What are Kernel Extensions?
Addigy Mobile Device Management (MDM) capabilities offer Kernel Extension (Kext) Whitelisting functionality. If you are unsure what Kernel Extension Approvals are in macOS, feel free to review Apple's documentation on Kexts in the following articles:
In order to use this functionality, the device must be managed by Addigy MDM and have checked into the Addigy MDM Server properly. For help setting up Addigy MDM, see our article Addigy Mobile Device Management (MDM) Integration. Also, Kext Whitelisting payloads will fail to deploy unless the Addigy MDM Profile has been Approved on the device. To make sure your MDM Profiles are approved, follow our article Approved MDM Profiles.
Configuring the Kernel Extension Policy
To build a Kext Whitelisting payload, first navigate to Policies -> Catalog -> MDM Configurations.
Once you are in the MDM Configurations section in the Catalog, select New.
Select the Device type macOS for which the Kernel Extensions apply.
Load the appropriate Team ID or Identifiers for the corresponding software. Each piece of software is unique and requires its own identifiers.
Obtaining Kext Identifiers
Finding the software and team identifiers for your software may prove challenging. The MacAdmins community shares an open-source, community-maintained spreadsheet which has many identifiers provided by community members. Addigy cannot guarantee the accuracy or completeness of the community list, but it has proved itself to be a great resource for many Addigy partners.
If your software identifiers are not listed in that sheet, then you will need to find them manually. Here are some good resources for finding the necessary software identifiers:
- ErikNG's Python script to find identifiers
- Alan Siu's article with Bash commands for finding identifiers
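As an added example (not Addigy's code and not either of the scripts linked above), the following shell script reads the Team ID and Bundle ID from the code signature of each kext installed on a Mac and groups the Bundle IDs per team as a comma-separated list. The function names, the scanned directories and the sample signature text are assumptions made for this example.

```shell
#!/bin/bash
# Added example: list Team ID and Bundle IDs of installed third-party kexts.

# Parse `codesign -dv` output (stdin) into "TEAMID<TAB>BUNDLEID".
# Prints nothing when the bundle is unsigned or carries no Team ID.
parse_codesign() {
    awk -F= '
        $1 == "Identifier"     { bundle = $2 }
        $1 == "TeamIdentifier" { team = $2 }
        END {
            if (bundle != "" && team != "" && team != "not set")
                printf "%s\t%s\n", team, bundle
        }'
}

# Collapse "TEAMID<TAB>BUNDLEID" lines into one line per team, with that
# team's Bundle IDs de-duplicated and joined by commas.
group_by_team() {
    sort -u | awk -F'\t' '
        { if ($1 in ids) ids[$1] = ids[$1] "," $2; else ids[$1] = $2 }
        END { for (t in ids) printf "%s\t%s\n", t, ids[t] }' | sort
}

# Walk common third-party kext locations (assumed; adjust for your software).
scan_kexts() {
    for dir in /Library/Extensions "/Library/Application Support"; do
        [ -d "$dir" ] || continue
        find "$dir" -type d -name '*.kext' 2>/dev/null |
        while IFS= read -r kext; do
            # codesign writes signature details to stderr, hence 2>&1
            codesign -dv --verbose=4 "$kext" 2>&1 | parse_codesign
        done
    done | group_by_team
}

if command -v codesign >/dev/null 2>&1; then
    scan_kexts      # on macOS: report what is actually installed
else
    # Off a Mac: run the parser on constructed sample codesign output.
    printf 'Identifier=com.example.driver\nTeamIdentifier=ABCDE12345\n' |
        parse_codesign
fi
```

Compare the reported Team ID with the vendor's documentation before entering it in the payload, since the script only reports what is installed on that machine.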
Deploying the Payload
You can allow either only Team Identifiers or the full Bundle Identifier and Team Identifier (you do not need both).
Note: If you would like the device to still allow approval of other KEXTs manually, ensure the Allow User Overrides setting is checked.
Once the identifiers are set, press Create Configuration to complete the process. Additionally, if your software has multiple Bundle Identifiers, you can add them all by separating them with a comma (,), as in the example below:
After the MDM Configuration is created, assign it to the Policy which requires the Kernel Extension Approvals.
Then confirm the changes in the Deploy Changes section by clicking Confirm All.