System extensions in macOS
A Mac with macOS 10.15 or later enables developers to extend the capabilities of macOS by installing and managing system extensions that run in user space rather than at the kernel level. By running in user space, system extensions increase the stability and security of macOS. Even though kexts inherently have full access to the entire operating system, extensions running in user space are granted only the privileges necessary to perform their specified function.
System extensions support robust management using MDM, including the ability to allow all extensions from a specific developer or of a specific type (like network extensions) to load without user interaction. Optionally, MDM can disallow users from approving their own system extensions from loading.
For a Mac with macOS 12.0.1 or later, a dictionary in the System Extensions payload—called RemovableSystemExtensions
—allows an MDM administrator to specify which apps should be able to remove their own system extensions. No local administrator authentication is required to remove the system extensions. This is especially useful for vendors that may provide automated uninstallers for their apps.
For a Mac with macOS 11.3 through macOS 11.6.4, making changes to a system extension profile directly affects the state of an extension. For example, if an extension is pending approval and a configuration profile is pushed that allows the extension, the extension is allowed to load. Conversely, if an approval is revoked, the system extension is unloaded and marked for removal on the next restart of the Mac. If a system extension tries to unload itself, an interactive authentication dialog appears that requires administrator credentials to authorize the unloading.
Kernel extensions
For a Mac with macOS 11 or later, if third-party kernel extensions (kexts) are enabled, they can’t be loaded into the kernel on demand. They require the user’s approval and restarting of the macOS to load the changes into the kernel, and they also require that the secure boot be configured to Reduced Security on a Mac with Apple silicon.
Developers can use frameworks such as DriverKit and NetworkExtension to write USB and human interface drivers, endpoint security tools (like data loss prevention or other endpoint agents), and VPN and network tools, all without needing to write kexts. Third-party security agents should be used only if they take advantage of these APIs or have a robust road map to transition to them and away from kernel extensions.
Important: Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating system. Users should prefer solutions that don’t require extending the kernel and use system extensions instead.
Adding kexts on an Intel-based or Apple silicon Mac with macOS 11 or later
If you must use kernel extensions, review the approval methods based on enrollment method.
MDM enrollment method | Approval method | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Not enrolled User Enrollment | When a new kext is installed and there’s an attempt to load it, a restart must be initiated by the user from the warning dialog in:
This restart initiates the rebuild of the AuxKC before to the kernel booting. | ||||||||||
Device Enrollment Automated Device Enrollment | Every time a new kext is installed and there’s an attempt to load it, a restart needs to be initiated by either:
Note: A kext allow list profile must first be installed by the MDM solution specifying the kext. A Mac with macOS 11.3 or later optionally allows MDM to notify the user to complete the restart at their convenience. |
Additional steps for adding kexts on a Mac with Apple silicon
If you’re adding kernel extensions on a Mac with Apple silicon, you must take additional steps.
MDM enrollment method | Approval method | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Not enrolled | Kext management by the user requires a restart to recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as an administrator. Only when recoveryOS is entered using the power button press does the Secure Enclave accept the change of policy. The user must then select the checkbox Reduced Security and the option “Allow user management of kernel extensions from identified developers” and restart the Mac. | ||||||||||
User Enrollment | The user must restart into recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as a local administrator. Only when recoveryOS is entered using the power button press does the Secure Enclave accept the change of policy. The user must then select Reduced Security, check “Allow user management of kernel extensions from identified developers,” and restart the Mac. | ||||||||||
Device Enrollment | The MDM solution should notify the user they must restart into recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as an administrator. Only when recoveryOS is entered using the power button press does the Secure Enclave accept the change of policy. The user must then select Reduced Security, check “Allow remote management of kernel extensions and automatic software updates,” and restart the Mac. To learn if this feature is supported for your devices, consult your MDM vendor’s documentation. | ||||||||||
Automated Device Enrollment (The Mac serial number must appear in Apple School Manager or Apple Business Manager, and the Mac must be enrolled in an MDM solution linked to the service.) | MDM solutions can manage this automatically. To learn if this feature is supported for your devices, consult your MDM vendor’s documentation. |
Kernel extensions with System Integrity Protection
If System Integrity Protection (SIP) is enabled, the signature of each kext is verified before being included in the AuxKC.
If SIP is disabled, the kext signature isn’t enforced.
This approach allows Permissive Security flows for developers or users who aren’t part of the Apple Developer Program to test kexts before they’re signed.