Prepare for changes to kernel extensions in macOS High Sierra

If you’re a system administrator, use this information to prepare for changes to kernel extensions when you upgrade your business or education institution to macOS High Sierra.

To improve security on the Mac, kernel extensions installed with or after the installation of macOS High Sierra require user consent in order to load. This is known as User Approved Kernel Extension Loading. Any user can approve a kernel extension, even if they don’t have administrator privileges.

Kernel extensions don't require authorization if they:

  • Were on the Mac before the upgrade to macOS High Sierra.
  • Are replacing previously approved extensions.
  • Are allowed to load without user consent by using the spctl command while booted to macOS Recovery.
  • Are installed on a Mac enrolled in Mobile Device Management (MDM). At this time, enrolling in MDM automatically disables User Approved Kernel Extension Loading. This behavior will change in spring 2018.
  • Are allowed to load via MDM configuration. Starting with macOS High Sierra 10.13.2, you can use MDM to specify a list of kernel extensions which will load without user consent. This option requires a Mac running macOS High Sierra 10.13.2 which is either enrolled in MDM via the Device Enrollment Program (DEP) or whose MDM enrollment is User Approved.

User Approved MDM enrollment

macOS High Sierra 10.13.2 introduces the concept of "User Approved" MDM enrollment. This new enrollment type is only required if you want to manage certain security-sensitive settings on a Mac whose MDM enrollment is not done through DEP.

Since you can already manage security-sensitive settings on devices whose MDM enrollment is performed via DEP, User Approved enrollment is unnecessary for these devices.

Currently, the only payload which requires either User Approved or DEP-initiated MDM enrollment is the Kernel Extension Policy. However, as new configuration payloads are introduced in future versions of macOS, they might also require User Approved or DEP-initiated enrollment.

You can still manage settings which are not security-sensitive on devices that are enrolled in MDM without the User Approved option.

    Can manage security-sensitive settings Can manage non-sensitive settings

Enrolled in MDM via DEP

Yes

Yes

User Approved MDM

Yes Yes

Non-User Approved MDM

No

Yes

You can enroll a Mac in User Approved MDM with these methods:

  • If a Mac is enrolled in DEP, its enrollment is equivalent to User Approved when it enrolls in MDM.
  • If a Mac was enrolled in (non-User Approved) MDM prior to upgrading to macOS High Sierra 10.13.2, its enrollment is converted to User Approved when it's upgraded.
  • Download or email yourself the enrollment profile and double click it. Then follow the prompts in System Preferences to enroll in MDM.

Using automation or even attempting to enroll a device remotely via screen sharing will not result in User Approved enrollment.

If your Mac was enrolled in MDM without the User Approved option, you can approve your existing enrollment to manage security-sensitive settings. Open System Preferences > Profiles and locate your enrollment profile that has a badge: 

Select your enrollment profile, click the Approve button on the right, and follow the prompts.

Manage user-approved kernel extension loading with MDM

If your Mac is running macOS High Sierra and is enrolled in MDM, User Approved Kernel Extension Loading is currently disabled. All kernel extensions will load without requiring user consent. Use the Kernel Extension Policy payload to specify which kernel extensions should load without user consent, and to optionally prevent users from approving additional kernel extensions.

In spring 2018, an update to macOS will cause User Approved Kernel Extension Loading to be enabled even on devices enrolled in MDM. You will still be able to use the Kernel Extension Policy to manage User Approved Kernel Extension Loading after this change.

Manage user-approved kernel extension loading without MDM

If you want to manage User Approved Kernel Extension Loading outside of MDM, boot into macOS Recovery and use the spctl command. Run the command by itself to get more information about how to use it.

If you're managing User Approved Kernel Extension Loading using the spctl command and you reset NVRAM, your Mac reverts to its default state with User Approved Kernel Extension Loading enabled. You can set a firmware password on your Mac to prevent unauthorized changes to NVRAM.

Дата публикации: