
How To Kernel Extension in High Sierra

Couldn't find an All in One Place regarding Kernel Extension information so here we go. Creating this thread so everyone can Chip In Best Practices. - Link to a thread like this if I'm wrong about not having a thread like this so we aren't redundant.

Kernel Extension List - https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=811130646

Via the GUI you can do the following:

I believe 10.13 & up you can locate them at /Library/StagedExtensions/Library/Extensions

You can then find the BundleID by right-clicking the kernel extension you want & selecting Show Package Contents; then, in the Contents directory, you can open the .plist and view it.

For Team ID I only know this way - https://technology.siprep.org/getting-the-team-id-of-kernel-extensions-in-macos-10-13-and-higher/

In Terminal run:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

Then, once in the db, run the following command:

SELECT * FROM kext_policy;

It will produce the Team ID & associated KEXTs.

What are methods / best practices you use?

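Added example, not part of any post in this thread: a Python sketch that groups the kext_policy rows from the query above by Team ID and builds the two forms an approved-kernel-extensions profile can take (whole Team ID, or Team ID plus specific Bundle IDs). The five-column layout of kext_policy, the sample rows, and the Team IDs and Bundle IDs are constructed assumptions; the payload keys are Apple's com.apple.syspolicy.kernel-extension-policy keys, and the profile-level identifier and UUID keys are left out.

```python
import plistlib
import sqlite3
from collections import defaultdict

# Constructed sample rows. The column layout is an assumption about what
# SELECT * FROM kext_policy returns on 10.13; all IDs are placeholders.
SAMPLE_ROWS = [
    ("TEAMID0001", "com.example.vpn.kext", 1, "Example VPN Inc.", 1),
    ("TEAMID0001", "com.example.vpn.filter", 1, "Example VPN Inc.", 1),
    ("TEAMID0002", "com.example.av.kext", 0, "Example AV LLC", 0),
]

def open_sample_db():
    """In-memory stand-in for /var/db/SystemPolicyConfiguration/KextPolicy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
               "allowed BOOLEAN, developer_name TEXT, flags INTEGER)")
    db.executemany("INSERT INTO kext_policy VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return db

def kexts_by_team(db):
    """Group Bundle IDs (and their local approval state) under each Team ID."""
    teams = defaultdict(lambda: {"developer": "", "bundles": {}})
    for team, bundle, allowed, dev in db.execute(
            "SELECT team_id, bundle_id, allowed, developer_name "
            "FROM kext_policy ORDER BY team_id, bundle_id"):
        teams[team]["developer"] = dev
        teams[team]["bundles"][bundle] = bool(allowed)
    return dict(teams)

def build_payload(teams, whole_team=(), allow_user_overrides=True):
    """Payload body: teams in whole_team are approved by Team ID alone,
    the rest are approved per Bundle ID."""
    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(t for t in teams if t in whole_team),
        "AllowedKernelExtensions": {
            t: sorted(info["bundles"]) for t, info in teams.items()
            if t not in whole_team},
    }

if __name__ == "__main__":
    teams = kexts_by_team(open_sample_db())
    for team, info in teams.items():
        print(team, info["developer"], info["bundles"])
    payload = build_payload(teams, whole_team={"TEAMID0001"})
    print(plistlib.dumps(payload).decode())
```

To read a real machine instead of the sample, pass sqlite3.connect() on the KextPolicy path from the post to kexts_by_team().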
SOLVED Posted: by cyepiz

I've used this before, but lately when I run the commands above the sqlite results come back blank, any ideas? This happens on multiple machines, whereas a couple of weeks ago it wasn't a problem.

SOLVED Posted: by rkelegha

I was looking into this earlier in the year! JSS version 10.6 allows you to deploy a config profile for Kernel extensions. Once you create it and scope it, if a new Kernel Extension is needed just update the already deployed one and it will update all your endpoints.

I'm using this CP for deploying KEXT for SEP 14.2, Pulse Secure 9.0.2 and NextGen AV.

Hope this helps

RK

SOLVED Posted: by bountyman

@rkelegha We are on 10.7.1 and have been trying to deploy a couple of KEXTs to 10.13.6 machines. The profile gets installed but the extension is never allowed. I entered the right TEAM ID but it just doesn't do what it's supposed to. Do you have any special trick?

SOLVED Posted: by Hugonaut

@cyepiz That's very strange. Could you share some screenshots of your results? Are these kexts deployed via JAMF?

If you install a kernel extension locally to a machine, does it show then?

SOLVED Posted: by rkelegha

Please see the attached image ...

Open JSS
Click on Computers
Click on Config profiles
Click "new"
Very last config profile is Allowed Kernel extension

Leave it up to you to play around :)

SOLVED Posted: by JoshRouthier


@rkelegha Try adding the Bundle IDs listed in the Google Sheet to your Symantec KEXT. Attached is a screenshot of our Approved KEXTs Profile.

SOLVED Posted: by rkelegha

Remove the bundle IDs, they are not needed. Just the TEAM ID should do.

rk

SOLVED Posted: by nahrens

You can also run this command to get the team ID of an application. I've had to use it for GlobalProtect VPN.

codesign -dv --verbose=4 /Applications/YourApp.app
SOLVED Posted: by kcsantos

@rkelegha & @JoshRouthier -- Any reason why or why not to leave out the Bundle IDs?

SOLVED Posted: by rkelegha
  1. They are not needed as the TEAM ID will cover all bundles for KEXT
  2. I didn't and it worked for me :)

rk

SOLVED Posted: by trlatimer

Has anyone encountered an issue where they unchecked the "Allow users to approve kernel extensions" and now the option to "Allow" in Security & Privacy no longer appears? I have rechecked the box and pushed it back out but even after restarting I am unable to get the "Allow" to show.

The only fix I have found so far is to touch every machine and reboot into recovery, go to terminal, and enter "spctl kext-consent disable"

Background: I was trying to make it to where Sophos didn't require the user to click "Allow" after installation. Adding the team ID alone didn't fix it at first, so I disabled the "Allow users to approve kernel extensions" and it stopped appearing. I then ran into the issue on other machines a day or so later where the "Allow" option wouldn't appear at all for software that we didn't already have approved extensions established for.

Any assistance would be great.
