Kernel Extension Whitelists

Kernel Extensions let developers load code dynamically into the macOS kernel. This gives access to internal kernel interfaces that complex apps need in order to function properly.

About this task

For more information on Kernel Extensions, see Kernel Extension Overview.

If the Kernel Extensions associated with specific applications are whitelisted via macOS MDM, those applications can be installed seamlessly without user intervention or approval.

You can create macOS MDM policies for Kernel Extension Whitelisting of specific applications. You must apply the created Kernel Extension Whitelisting policies before attempting to install those specific applications with kernel extensions.

To create a Kernel Extension Whitelisting policy:

  1. Open the MDM app.
  2. Click Create Policy.
  3. Select Kernel Extensions.
  4. Click Settings.

  5. Under Generic Settings, enter the details.
    • Name: Enter a name for the kernel extension whitelisting policy.
    • Description: Enter a description for your policy.
    • Operating System: Cannot be changed as this is applicable only to macOS.
    • Assign Policy to Site: Select a site from the dropdown menu to assign the policy to the selected site. Non-master operators can see only those sites in the dropdown menu to which they have access.
  6. Policy Removal Settings is an optional setting. To automatically remove the policy on a specific date and time, select the Allow Removal checkbox and, in the Auto Removal Date (UTC) text box, enter a date and time.
  7. Under Kernel Extension, enter the Team ID and the Bundle ID.
    • Team ID: The Team ID is unique to a specific development team. It is an alphanumeric string: the certificate identifier of the developer's or vendor's Developer ID used to sign KEXTs.
    • Bundle IDs: Bundle ID is an alphanumeric string that uniquely identifies an application from a specific vendor. You can specify more than one Bundle ID separated by a comma for any given Team ID.
    To identify Team ID and Bundle IDs using sqlite3:
    1. Install the target product on a machine running a supported macOS version.
    2. Let the user manually approve installation of any extensions that are flagged.
    3. Check the SQLite database with the following commands to get Team ID and Bundle ID:
      sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
      SELECT * FROM kext_policy;

      This command will show all the kernel extensions in effect on the machine across all products. You need to locate the ones of interest for whitelisting and create a policy or policies that cover everything you wish to whitelist.

      The output might look similar to: EQHXZ8M8AV|com.google.dfsfuse.filesystems.dfsfuse|1|Google, Inc.|8

      Where EQHXZ8M8AV is the Team ID and com.google.dfsfuse.filesystems.dfsfuse is the bundle ID.

    Note:
    • To whitelist the kernel extension of an application from a specific vendor, you must specify both the Team ID and the Bundle ID.
    • Do not add multiple entries with the same Team ID, as only the last one in the list will actually be used. If you have multiple apps to whitelist with the same Team ID, add all the Bundle IDs in one entry separated by commas. For example:
      Bundle IDs: BundleID1,BundleID2,BundleID3
  8. Add Extension: If you want to whitelist more than one product from different vendors within a single policy, click Add Extension to add additional Team ID and Bundle IDs to the same policy.
  9. Click Save.
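As an added example that is not part of this page or of the MDM product's own tooling, the following shell function turns rows from the sqlite3 query in step 7 into one line per Team ID with all of its Bundle IDs comma-separated, which is the form the note above asks for (one entry per Team ID). The sample rows are constructed; the meaning of the columns (team_id, bundle_id, allowed, developer_name, flags) is assumed from the page's sample output line, and rows with allowed set to 0 are dropped so that only user-approved extensions are carried into a policy. The live query shown in the comment is the page's own command and needs root to read the database.

```shell
#!/bin/sh
# Added example: group approved kext_policy rows by Team ID so that each
# Team ID appears once, with its Bundle IDs joined by commas.

# Constructed sample of sqlite3 output. Column order is assumed to be:
# team_id|bundle_id|allowed|developer_name|flags
SAMPLE_ROWS='EQHXZ8M8AV|com.google.dfsfuse.filesystems.dfsfuse|1|Google, Inc.|8
ABCDEFG123|com.example.vpn.kext|1|Example Corp|1
ABCDEFG123|com.example.firewall.kext|1|Example Corp|1
ZZZZZZZZZZ|com.example.denied.kext|0|Example Corp|0'

# group_by_team: reads pipe-delimited rows on stdin, keeps only rows whose
# allowed column is 1, and prints "TEAMID BUNDLE1,BUNDLE2,..." per Team ID,
# preserving the order in which each Team ID was first seen.
group_by_team() {
    awk -F'|' '
        $3 == "1" {
            if (!($1 in bundles)) {
                order[++n] = $1          # remember first-seen order
                bundles[$1] = $2
            } else {
                bundles[$1] = bundles[$1] "," $2
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                t = order[i]
                print t " " bundles[t]
            }
        }'
}

# On a Mac, feed the real database (page command; root needed to read it):
#   sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy \
#       "SELECT * FROM kext_policy;" | group_by_team

# Run on the constructed sample:
printf '%s\n' "$SAMPLE_ROWS" | group_by_team
```

Each output line maps directly onto one Kernel Extension entry in the policy: the first field is the Team ID and the second field is the comma-separated Bundle IDs value. Rows that the user never approved (allowed = 0) are left out on purpose, because whitelisting them would grant a kernel-code-loading approval that nobody reviewed.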