What are System Extensions?

Addigy Mobile Device Management (MDM) offers System Extensions Whitelisting. Because Kexts are being deprecated on newer macOS versions (Catalina and above), System Extensions allow software (network extensions and endpoint security) to extend functionality without requesting kernel-level access.


Prerequisites

In order to use this functionality, the device must be managed by Addigy MDM and have checked into the Addigy MDM Server properly. For help setting up Addigy MDM, see our article Addigy Mobile Device Management (MDM) Integration. Also, System Extensions Whitelisting payloads will fail to deploy unless the Addigy MDM Profile has been Approved on the device. To make sure your MDM Profiles are approved, follow our article Approved MDM Profiles.


Configuring the System Extensions Policy

To build a System Extensions Whitelisting payload, first navigate to Policies > Catalog > MDM Configurations.



Once you are in the MDM Configurations section in the Catalog, select Add Configuration.



Select the Device type for which the System Extensions apply.



Scroll down to the System Extensions option and select it.



Load the appropriate Team ID or Identifiers for the corresponding software. Each software product is unique and requires its own identifiers. (If you already have the Team ID or Identifiers, skip the next step and go to Deploying the Payload.)


Obtaining System Extensions Identifiers

Finding the correct Identifiers is much easier than you might expect. We’ve written a KB article for you to follow before heading over to the next step.


Creating and Deploying a PPPC Payload


Through the steps above you will be able to obtain the Identifiers as well as the Code Requirement for the specified application.


Deploying the Payload

You can fill out Allowed System Extensions, Allowed System Extensions Types, or Allowed Team Identifiers (only fill out one of them).


Once the identifiers are set, select Create Configuration to complete the process.


Additionally, if your software has multiple Bundle Identifiers, you can add them all by separating them with a comma (,). See the example below:

 

 

After the MDM Configuration is created, assign it to the Policy which requires the Kernel Extension Approvals.

 


Then confirm the changes in the Deploy Changes section by clicking Confirm All.


Lastly, click Deploy Now. A pop-up window will appear, where you click Deploy once more.
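
To see what the choice between Allowed System Extensions and Allowed Team Identifiers means in practice, the added example below (not Addigy's code) builds the payload body with Apple's com.apple.system-extension-policy keys from a comma-separated identifier field and checks which extensions each variant pre-approves. It assumes the Addigy form fields map directly onto those keys; the Team ID and bundle identifiers are constructed placeholders.

```python
import plistlib

# Apple's payload type for the system extension policy.
PAYLOAD_TYPE = "com.apple.system-extension-policy"


def split_identifiers(field):
    """Split a comma-separated form field into a clean, de-duplicated list."""
    seen = []
    for item in field.split(","):
        item = item.strip()
        if item and item not in seen:
            seen.append(item)
    return seen


def build_policy(team_id, bundle_ids_field="", allow_whole_team=False):
    """Build the payload body for one vendor (profile wrapper keys omitted).

    Exactly one allow-list is populated, mirroring "only fill out one of them".
    """
    bundle_ids = split_identifiers(bundle_ids_field)
    if allow_whole_team == bool(bundle_ids):
        raise ValueError("give bundle identifiers or allow_whole_team, not both or neither")
    payload = {"PayloadType": PAYLOAD_TYPE}
    if allow_whole_team:
        payload["AllowedTeamIdentifiers"] = [team_id]
    else:
        payload["AllowedSystemExtensions"] = {team_id: bundle_ids}
    return payload


def is_preapproved(payload, team_id, bundle_id):
    """True if the payload pre-approves this extension for this Team ID."""
    if team_id in payload.get("AllowedTeamIdentifiers", []):
        return True
    return bundle_id in payload.get("AllowedSystemExtensions", {}).get(team_id, [])


# Constructed sample values: placeholder Team ID and bundle identifiers.
TEAM = "ABCDE12345"
FIELD = "com.example.agent.netext, com.example.agent.esext"

if __name__ == "__main__":
    narrow = build_policy(TEAM, FIELD)
    broad = build_policy(TEAM, allow_whole_team=True)
    print(plistlib.dumps(narrow).decode())
    # An extension that was never listed: only the whole-team policy covers it.
    for name, policy in (("per-extension", narrow), ("whole-team", broad)):
        print(name, is_preapproved(policy, TEAM, "com.example.agent.other"))
```

Listing bundle identifiers keeps the approval to the named extensions, while a Team Identifier entry covers every system extension that vendor signs, including ones shipped later.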







If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.