Kernel Extension Whitelists

Kernel Extensions provide developers the ability to load code dynamically into the macOS Kernel. This allows access to internal kernel interfaces allowing complex apps to function properly.

About this task

For more information on Kernel Extensions, see Kernel Extension Overview.

If the Kernel Extensions associated with specific applications are whitelisted via macOS MDM, those applications can be installed seamlessly without user intervention or approval.

You can create macOS MDM policies for Kernel Extension Whitelisting of specific applications. You must apply the created Kernel Extension Whitelisting policies before attempting to install those specific applications with kernel extensions.

To create a Kernel Extension Whitelisting policy:

  1. Open the MDM app.
  2. Click Create Policy.
  3. From the list of policy types, select Kernel Extension Whitelists. The following page appears.
  4. Under Generic Settings, enter the following details.
    • Policy Name: Enter a name for the kernel extension whitelisting policy.
    • Description: Enter a description for your policy.
    • Operating System: Cannot be changed as this is applicable only to macOS.
    • Assign Policy to Site: Select a site from the dropdown menu to assign the policy to the selected site. Non-master operators can see only those sites in the dropdown menu to which they have access.
  5. Under Define Kernel Extension Whitelists, enter the Team ID and the Bundle ID.
    • Team ID: Team ID is unique to a specific development team. It is an alphanumeric string, which is the developer’s or vendor’s Developer ID for signing KEXTs certificate identifier.
    • Bundle IDs: Bundle ID is an alphanumeric string that uniquely identifies an application from a specific vendor. You can specify more than one Bundle ID separated by a comma for any given Team ID.
    To identify Team ID and Bundle IDs using sqlite3:
    1. Install the target product on a machine running a supported macOS version.
    2. Let the user manually approve installation of any extensions that are flagged.
    3. Check the SQLite database with the following commands to get Team ID and Bundle ID:
      sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;

      This command will show all the kernel extensions in effect on the machine across all products. You need to locate the ones of interest for whitelisting and create a policy or policies that cover everything you wish to whitelist.

      The output might look similar to: EQHXZ8M8AV|com.google.dfsfuse.filesystems.dfsfuse|1|Google, Inc.|8"

      Where EQHXZ8M8AV is the Team ID and com.google.dfsfuse.filesystems.dfsfuse is the bundle ID.

    Note:
    • To whitelist the kernel extension of an application from a specific vendor, you must specify both the Team ID and the Bundle ID.
    • Do not add multiple entries with the same Team ID, as only the last one in the list will actually be used. If you have multiple apps to whitelist with the same Team ID, add all the Bundle IDs in one entry separated by commas. For example:
      Bundle IDs: BundleID1,BundleID2,BundleID3
  6. Add Kernel Extension: If you want to whitelist more than one product from different vendors within a single policy, click Add Extension to add additional Team ID and Bundle IDs to the same policy.
  7. Click Save. The kernel extension whitelisting is created.