Enterprise management of legacy system extensions in macOS Big Sur
Find out how system administrators can manage the installation of legacy system or kernel extensions (kexts) in macOS Big Sur.
This article is intended for system administrators at businesses and educational organisations.
About system extensions in macOS
System extensions on macOS Catalina 10.15 and later allow software, such as network extensions and endpoint security solutions, to extend the functionality of macOS without requiring kernel-level access. Find out how to install and manage system extensions in user space instead of the kernel.
Legacy system extensions, also known as kernel extensions or kexts, execute in a highly privileged mode of the system. Starting with macOS High Sierra 10.13, a kernel extension must be approved by an administrator account or a Mobile Device Management (MDM) profile before it can load.
macOS Big Sur 11.0 and later allows management of legacy system extensions for both Intel-based Mac computers and Mac computers with Apple silicon.
How to manage legacy system extensions
Kernel extensions that use previously deprecated and unsupported KPIs no longer load by default. You can use MDM to modify default policies to not show dialogues periodically and to allow the kernel extensions to load. For Mac computers with Apple silicon, you must change the security policy first.
To install a new or updated kernel extension in macOS Big Sur, you can do either one of the following:
Instruct the user to follow the prompts within Security & Privacy preferences to allow the extension, then restart their Mac. You can permit users who are not administrators to allow the extension using the
AllowNonAdminUserApprovals
key in the Kernel Extension Policy MDM payload.Send the
RestartDevice
MDM command and set theRebuildKernelCachekey
to True.
Whenever the set of approved kernel extensions changes, either after initial approval or if the version is updated, a restart is required.
Additional requirements for Mac computers with Apple silicon
Before you can install a kernel extension on a Mac computer with Apple silicon, the security policy must be changed in one of the following ways:
If you have devices enrolled in MDM with Automated Device Enrolment, you can authorise remote management of kernel extensions automatically and change the security policy.*
If you have devices enrolled into MDM with Device Enrolment, a local administrator can change the security policy manually in macOS Recovery and authorise remote management of kernel extensions and software updates. Additionally, an MDM administrator can advise the local administrator to make this change by setting
PromptUserToAllowBootstrapTokenForAuthentication
in MDMOptions or by setting the same key in the MDM profile.*If you have non-MDM devices or devices enrolled into MDM with User Enrolment, a local administrator can change the security policy manually in macOS Recovery and authorise user management of kernel extensions and software updates.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.