Note: KEXTs have been deprecated as of macOS Big Sur. Apple recommends the use of System Extensions for Big Sur and higher.
Prerequisites
In order to use this functionality, the device must be managed by Addigy MDM and have checked into the Addigy MDM Server properly. For help setting up Addigy MDM, see our article Addigy Mobile Device Management (MDM) Integration. Also, Kext Whitelisting payloads will fail to deploy unless the Addigy MDM Profile has been Approved on the device. To make sure your MDM Profiles are approved, follow our article Approved MDM Profiles.
Configuring the Kernel Extension Payload
- To build a Kext Whitelisting payload, first navigate to Catalog -> MDM Profiles.
- Once you are in the MDM Profiles section in the Catalog, select New.
- Select the "Kernel Extension" MDM Profile from the list that appears.
Obtaining Kext Identifiers
Some software vendors make Bundle IDs and Team IDs available in their documentation. If you don't know the Bundle ID or Team ID for the software you're creating the configuration for, we have a KB article on how to find these manually: How To Get The Team ID, Bundle ID, and Code Requirement
Completing the Payload
If you would like users to be able to manually approve KEXTs other than the ones listed in this profile, ensure the Allow User Overrides setting is checked. If you'd like users who aren't administrators to be able to approve KEXTs manually, ensure the Allow Non Admin User Approvals setting is checked.
Kernel Extensions can be whitelisted by Allowed Team Identifiers or by Allowed Kernel Extensions (you do not need to complete both sections).
Note: If using Allowed Kernel Extensions and your software has multiple Bundle Identifiers, you can add multiple by using a comma (",") to separate them, as shown below:
com.bitdefender.FileProtect, com.bitdefender.SelfProtect, com.bitdefender.TMProtection, com.bitdefender.atc, com.bitdefender.mdredr, com.bitdefender.mdrnet, com.bitdefender.mdrfp, com.bitdefender.devmac, com.bitdefender.EndpointSecurityforMac, BDLDaemon
Once the identifiers are set, select Create Profile to complete the process.
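As an added illustration (not Addigy's code or output), the sketch below builds the policy keys of Apple's `com.apple.syspolicy.kernel-extension-policy` payload from the same inputs as the form above, splitting the comma-separated Bundle ID field and scoping approval to those KEXTs when any are given. The Team ID `ABCDE12345` is a constructed placeholder and the function names are hypothetical; profile wrapper keys such as the payload UUID are omitted.

```python
import plistlib
import re

TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")        # Apple Team IDs: 10 uppercase alphanumerics
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9.\-]+")   # characters permitted in a bundle identifier

def parse_bundle_ids(field):
    """Split the comma-separated field into a clean, de-duplicated list."""
    ids = []
    for raw in field.split(","):
        bundle_id = raw.strip()
        if not bundle_id:
            raise ValueError("empty identifier (stray comma?)")
        if not BUNDLE_ID_RE.fullmatch(bundle_id):
            raise ValueError(f"unexpected characters in {bundle_id!r}")
        if bundle_id not in ids:
            ids.append(bundle_id)
    return ids

def build_kext_policy(team_id, bundle_field="",
                      allow_user_overrides=False, allow_non_admin=False):
    """Return the policy dict; only one of the two allow-list keys is emitted."""
    if not TEAM_ID_RE.fullmatch(team_id):
        raise ValueError(f"not a valid Team ID: {team_id!r}")
    payload = {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowNonAdminUserApprovals": allow_non_admin,
    }
    if bundle_field.strip():
        # Narrow scope: only these KEXTs, and only when signed by this team.
        payload["AllowedKernelExtensions"] = {team_id: parse_bundle_ids(bundle_field)}
    else:
        # Broad scope: every KEXT signed by this team.
        payload["AllowedTeamIdentifiers"] = [team_id]
    return payload

def to_plist(payload):
    """Serialize the policy dict as an XML property list."""
    return plistlib.dumps(payload).decode()

if __name__ == "__main__":
    # Bundle IDs taken from the list above; the Team ID is a constructed placeholder.
    field = "com.bitdefender.FileProtect, com.bitdefender.SelfProtect, BDLDaemon"
    print(to_plist(build_kext_policy("ABCDE12345", field)))
```

Listing Bundle IDs under a Team ID approves only those KEXTs, while a bare Team ID approves everything that vendor signs, so the narrower form is the least-privilege choice when the identifiers are known.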
Deploying the MDM Configuration
MDM Configurations can be added to a policy for deployment: Adding and Removing items from a Policy
They can also be deployed to individual devices via GoLive >> Profiles >> MDM Configurations.