System Extensions allow software such as network extensions and endpoint security tools to extend macOS functionality without requiring kernel-level access. Deploying a System Extensions Device Setting through Addigy silently approves these extensions on managed devices, preventing users from being prompted to allow them manually.
Note: System Extensions are the modern replacement for Kernel Extensions (KEXTs), which have been deprecated since macOS Catalina (10.15). If you are managing devices on macOS Catalina or later, use this profile instead of the KEXT Whitelisting profile.
Prerequisites
- The Team ID and/or Bundle ID(s) for the software you want to approve. See How to Get the Team ID, Bundle ID, and Code Requirement if you need help finding these.
How to Create the Device Setting
- Navigate to Catalog > Device Settings and click New.
- Search for and select System Extensions.
- Enter a Payload Name to identify the Device Setting.
- Choose one of the three approval methods below and enter the appropriate identifiers (you only need to fill out one section).
- Click Create Profile, then assign it to the appropriate policy.
Best practice: Create a separate System Extensions Device Setting for each unique software application rather than combining multiple apps into one. This makes it easier to manage and troubleshoot approvals individually.
Approval Methods
The System Extensions Device Setting offers three ways to approve extensions. You only need to use one.
Allowed System Extensions
Approves specific extensions by Team ID and Bundle ID. Use this for the most granular control — only the exact Bundle IDs you list will be approved.
Enter the Team ID and a comma-separated list of Bundle IDs. For example:
com.bitdefender.FileProtect, com.bitdefender.SelfProtect, com.bitdefender.TMProtection, com.bitdefender.atc, com.bitdefender.mdredr, com.bitdefender.mdrnet, com.bitdefender.mdrfp, com.bitdefender.devmac, com.bitdefender.EndpointSecurityforMac, BDLDaemon
Allowed System Extension Types
Approves all extensions of a specific type (e.g., network extensions, endpoint security extensions) for a given Team ID. Use this when you want to approve a category of extensions from a trusted developer rather than listing individual Bundle IDs.
Allowed Team Identifiers
Approves all System Extensions signed by the specified Team ID, regardless of Bundle ID or extension type. Use this when you fully trust the developer and want to approve everything they publish.
Note: Approving by Team ID alone will allow every Bundle ID associated with that Team ID. For example, if a developer has six Bundle IDs all tied to Team ID AADH234, adding that Team ID will approve all six automatically.
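To review how broad an existing approval is, the following added example (not Addigy's code) parses an exported profile and reports which of the three methods would approve a given extension. It assumes the Device Setting is delivered as Apple's standard com.apple.system-extension-policy payload; the Team IDs and Bundle IDs are constructed placeholders, and the matching logic follows this page's descriptions of the three methods rather than macOS's own evaluation code.

```python
import plistlib

# Constructed sample profile: Team IDs and Bundle IDs are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.system-extension-policy</string>
    <key>AllowedSystemExtensions</key><dict>
      <key>TEAMID0001</key><array><string>com.example.av.fileprotect</string></array>
    </dict>
    <key>AllowedSystemExtensionTypes</key><dict>
      <key>TEAMID0002</key><array><string>NetworkExtension</string></array>
    </dict>
    <key>AllowedTeamIdentifiers</key><array><string>TEAMID0003</string></array>
  </dict></array>
</dict></plist>"""

POLICY_TYPE = "com.apple.system-extension-policy"

def load_policies(profile_bytes):
    """Return every System Extensions policy payload found in a profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == POLICY_TYPE]

def approval_reason(policy, team_id, bundle_id, ext_type):
    """Name the approval method that covers this extension, or None."""
    # Narrowest method first: exact Team ID + Bundle ID pair.
    if bundle_id in policy.get("AllowedSystemExtensions", {}).get(team_id, []):
        return "AllowedSystemExtensions"
    # Next: any extension of an approved type from this Team ID.
    if ext_type in policy.get("AllowedSystemExtensionTypes", {}).get(team_id, []):
        return "AllowedSystemExtensionTypes"
    # Broadest: everything signed by this Team ID.
    if team_id in policy.get("AllowedTeamIdentifiers", []):
        return "AllowedTeamIdentifiers"
    return None

def broad_approvals(policy):
    """List entries that approve more than an explicit Bundle ID."""
    findings = [(team, "every extension from this team")
                for team in policy.get("AllowedTeamIdentifiers", [])]
    for team, types in policy.get("AllowedSystemExtensionTypes", {}).items():
        findings += [(team, "every " + t) for t in types]
    return findings

if __name__ == "__main__":
    for policy in load_policies(SAMPLE_PROFILE):
        for team, scope in broad_approvals(policy):
            print(f"{team}: approves {scope}")
```

Entries reported by broad_approvals are the ones worth checking against the software actually deployed, since they approve Bundle IDs that were never listed explicitly.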
Troubleshooting
If the System Extension is still not being approved after deploying the Device Setting, see FAQ: Issues Allowing App Permissions via Device Settings (PPPC, System Extensions, etc.) for common causes and fixes.