
Kernel extensions in macOS
Starting with macOS 11, if third-party kernel extensions (kexts) are enabled, they can’t be loaded into the kernel on demand. Instead, they’re merged into an Auxiliary Kernel Collection (AuxKC), which is loaded during the boot process. For a Mac with Apple silicon, the measurement of the AuxKC is signed into the LocalPolicy (for previous hardware, the AuxKC resided on the data volume). Rebuilding the AuxKC requires the user’s approval and a restart of macOS to load the changes into the kernel, and it requires that secure boot be configured to Reduced Security.
Important: Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating system, and users should prefer solutions that don’t require extending the kernel.
Adding kexts on a Mac with Apple silicon
MDM enrollment type | Approval method
---|---
Not enrolled | Kext management by the user requires a restart to recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as an administrator. Only when recoveryOS is entered using the power button press will the Secure Enclave accept the change of policy. The user must then select the checkbox Reduced Security and the option “Allow user management of kernel extensions from identified developers” and restart the Mac.
User Enrollment | The user must restart into recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as an administrator. Only when recoveryOS is entered using the power button press will the Secure Enclave accept the change of policy. The user must then select Reduced Security, check “Allow user management of kernel extensions from identified developers,” and restart the Mac.
Device Enrollment | The MDM solution should notify the user they must restart into recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as an administrator. Only when recoveryOS is entered using the power button press will the Secure Enclave accept the change of policy. The user must then select Reduced Security, check “Allow remote management of kernel extensions and automatic software updates,” and restart the Mac. Contact your MDM vendor to see if they support this feature.
Automated Device Enrollment (serial number appears in Apple School Manager or Apple Business Manager and the Mac is automatically enrolled in MDM) | MDM solutions can manage this automatically. Contact your MDM vendor to see if they support this feature.
Adding kexts on an Intel-based Mac with macOS 11
MDM enrollment type | Approval method
---|---
Not enrolled, User Enrollment | When a new kext is installed and there’s an attempt to load it, a restart must be initiated by the user from the warning dialog in the Security & Privacy pane of System Preferences. This restart initiates the rebuild of the AuxKC before the kernel boots.
Device Enrollment, Automated Device Enrollment | Every time a new kext is installed and there’s an attempt to load it, a reboot needs to be initiated by either:

Note: A kext allow list profile must first be installed by the MDM specifying the kext.
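The allow list profile the note refers to is a Kernel Extension Policy payload. As an added example, not Apple's code or documentation, the Python below builds such a profile with `plistlib` and evaluates whether a given kext would be allow-listed by it. The payload type `com.apple.syspolicy.kernel-extension-policy` and the keys `AllowedTeamIdentifiers`, `AllowedKernelExtensions` and `AllowUserOverrides` are the documented ones; every team ID, bundle ID and `PayloadIdentifier` value is a constructed placeholder.

```python
"""Build and evaluate a Kernel Extension Policy (kext allow list) profile.

Added example, not Apple's code. The payload type and its keys are the
documented ones; every team ID, bundle ID and PayloadIdentifier below is a
constructed placeholder.
"""
import plistlib
import uuid

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"


def build_kext_policy_profile(allowed_team_ids, allowed_kexts,
                              allow_user_overrides=False):
    """Return a configuration profile dict with one kext policy payload.

    allowed_team_ids: Team IDs whose kexts are all allowed.
    allowed_kexts:    {team_id: [bundle_id, ...]} allowing specific kexts only.
    allow_user_overrides: False keeps approval under MDM control rather than
                          letting a local user approve kexts outside the list.
    """
    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kextpolicy.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": list(allowed_team_ids),
        "AllowedKernelExtensions": {t: list(b) for t, b in allowed_kexts.items()},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.kextpolicy",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example Kernel Extension Policy",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile as the XML plist a .mobileconfig file carries."""
    return plistlib.dumps(profile)


def kext_allowed(mobileconfig, team_id, bundle_id):
    """Decide whether a kext signed by team_id with bundle_id is allow-listed.

    Two grant paths exist: the whole team is listed, or the specific bundle
    is listed under that team. Anything else is not allowed by the profile.
    """
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_POLICY_TYPE:
            continue
        if team_id in payload.get("AllowedTeamIdentifiers", []):
            return True
        per_team = payload.get("AllowedKernelExtensions", {}).get(team_id, [])
        if bundle_id in per_team:
            return True
    return False


# Constructed placeholders, not real developer identities.
EXAMPLE_PROFILE = to_mobileconfig(build_kext_policy_profile(
    allowed_team_ids=["TEAMID0001"],
    allowed_kexts={"TEAMID0002": ["com.example.vendor.driver"]},
))

if __name__ == "__main__":
    print(EXAMPLE_PROFILE.decode())
    for team, bundle in [("TEAMID0001", "com.example.anything"),
                         ("TEAMID0002", "com.example.vendor.driver"),
                         ("TEAMID0002", "com.example.vendor.other")]:
        verdict = "allowed" if kext_allowed(EXAMPLE_PROFILE, team, bundle) else "not allowed"
        print(team, bundle, verdict)
```

Listing a whole Team ID allows every kext that team signs, so the narrower `AllowedKernelExtensions` form is the one to prefer when only one vendor driver is needed; keeping `AllowUserOverrides` false ensures the list, not a local approval, decides what goes into the AuxKC.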
Kernel extensions with System Integrity Protection
If System Integrity Protection (SIP) is enabled, each kext’s signature is verified before the kext is included in the AuxKC.
If SIP is disabled, the kext signature isn’t enforced.
This approach allows Permissive Security flows for developers or users who aren’t part of the Apple Developer Program to test kexts before they are signed.
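Whether the signature enforcement described above actually applied on a given Mac comes down to two facts: which non-Apple kexts are loaded and whether SIP is enabled. As an added example, not Apple's tooling, the Python below parses a constructed kext listing modelled loosely on `kmutil showloaded` output together with a `csrutil status` line, and turns them into findings; the column layout of the listing is approximated and only the bundle-identifier token in each line is relied on.

```python
"""Audit loaded third-party kexts against the SIP state.

Added example, not Apple's tooling. The kext listing below is constructed
and only loosely modelled on `kmutil showloaded` output; the parser relies
solely on the bundle-identifier token in each line.
"""
import re

# Constructed sample: the column layout is approximated.
SAMPLE_KEXT_LIST = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  162 0                  0          0          com.apple.kpi.bsd (21.6.0)
   25    0 0xffffff7f8a0e5000 0x3000     0x3000     com.apple.driver.AppleSmartBatteryManager (161.0.0)
  140    0 0xffffff7f8b2c0000 0x1e000    0x1e000    com.example.vendor.driver (2.1.0)
  141    0 0xffffff7f8b2e0000 0x8000     0x8000     io.acme.securityagent (5.0.1)
"""

# Constructed `csrutil status` first lines for both states.
SIP_ON = "System Integrity Protection status: enabled."
SIP_OFF = "System Integrity Protection status: disabled."

# Reverse-DNS bundle identifier: at least three dot-separated labels.
BUNDLE_ID_RE = re.compile(r"\b([a-z0-9]+(?:\.[A-Za-z0-9_-]+){2,})\b")
SIP_RE = re.compile(r"status:\s*(enabled|disabled)", re.IGNORECASE)


def third_party_kexts(listing):
    """Return bundle IDs in the listing that are not Apple's own (com.apple.*)."""
    found = []
    for line in listing.splitlines()[1:]:  # skip the header row
        m = BUNDLE_ID_RE.search(line)
        if m and not m.group(1).startswith("com.apple."):
            found.append(m.group(1))
    return found


def sip_enabled(csrutil_output):
    """Parse the SIP state; None if the text carries no recognisable status."""
    m = SIP_RE.search(csrutil_output)
    if not m:
        return None
    return m.group(1).lower() == "enabled"


def audit(listing, csrutil_output):
    """Combine both facts into findings a defender can act on."""
    kexts = third_party_kexts(listing)
    sip = sip_enabled(csrutil_output)
    findings = []
    if kexts:
        findings.append("third-party kexts loaded: " + ", ".join(kexts))
    if sip is False and kexts:
        findings.append("SIP disabled: kext signatures were not enforced "
                        "when the AuxKC was built")
    if sip is None:
        findings.append("SIP state unknown")
    return {"third_party_kexts": kexts, "sip_enabled": sip, "findings": findings}


if __name__ == "__main__":
    for state in (SIP_ON, SIP_OFF):
        print(audit(SAMPLE_KEXT_LIST, state))
```

On a real Mac the two inputs would come from `kmutil showloaded` and `csrutil status`; the point of the combination is that a third-party kext on its own is a policy question, while a third-party kext plus SIP disabled means its signature was never checked on the way into the AuxKC.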
Alternatives to kexts (macOS 10.15 or later)
macOS 10.15 enables developers to extend the capabilities of macOS by installing and managing system extensions that run in user space rather than at the kernel level. By running in user space, system extensions increase the stability and security of macOS. Whereas kexts inherently have full access to the entire operating system, extensions running in user space are granted only the privileges necessary to perform their specified function.
Developers can use frameworks, including DriverKit, EndpointSecurity, and NetworkExtension, to write USB and human interface drivers, endpoint security tools (like data loss prevention or other endpoint agents), and VPN and network tools, all without needing to write kexts. Third-party security agents should be used only if they take advantage of these APIs or have a robust road map to transition to them and away from kernel extensions.
- You’re enrolled in MDM through Apple School Manager or Apple Business Manager.
- Your MDM enrollment is User-Approved.
The following payloads must meet one of the above requirements: