Prepare for changes to kernel extensions in macOS High Sierra

If you’re a system administrator, use this information to prepare for changes to kernel extensions when upgrading your institution to macOS High Sierra.

To improve security on Mac, kernel extensions installed with or after the installation of macOS High Sierra require user consent to load. This is known as User Approved Kernel Extension Loading. Any user can approve a kernel extension, even if they don’t have administrator privileges.

These kernel extensions don't require approval:

  • Extensions that were installed before upgrading to macOS High Sierra
  • Extensions that are replacing previously approved extensions
  • Extensions that are allowed to load without user consent by using the spctl command while started up from macOS Recovery
  • Extensions that are allowed to load via the Kernel Extension Policy

Starting with macOS 10.13.4, enrolling in MDM no longer disables User Approved Kernel Extension Loading, and extensions previously allowed to load for that reason now require approval. However, you can use MDM to specify kernel extensions that load without approval. This requires a Mac that is using macOS 10.13.2 or later and is either enrolled in MDM via DEP, or whose MDM enrollment is User Approved.

User Approved MDM enrollment

macOS High Sierra 10.13.2 introduced the concept of "User Approved" MDM enrollment. This enrollment type is required only if you want to manage certain security-sensitive settings on a Mac whose MDM enrollment is not done through DEP.

You can already manage security-sensitive settings on devices whose MDM enrollment is performed via DEP, so User Approved enrollment is unnecessary for these devices.

You can still manage settings that are not security sensitive for devices that are enrolled in MDM without the User Approved option.

Enrollment
type
Can manage
security-sensitive settings?
Can manage
non-sensitive settings?

Enrolled in MDM via DEP

Yes

Yes

User Approved MDM

Yes Yes

Non-User Approved MDM

No

Yes

How to enroll a Mac in User Approved MDM:

  • If a Mac is enrolled in DEP, its enrollment is equivalent to User Approved when it enrolls in MDM.
  • If a Mac was enrolled in non-User Approved MDM before updating to macOS 10.13.4, its enrollment is converted to User Approved when installing macOS 10.13.4.
  • You can also download or email yourself an enrollment profile. Double-click the profile, then follow the prompts in System Preferences to enroll in MDM.

Using automation or attempting to enroll a device remotely via screen sharing will not result in User Approved enrollment.

If your Mac was enrolled in MDM without user consent in macOS 10.13.4, its enrollment won't be User Approved. To manage security-sensitive settings, you can approve your enrollment:

  1. Choose Apple menu > System Preferences, then click Profiles.
  2. Select your enrollment profile that has a badge:  .
  3. Click the Approve button on the right, then follow the onscreen instructions.

User Approved Kernel Extension Loading with MDM

Starting with macOS 10.13.4, User Approved Kernel Extension Loading is enabled on all devices, including those enrolled in MDM. Use the Kernel Extension Policy payload to:

  • Specify which kernel extensions should load without user consent.
  • Optionally prevent users from approving additional kernel extensions.

User Approved Kernel Extension Loading without MDM

If you want to manage User Approved Kernel Extension Loading outside of MDM, start up from macOS Recovery and use the spctl command. Run the command by itself to get more information about how to use it.

If you're managing User Approved Kernel Extension Loading using the spctl command and you reset NVRAM, your Mac reverts to its default state with User Approved Kernel Extension Loading enabled. You can set a firmware password on your Mac to prevent unauthorized changes to NVRAM.

Published Date: