Overview
Starting with macOS High Sierra (10.13.x), Apple requires that all third-party kernel extensions (KEXTs) be explicitly approved by the user. This approval can be performed locally on the Mac or managed centrally via a Mobile Device Management (MDM) policy.
Starting with macOS Big Sur (11.x), Apple has deprecated kernel extensions in favor of System Extensions, which offer improved security and stability. On these newer macOS versions, make sure you are approving and managing System Extensions rather than kernel extensions.
Approving Kernel Extensions on macOS High Sierra (10.13.x)
Local Approval Process
If you're using macOS High Sierra, follow these steps to manually approve a kernel extension:
- Open System Preferences on your Mac.
- Navigate to Security & Privacy and select the General tab.
- Click the lock icon and authenticate as an administrator.
- Find the prompt stating, "System software from developer 'EDR Vendor' was prevented from loading" and click Allow.
- The installer will complete and the sensor will be loaded.
Approving Kernel Extensions via MDM
To streamline the approval process across multiple devices, you can specify the Apple Team ID for your EDR/EPP vendor in your MDM configuration profile. The following are common Apple Team IDs:
- Carbon Black Response/Defense/ThreatHunter: 7AGZNQ2S2T
- CrowdStrike Falcon: X9E956P446
- Endgame: 4FVLCA237T
- Microsoft Defender ATP: UBF8T346G9
This will allow the kernel extensions to be pre-approved during installation without requiring manual user intervention.
Approving System Extensions on macOS Big Sur (11.x) and Later
With macOS Big Sur and later, kernel extensions have been replaced by System Extensions. If you're running a newer version of macOS, follow these steps to approve System Extensions via MDM:
- Update Your MDM Profile: Ensure your MDM configuration profile includes the appropriate System Extension settings and Apple Team ID.
- Deploy to Devices: Push the updated profile to all relevant macOS devices.
- User Approval: Users may need to approve the System Extension by going to System Preferences > Security & Privacy and allowing the extension, similar to the kernel extension process.
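As an added example (not taken from any vendor's or MDM product's documentation), the following script builds a configuration profile that allow-lists a Team ID for both cases described above: Apple's kernel extension policy payload and its System Extension policy payload. The identifier prefix `com.example.edr-approval` and the display name are hypothetical; the Team ID in the sample run comes from the list in this article.

```python
import plistlib
import re
import uuid

# Apple Team IDs are 10 uppercase alphanumeric characters.
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")
# Apple's payload types for kernel extension and System Extension approval.
KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT_POLICY = "com.apple.system-extension-policy"


def _payload(payload_type, org_prefix, extra):
    """Return the common payload keys merged with the policy-specific ones."""
    ident = str(uuid.uuid4()).upper()
    base = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.{ident}",
        "PayloadUUID": ident,
    }
    base.update(extra)
    return base


def build_profile(team_ids, org_prefix="com.example.edr-approval",
                  allow_user_overrides=True):
    """Return .mobileconfig bytes that pre-approve extensions signed by team_ids."""
    bad = [t for t in team_ids if not TEAM_ID_RE.match(t)]
    if bad:
        # Reject typos early: a wrong ID silently approves nothing (or someone else).
        raise ValueError(f"not a valid Apple Team ID: {bad}")
    policy = {
        "AllowedTeamIdentifiers": sorted(set(team_ids)),
        "AllowUserOverrides": allow_user_overrides,
    }
    profile = _payload("Configuration", org_prefix, {
        "PayloadDisplayName": "EDR extension approval",  # hypothetical name
        "PayloadScope": "System",
        "PayloadContent": [
            _payload(KEXT_POLICY, org_prefix, dict(policy)),
            _payload(SYSEXT_POLICY, org_prefix, dict(policy)),
        ],
    })
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Team ID from the list in this article (CrowdStrike Falcon).
    print(build_profile(["X9E956P446"]).decode())
```

Upload the output to your MDM as a custom profile; macOS honors these payloads only when they are delivered by an MDM server, not when the profile is installed by hand.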
Ensuring that your security tools are properly authorized to operate on macOS is critical to maintaining a secure environment. If you need further assistance, please contact support for more specific guidance.