With the release of macOS Big Sur (11.0), Apple has moved further down the road of deprecating kernel extensions (kext) within macOS. Kernel extensions are now referred to as legacy system extensions and require additional configuration to continue working. Apple has posted this support article with additional details about legacy system extensions.


If apps allow for use of the system extensions MDM configuration, we strongly recommend that administrators start moving to the new MDM configuration as legacy system extensions (kext) have limited time left in macOS. 


For administrators that have software that requires the legacy system extensions, this document will go over the updated process and what end users can expect on Big Sur. For this example, we will be using Google Drive File Stream (44.0) on macOS Big Sur (11.2). Changes to Google Drive File Stream and/or Big Sur may require updates to this workflow document in the future.


Experience without Kernel Extensions Policy MDM Configuration

When Google Drive File Stream is first deployed to the device without the kernel extensions MDM Configuration, the end user will get a prompt similar to the image below.


Depending on the user's permission levels on the device, they may be unable to unlock the Security and Privacy pane in System Preferences and allow the "legacy" system extension (kext) to run on the device. The locked preference pane can be seen in the image below.

How to Allow Legacy System Extensions to Run

This section covers the three methods for confirming a legacy system extension on Big Sur.

Not every workflow will work in every case, as they depend on settings on the device and the user's account permissions. Please review the requirements before recommending a workflow to an end user.

Manually Confirm with Administrator Account

Requirements:

  • macOS Big Sur
  • If Apple Silicon, ensure the MDM profile has rights to control kernel extensions
  • Local Administrator Account

Workflow:

  • Deploy software to device
  • Open System Preferences >> Security & Privacy
  • Unlock pane with administrator credentials
  • Click Allow as seen in the image above
  • Restart Mac to load the software extension

Deploy Kernel Extensions MDM Configuration and Allow Standard Users to Accept

Requirements:

  • macOS Big Sur
  • If Apple silicon, ensure the MDM profile has rights to control kernel extensions
  • MDM Configuration for kernel extensions with Allow User Overrides

Workflow:

  • Deploy software to device
  • Deploy MDM configuration with the Allow User Overrides checked
  • Open System Preferences >> Security & Privacy
  • Click Allow as seen in the image above
  • Restart Mac to load the software extension

Deploy Kernel Extensions MDM Configuration and Force Kernel Cache Rebuild

Requirements:

  • macOS Big Sur
  • If Apple silicon, ensure the MDM profile has rights to control kernel extensions
  • MDM Configuration for kernel extensions with Team Identifiers or Kernel Extensions configured

Workflow:

  • Deploy software to device
  • Deploy an MDM configuration that has configured either the Team Identifier, allowing all software from that vendor, or the specific kernel extension to be allowed
  • Navigate to Devices page and click on the device name or GoLive
  • Under the "Device Status" drop-down, select Restart. This will automatically rebuild the kext cache and allow the software to run. Please note that this will reboot the computer as soon as the command is confirmed with the device.
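
The three workflows above differ only in what the kernel extensions MDM configuration permits, so it is worth checking a profile before it is deployed. The following is an added example, not Addigy's or Apple's code: it reads a configuration profile and lists each allowance using Apple's kernel extension policy payload keys (AllowUserOverrides, AllowedTeamIdentifiers, AllowedKernelExtensions). It assumes the Allow User Overrides checkbox maps to AllowUserOverrides; the sample profile and its identifiers are constructed placeholders.

```python
import plistlib

KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"

# Constructed sample profile. TEAMID1234, TEAMID5678 and com.example.vendor.kext
# are placeholders, not real vendor values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
    <key>AllowUserOverrides</key><false/>
    <key>AllowedTeamIdentifiers</key><array><string>TEAMID1234</string></array>
    <key>AllowedKernelExtensions</key><dict>
      <key>TEAMID5678</key><array><string>com.example.vendor.kext</string></array>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_kext_policy(profile_bytes):
    """Return (kind, team_id, bundle_id) for each allowance in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_POLICY:
            continue
        # Reported only when explicitly true: users may approve kexts themselves.
        if payload.get("AllowUserOverrides") is True:
            findings.append(("user-override", None, None))
        # A team identifier allows every kext signed by that vendor.
        for team in payload.get("AllowedTeamIdentifiers", []):
            findings.append(("team-wide", team, None))
        # A bundle identifier under a team allows only that one kext.
        for team, bundles in payload.get("AllowedKernelExtensions", {}).items():
            for bundle in bundles:
                findings.append(("specific", team, bundle))
    return findings


if __name__ == "__main__":
    for kind, team, bundle in audit_kext_policy(SAMPLE_PROFILE):
        print(f"{kind:13} team={team} bundle={bundle}")
```

A "team-wide" finding is the broader grant; where the vendor ships a single kext, the "specific" form limits the approval to that one bundle identifier.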

Apple Silicon (M1) Additional Requirements

Note: As of writing this document, Google Drive File Stream does not work on Apple Silicon; support is expected to release with version 47.0 in April 2021.


For Apple silicon (M1) devices, administrators must ensure that the device can load the kernel extensions MDM configuration. More information about Apple silicon requirements can be found on 

Kernel Extensions and Software Updates Warning on Apple Silicon


If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.