Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

How To Kernel Extension in High Sierra

How To Kernel Extension in High Sierra

Couldn't find an All in One Place regarding Kernel Extension information so here we go. Creating this thread so everyone can Chip In Best Practices. - Link to a thread like this if im wrong about not having a thread like this so we arent redundant

Kernel Extension List - https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=811130646

via gui you can do the following

I believe 10.13 & up you can locate them at /Library/StagedExtensions/Library/Extensions

You can then find the BundleID by right clicking the kernel extension you want & select show package contents, then in contents directory you can open the .plist and view

for Team ID I only know this way - https://technology.siprep.org/getting-the-team-id-of-kernel-extensions-in-macos-10-13-and-higher/

In terminal run

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

then once in db run following command

SELECT * FROM kext_policy;

it will produce the Team ID & associated KEXTS

What are methods / best practices you use?

Like Comment
Order by:
SOLVED Posted: by cyepiz

I've used this before, but lately when I run the commands above the sqlite results come back blank, any ideas? This happens on multiple machines, whereas a couple of weeks ago it wasn't a problem..

Like
SOLVED Posted: by rkelegha

I was looking into this earlier in the year! JSS version 10.6 allows you to deploy a config profile for Kernel extensions. Once you create it and scope if a new Kernel Extention is needed just update already deployed one and it will update all your endpoint.

I'm using this CP for deploying KEXT for SEP 14.2 , Pulse Secure 9.0.2 and NextGen AV

hope this helps

RK

Like
SOLVED Posted: by bountyman

@rkelegha We are on 10.7.1 and have been trying to deploy a couple of KEXT to 10.13.6 machines. The profile gets installed but the extension is never allowed. I entered the right TEAM ID but it just doesn't do what it's supposed to. Do you have any special trick ?

Like
SOLVED Posted: by Hugonaut

@cyepiz thats very strange, could you share some screenshots of your results, are these kexts deployed via JAMF?

if you install a kernel extension locally to a machine, does it show then?

Like
SOLVED Posted: by rkelegha

Please see the attached image ...

Open JSS
Click on Computers
Click on Config profiles
Click "new"
Very last config profile is Allowed Kernel extension

Leave it up to you to play around :)

Like
SOLVED Posted: by rkelegha

Like
SOLVED Posted: by JoshRouthier


@rkelegha Try adding the Bundle ID's listed in the Google Sheet to your Symantec KEXT. Attached is a screenshot of our Approved KEXT's Profile.

Like
SOLVED Posted: by rkelegha

Remove the bundle ID's they are not needed.. just the TEAM ID should do..

rk

Like
SOLVED Posted: by nahrens

You can also run this command to get the team ID of an application. I've had to use it for GlobalProtect VPN.

codesign -dv --verbose=4 /Applications/YourApp.app
Like
SOLVED Posted: by kcsantos

@rkelegha & @JoshRouthier -- Any reason why or why not to leave out the Bundled ID's?

Like
SOLVED Posted: by rkelegha
  1. There a not needed as the TEAM ID will cover all bundles for KEXT 2 . I didnt and it worked for me :)

rk

Like
SOLVED Posted: by trlatimer

Has anyone encountered an issue where they unchecked the "Allow users to approve kernel extensions" and now the option to "Allow" in Security & Privacy no longer appears. I have rechecked the box and pushed it back out but even after restarting I am unable to get the "Allow" to show.

The only fix I have found so far, is to touch every machine and reboot into recovery, go to terminal, and enter "spctl kext-consent disable"

Background: I was trying to make it to where Sophos didn't require the user to click "Allow" after installation. Added the team ID alone didn't fix at first, I disabled the "Allow users to approve kernel extensions" and it stopped appearing. I then ran into the issue on other machines a day or so later where the "Allow" option wouldn't appear at all for software that we didn't already have approved extensions established for.

Any assistance would be great.

Like
SOLVED Posted: by szultzie

So has anybody seen teh Kernel extentions not working after an in place upgrade from 10.13.3 to 10.14.3?

The Config Profile says Completed before I start the upgrade.
I was also thinking maybe because 10.13.3 doesn't know about Kernel Extensions, so then how do you make the timing work?

ANy ideas?

Like
SOLVED Posted: by sshort

@szultzie The kext profile was live in 10.13.4, so that makes sense that you're seeing that issue if the profile is being installed while the user is still on 10.13.3.

If you're using the Jamf-supplied PPPC profile that automatically installs after a user logs into Mojave for the first time post-upgrade, just make a smart group and scope your Kext profile to the presence of the PPPC profile. That should make sure the profile gets there quickly.

Like
SOLVED Posted: by wildfrog

@szultzie Profiles generally only apply their magic once. 10.13.3 didn't know anything about UAKELs so when you pushed the profile to those machines it ignored it. As such, the profile won't magically wake up when you update/upgrade to 10.13.4+. Same with PPPC in 10.14.0+

What we do is scope UAKEL whitelist profiles only to machines ≥10.13.4. PPPC profiles scoped only to ≥10.14.0. The idea is you don't want to push a profile to a machine that doesn't know what to do with it.

Like
SOLVED Posted: by achristoforatos

When trying to send kernel extension payload I get this as the error, any suggestions?

"The profile's payload did not validate properly."

Currently running 10.14.3

Like
SOLVED Posted: by Hugonaut

@achristoforatos "The profile's payload did not validate properly."

have you manually verified the bundle id & team id for the specific application of the kernel extension ?

Like
SOLVED Posted: by achristoforatos

@Hugonaut Thanks for the response. Turns out I had a lower case J. That was the issue. Case sensitive. Thanks for the help.

Like

Jamf would like feedback on User Enrollment and General Settings within your Pro instance!