With the release of macOS Big Sur (11.0), Apple has moved further down the road of deprecating kernel extensions (kext) within macOS. Kernel extensions are now referred to as legacy system extensions and require additional configuration to continue working. Apple has posted this support article with additional details about legacy system extensions.
Note: If apps support the system extensions MDM configuration, we strongly recommend that administrators start moving to this new MDM configuration, as legacy system extensions (kexts) have limited time left in macOS.
For administrators that have software that requires the legacy system extensions, this document will go over the updated process and what end users can expect on Big Sur. For this example, we will be using Google Drive File Stream (44.0) on macOS Big Sur (11.2). Changes to Google Drive File Stream and/or Big Sur may require updates to this workflow document in the future.
Experience without Kernel Extensions Policy MDM Configuration
When Google Drive File Stream is first deployed to the device without the kernel extensions MDM Configuration, the end user will get a prompt similar to the image below.
Depending on the user's permission levels on the device, they may be unable to unlock the Security & Privacy pane in System Preferences and allow the "legacy" system extension (kext) to run on the device. The locked preference pane can be seen in the image below.
How to Allow Legacy System Extensions to Run
This section covers the three methods for confirming a legacy system extension on Big Sur.
Not every workflow will work in every case, as each depends on settings on the device and the user's account permissions. Please review the requirements before recommending a workflow to an end user.
Manually Confirm with the Administrator Account
Requirements:
- macOS Big Sur
- If Apple silicon, ensure the MDM profile has rights to control kernel extensions
- Local Administrator Account
Workflow:
- Deploy software to device
- Open System Preferences >> Security & Privacy
- Unlock pane with administrator credentials
- Click Allow as seen in the image above
- Restart Mac to load the software extension
Deploy Kernel Extensions MDM Configuration and Allow Standard Users to Accept
Requirements:
- macOS Big Sur
- If Apple silicon, ensure the MDM profile has rights to control kernel extensions
- MDM Configuration for kernel extensions with Allow User Overrides
Workflow:
- Deploy software to device
- Deploy MDM configuration with the Allow User Overrides checked
- Open System Preferences >> Security & Privacy
- Click Allow as seen in the image above
- Restart Mac to load the software extension
Deploy Kernel Extensions MDM Configuration and Force Kernel Cache Rebuild
Requirements:
- macOS Big Sur
- If Apple silicon, ensure the MDM profile has rights to control kernel extensions
- MDM Configuration for kernel extensions with Team Identifiers or Kernel Extensions configured
Workflow:
- Deploy software to device
- Deploy an MDM configuration that has configured either the Team Identifier, which allows all software from that vendor, or the specific kernel extension to be allowed
- Navigate to the Devices page and click on the device name or GoLive
- Under the "Device Status" drop-down, select Restart. This will automatically rebuild the kext cache and allow the software to run. Please note that this will reboot the computer as soon as the command is confirmed with the device.
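The two MDM-based workflows above differ in how much they permit: user overrides, a whole vendor by Team Identifier, or one specific kernel extension. The following added example (not part of the original document or of any vendor tooling) audits an unsigned configuration profile for those three settings using the key names from Apple's kernel extension policy payload; the profile, team IDs and bundle ID are constructed placeholders.

```python
import plistlib

KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"

# Constructed sample profile; team IDs and the bundle ID are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key>
    <string>com.apple.syspolicy.kernel-extension-policy</string>
    <key>AllowUserOverrides</key><true/>
    <key>AllowedTeamIdentifiers</key>
    <array><string>TEAMID0000</string></array>
    <key>AllowedKernelExtensions</key><dict>
      <key>TEAMID0001</key>
      <array><string>com.example.vendor.kext</string></array>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_kext_policy(profile_bytes):
    """Summarise what the kext policy payloads in a profile permit."""
    profile = plistlib.loads(profile_bytes)
    # user_overrides stays None when no payload sets the key explicitly.
    summary = {"user_overrides": None, "team_wide": [], "specific": {}}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_POLICY:
            continue  # ignore unrelated payloads in the same profile
        if "AllowUserOverrides" in payload:
            summary["user_overrides"] = bool(payload["AllowUserOverrides"])
        summary["team_wide"] += payload.get("AllowedTeamIdentifiers", [])
        allowed = payload.get("AllowedKernelExtensions", {})
        for team, bundles in allowed.items():
            summary["specific"].setdefault(team, []).extend(bundles)

    findings = []
    if summary["user_overrides"]:
        findings.append("users can approve kexts the profile does not list")
    for team in summary["team_wide"]:
        findings.append(f"every kext signed by team {team} is allowed")
        if team in summary["specific"]:
            # A team-wide entry already covers its individual bundle IDs.
            findings.append(f"per-kext entries for {team} are redundant")
    return summary, findings
```

An empty findings list means the profile allows only the individually listed kernel extensions, which is the narrowest of the three options.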
Apple Silicon (M1) Additional Requirements
For Apple silicon (M1) devices, administrators must ensure that the device can load the kernel extensions MDM configuration. More information about Apple silicon requirements can be found on
Kernel Extensions and Software Updates Warning on Apple Silicon