DEP do not have the ability to automatically approve Team IDs or completely disable this feature.

So I am in doubt if it means that it will not work if I use DEP only, or if it also does not work if I use DEP and MDM.

daz_wallace
Contributor III

Hi @Jesper Erik's blog is awesome but was before Apple 'Fixed' the behaviour.

To answer your question, DEP is used to enrol a device in an MDM solution. That's pretty much its purpose, so you should be fine as long as your devices are enrolling correctly with your MDM (I'm guessing Jamf Pro as you're here).

Jesper
New Contributor III

Hi @daz_wallace ,

Thanks a lot for confirming this. It makes sense.
I understand the purpose of DEP, but just wanted to be sure, as I am in the design fase about our Jamf Pro/Mac/DEP setup.
Havent setup our Jamf instance yet, so had only non-MDM Macs to test our software on.

Being new to this community, I must say it lives up to its reputation of being awesome :-)

Ill mark your reply as the answer.

Thanks again.

daz_wallace
Contributor III

@Jesper No worries, Glad we could help.

Might be worth joining the (free) Mac Admins Slack instance if you'd prefer / also like a more 'chat-based' collaboration - http://macadmins.org

KyleEricson
Valued Contributor II

Looks like Sophos Av is blocked. I was already enrolled in MDM before 10.13.4 and now I get this with Sophos AV.
83669ab7e2d948c18f121db9aa01f32c

Read My Blog: https://www.ericsontech.com

alexjdale
Valued Contributor III

Yep, Apple only delayed this issue when they had earlier versions of High Sierra automatically disable UAKEL when MDM was enrolled/approved. UAKEL is re-enabled in 10.13.4 for all systems regardless of MDM status and you have to push a kernel policy whitelist profile.

David_Li
New Contributor

On OSMojave I have Sophos Whitelisted in Approved Kexts but Security and Privacy still says blocked... Did i miss something in JAMF?