Whitelist Kernel Extensions

To improve security on the Mac, kernel extensions installed with or after the installation of macOS High Sierra require user consent in order to load. This is known as User Approved Kernel Extension Loading. Any user can approve a kernel extension, even if they don’t have administrator privileges.

Kernel extensions don't require authorization if they:

  • Were on the Mac before the upgrade to macOS High Sierra.
  • Are replacing previously approved extensions.
  • Are allowed to load without user consent by using the spctl command while booted to macOS Recovery.
  • Are installed on a Mac enrolled in Mobile Device Management (MDM). At this time, enrolling in MDM automatically disables User Approved Kernel Extension Loading. This behavior will change in spring 2018.
  • Are allowed to load via MDM configuration. Starting with macOS High Sierra 10.13.2, you can use MDM to specify a list of kernel extensions which will load without user consent. This option requires a Mac running macOS High Sierra 10.13.2 which is either enrolled in MDM via the Device Enrollment Program or whose MDM enrollment is User Approved.

How to whitelist Kernel Extensions in Jamf School?

  • In Jamf School go to Profiles and create a new macOS profile. Make sure you scope the profile to devices that are enrolled using User Approved Enrollment.
  • In the profile settings, click on "Kernel Extension Loading" and click on "Configure".
  • Enter all Team IDs and/or Bundle IDs you want to whitelist. A kernel extension can be whitelisted in one of three ways, by specifying:
    1. the Team Identifier that signed the kernel extension
      e.g. EG7KH642X6
    2. the Team Identifier and Bundle Identifier of a specific kernel extension, separated with a comma
      e.g. EG7KH642X6 and com.vmware.kext.vmnet,com.vmware.kext.vmci
    3. or only the Bundle Identifier of a specific un-signed kernel extension


Where can I find the Team Identifier and/or Bundle Identifier?

The first thing you will want to do is to get a clean install of High Sierra (not an upgrade) and install all the Kexts you need. Click "OK" on the prompt and navigate to System Preferences -> Security and click on the Allow button.

Once all of your Kexts are loaded, start the Terminal and open up the database that actually stores all of this information by typing:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

Once done, type:

SELECT * FROM kext_policy;

You will see the Team ID, the bundle ID for each individual extension and the display name of the developer. Note down the Team ID (the first item) - you will need all the IDs for the extensions you wish to whitelist.
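As an added example (not part of this article or of Jamf School), the script below runs the same query against a constructed, in-memory copy of the kext_policy table and groups the approved rows into the whitelist forms described above: a Team ID with its Bundle IDs, or the Bundle ID alone for an unsigned extension. The column layout and the sample rows are assumptions; the two VMware bundle IDs are the ones quoted earlier on this page.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

# Real location on macOS High Sierra (readable only by root); this example never opens it.
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Assumed column layout of kext_policy, matching what `.schema kext_policy` shows.
SCHEMA = """CREATE TABLE kext_policy (
    team_id TEXT, bundle_id TEXT, allowed BOOLEAN, developer_name TEXT, flags INTEGER,
    PRIMARY KEY (team_id, bundle_id))"""

# Constructed sample rows: two approved VMware kexts, one the user never allowed,
# and one unsigned kext (no Team ID) that must be whitelisted by Bundle ID only.
SAMPLE_ROWS = [
    ("EG7KH642X6", "com.vmware.kext.vmnet", 1, "VMware, Inc.", 1),
    ("EG7KH642X6", "com.vmware.kext.vmci", 1, "VMware, Inc.", 1),
    ("EG7KH642X6", "com.vmware.kext.vmx86", 0, "VMware, Inc.", 1),   # constructed: not approved
    (None, "com.example.unsigned.kext", 1, None, 1),                 # constructed: unsigned kext
]


def open_constructed_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for KextPolicy so the query can run off a Mac."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def approved_kexts(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Return (team_id, bundle_id) only for rows the user actually approved (allowed = 1).
    Rows with allowed = 0 are prompts the user dismissed and must not end up in the profile."""
    cur = conn.execute(
        "SELECT team_id, bundle_id FROM kext_policy WHERE allowed = 1 ORDER BY team_id, bundle_id"
    )
    return [(team or "", bundle) for team, bundle in cur.fetchall()]


def profile_entries(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group Bundle IDs under their Team ID; the empty key collects unsigned kexts."""
    entries: Dict[str, List[str]] = {}
    for team, bundle in rows:
        entries.setdefault(team, []).append(bundle)
    return entries


def format_entries(entries: Dict[str, List[str]]) -> List[str]:
    """Render one line per Team ID in the 'TeamID: bundle,bundle' form used by the profile."""
    return [f"{team}: {','.join(b)}" if team else f"(unsigned) {','.join(b)}"
            for team, b in sorted(entries.items())]
```

On a real Mac, point the script at a copy of the database taken with sudo rather than at the live file.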