
Kernel Extension Policy MDM payload settings for Apple devices
You can configure kernel extension policies to manage security settings for users of a Mac enrolled in a mobile device management (MDM) solution. Use the Kernel Extension Policy payload to allow Mac users to add kernel extensions.
Important: Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating system and users should prefer solutions that don’t require extending the kernel.
The Kernel Extension Policy payload supports the following. For more information, see Payload information.
Supported approval method: Requires user approval.
Supported installation method: Requires an MDM solution to install.
Supported payload identifier: com.apple.syspolicy.kernel-extension-policy
Supported operating systems and channels: macOS device.
Supported enrolment methods: Device Enrolment, Automated Device Enrolment.
Duplicates allowed: True — more than one Kernel Extension Policy payload can be delivered to a device.
You can use the settings in the table below with the Kernel Extension Policy payload.
Setting | Description | Required
---|---|---
Allow users to approve kernel extensions | Users can approve kernel extensions not explicitly allowed by configuration profiles. | Yes
Add team identifiers | Team identifiers define which validly signed kernel extensions are allowed to load. | Yes
Allowed kernel extensions | Kernel extensions that are always allowed to load on the Mac. | Yes
Note: Each MDM vendor implements these settings differently. To learn how various Kernel Extension Policy settings are applied to your devices, consult your MDM vendor’s documentation.
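The three table settings map onto the payload keys `AllowUserOverrides`, `AllowedTeamIdentifiers` and `AllowedKernelExtensions` in Apple's Configuration Profile Reference. The following is an added example (not Apple's code or part of this page) that builds a device-scoped profile carrying this payload, validates Team ID format, and audits a profile for the permissive setting; the Team ID `ABCDE12345`, the bundle ID `com.example.driver` and the profile identifier are constructed placeholders.

```python
import plistlib
import re
import uuid

PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")  # Apple Team IDs are 10 alphanumeric characters

def build_kext_policy(allow_user_overrides, team_ids, allowed_kexts):
    """One Kernel Extension Policy payload: team_ids may load any validly signed kext;
    allowed_kexts maps Team ID -> list of kext bundle IDs that are always allowed."""
    for tid in list(team_ids) + list(allowed_kexts):
        if not TEAM_ID_RE.match(tid):
            raise ValueError(f"malformed Team ID: {tid!r}")
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": bool(allow_user_overrides),  # "Allow users to approve kernel extensions"
        "AllowedTeamIdentifiers": sorted(set(team_ids)),   # "Add team identifiers"
        "AllowedKernelExtensions": {t: sorted(set(b)) for t, b in allowed_kexts.items()},  # "Allowed kernel extensions"
    }

def wrap_profile(payloads, identifier="com.example.kext-policy"):
    """Wrap payloads in a System-scoped profile (device channel) and serialise as .mobileconfig XML."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,  # constructed placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        "PayloadContent": list(payloads),
    })

def audit_profile(mobileconfig_bytes):
    """Return one finding per Kernel Extension Policy weakness (empty list means strict)."""
    findings = []
    for payload in plistlib.loads(mobileconfig_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != PAYLOAD_TYPE:
            continue
        if payload.get("AllowUserOverrides") is True:  # only an explicit True is flagged
            findings.append("users may approve kexts that are not allow-listed")
        if not payload.get("AllowedTeamIdentifiers") and not payload.get("AllowedKernelExtensions"):
            findings.append("payload allow-lists no Team IDs and no kexts")
    return findings
```

`audit_profile` is useful for checking exported profiles before deployment: a policy that sets `AllowUserOverrides` to true leaves approval of unlisted kexts to the user, which is the permissive configuration the table's first row describes.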