This article is intended for system administrators at businesses and educational organisations.
About system extensions in macOS
System extensions on macOS Catalina 10.15 and later allow software, such as network extensions and endpoint security solutions, to extend the functionality of macOS without requiring kernel-level access. Find out how to install and manage system extensions in user space instead of the kernel.
Legacy system extensions, also known as kernel extensions or kexts, execute in a highly privileged mode of the system. Starting with macOS High Sierra 10.13, a kernel extension must be approved by an administrator account or a Mobile Device Management (MDM) profile before it can load.
macOS Big Sur 11.0 and later allows management of legacy system extensions for both Intel-based Mac computers and Mac computers with Apple silicon.
How to manage legacy system extensions
Kernel extensions that use previously deprecated and unsupported KPIs (kernel programming interfaces) no longer load by default. You can use MDM to modify the default policies so that the periodic dialogues are not shown and the kernel extensions are allowed to load. For Mac computers with Apple silicon, you must change the security policy first.
To install a new or updated kernel extension in macOS Big Sur, you can do either one of the following:
- Instruct the user to follow the prompts within Security & Privacy preferences to allow the extension, then restart their Mac. You can permit users who are not administrators to allow the extension using the AllowNonAdminUserApprovals key in the Kernel Extension Policy MDM payload.
- Send the RestartDevice MDM command and set the
Whenever the set of approved kernel extensions changes, either after initial approval or if the version is updated, a restart is required.
Additional requirements for Mac computers with Apple silicon
Mac computers with Apple silicon require kernel extensions to be compiled with an arm64e slice.
Before you can install a kernel extension on a Mac computer with Apple silicon, the security policy must be changed in one of the following ways:
- If you have devices enrolled in MDM with Automated Device Enrolment, you can authorise remote management of kernel extensions automatically and change the security policy.*
- If you have devices enrolled into MDM with Device Enrolment, a local administrator can change the security policy manually in macOS Recovery and authorise remote management of kernel extensions and software updates. Additionally, an MDM administrator can advise the local administrator to make this change by setting PromptUserToAllowBootstrapTokenForAuthentication in MDMOptions or by setting the same key in the MDM profile.*
- If you have non-MDM devices or devices enrolled into MDM with User Enrolment, a local administrator can change the security policy manually in macOS Recovery and authorise user management of kernel extensions and software updates.
* The MDM must also support a bootstrap token. Additionally, the client must send the bootstrap token to the MDM server before the MDM tries to perform an operation that requires it.