Any luck at getting Google Drive for Desktop to install on Intel machines without the ""System Extension Blocked" and "Open Security & Privacy Settings" to approve" window?
I have added the appropriate lines to the System Extensions profile as outlined in this thread and have Google Drive installing without user prompt on M1 machines. I just can't get around the admin user prompt on Intel Machines (running Big Sur).
Negative, we're deploying the latest version of Google Drive (50.0.something) and on Intel machines running Big Sur it ignores the above and requires you to manually approve. Whatever they did for the M1s it doesn't seem to require this at all anymore and "just works", its just our Intel machines.
Guess we just have to hope Google backports whatever they did for the M1s to the Intel version of the app sometime before we end up replacing them all lol. Their engineers were totally dumbfounded when I originally reported this issue when Big Sur launched so I'm not holding my breath.
Any luck at getting Google Drive for Desktop to install on Intel machines without the ""System Extension Blocked" and "Open Security & Privacy Settings" to approve" window?
I have added the appropriate lines to the System Extensions profile as outlined in this thread and have Google Drive installing without user prompt on M1 machines. I just can't get around the admin user prompt on Intel Machines (running Big Sur).
If you're getting a prompt, it's probably a Kernel Extension and not a System Extension (assuming you properly configured the System Extension Config Profile).
If Google Drive is actually using a KEXT on Big Sir, you cannot completely pre-approve the KEXT on Big Sur as you could on Catalina and older versions. This is an APPLE limitation. You can only approve it so that the user can then themselves approve it (and then reboot to rebuild the kernel cache). The KEXT pre-approve Config Profile does do something, it just does not provide the same function like it did in Catalina and older OS versions.
I assume then, that the ARM version does not utilize a KEXT, if you are not seeing the same behavior. (Or the KEXT isn't complied for ARM and thus it's not supported period, no matter what -- I haven't tested this behavior to see if it prompts anything or not.)
Any luck at getting Google Drive for Desktop to install on Intel machines without the ""System Extension Blocked" and "Open Security & Privacy Settings" to approve" window?
I have added the appropriate lines to the System Extensions profile as outlined in this thread and have Google Drive installing without user prompt on M1 machines. I just can't get around the admin user prompt on Intel Machines (running Big Sur).
I got it to work - mostly! I was able to get Google Drive to install on Intel machines with some interaction from a standard user. One of my main issues was that Google Drive requires a Kernel extension on Intel machines. Admin approval through System Preferences is needed for this. However, our users are only standard (non-admin) users. I was able, through a profile, to allow non-admin users to approve kernel extensions.
The key is the AllowNonAdminUserApprovals key in the Kernel Extension profile. While Jamf Pro exposes this setting as a checkbox titled, "Allow standard users to approve legacy kernel extensions", Jamf School does not have this setting. I did put a ticket in requesting that this setting be added. In the meantime, I created my own custom profile using the free tool iMazing Profile Editor and it worked!
Users still have to go to System Preferences to approve the kernel extension, but at least now they are able to do so without being an admin user.
Can someone confirm that AllowNonAdminUserApprovals only takes affect on the defined Kernelextensions?
Or does it give the user the rights to approve any Kernelextensions?
Can someone confirm that AllowNonAdminUserApprovals only takes affect on the defined Kernelextensions?
Or does it give the user the rights to approve any Kernelextensions?
It's a "top level" setting. It's not tied to the/an individual KEXT that it may appear tied to via the GUI representation of Jamf Pro's Configuration Profiles.
We split the config into 2 different ones; intel and M1 Mac's (based on smart groups). Intel has the Google Drive pppc and kernel approved. The M1's got the system extension approved. This has worked so far.
We split the config into 2 different ones; intel and M1 Mac's (based on smart groups). Intel has the Google Drive pppc and kernel approved. The M1's got the system extension approved. This has worked so far.
The Intels are on big sur? If so the Kernel Extension actually worked?
The Intels are on big sur? If so the Kernel Extension actually worked?
Yes, they are all on Big Sur.
So what's a bit messy is that Google Drive seems to have both kexts and system extensions and it uses either depending on the architecture. So our config for G Drive on Intel and Big Sur has got a PPPC, Kernel and system extension. The M1 config only has the system extension approved.
Yes, they are all on Big Sur.
So what's a bit messy is that Google Drive seems to have both kexts and system extensions and it uses either depending on the architecture. So our config for G Drive on Intel and Big Sur has got a PPPC, Kernel and system extension. The M1 config only has the system extension approved.
Oh wow, thats crazy! Would love if you could kindly post some screen shots of what you have so we can all be on the same page 🙂 Thanks for this!
Oh wow, thats crazy! Would love if you could kindly post some screen shots of what you have so we can all be on the same page 🙂 Thanks for this!
Not sure if the system extension needs to be in there but this is the config I created for the intel Mac's.
Scope: smart group; Operating system; 11. , architecture type is not arm64
@tjhall why did you add 'approved kernel extensions' section for Big Sur? I only have the PPPC and Sys Extension sections and it worked on intel running Big Sur. Going to test it on M1
@tjhall why did you add 'approved kernel extensions' section for Big Sur? I only have the PPPC and Sys Extension sections and it worked on intel running Big Sur. Going to test it on M1
For our M1's I use a smart group scoped to arm architecture and then just a config with the approved system extension. Works fine so far.
actually my Google drive for desktop system ext config profile doesn't work. The installation of google drive for desktop went fine, i did not see any popups, but when google drive for desktop gets accessed by the user that's when the popups starting appearing. That's when i realized the system extension profile doesn't work.
@tjhall why do you have Approved Kernel Extension section in your config profile? doesn't Big Sur not use them?
@tcandela That's how I understood it too but it looks like Google Drive uses it on intel Mac's. On the flip side, using a kernel profile on a M1 Mac kicks up an message to approve it but since it doesn't allow kernel extensions that message will came back again after restart.
I just downloaded Google Drive for Desktop on a 13" MBPro M1 and ran the .pkg and it never asked me to approve any system extensions. I logged into my google drive so the drive would mount and I did not get any system extension prompt to allow anything.
I restarted the laptop and nothing, no prompts. The version reads Google Drive version 51.0.14.0 (Apple Silicon)
I run the 'sysemextensionsctl list' and it says 0
when you download google drive does it know whether to download the M1 version of Intel version? Is there 2 separate versions?
I just downloaded Google Drive for Desktop on a 13" MBPro M1 and ran the .pkg and it never asked me to approve any system extensions. I logged into my google drive so the drive would mount and I did not get any system extension prompt to allow anything.
I restarted the laptop and nothing, no prompts. The version reads Google Drive version 51.0.14.0 (Apple Silicon)
I run the 'sysemextensionsctl list' and it says 0
when you download google drive does it know whether to download the M1 version of Intel version? Is there 2 separate versions?
That's correct, the Apple Silicon version no longer requires any sort of System Extension or Kernel Extension.
It's a "universal" app package, so both the Intel and M1 version of the app are rolled together into one pkg and it automatically detects which version should be installed based on the system architecture.
As of this time the Intel version still requires a System/Kernel extension. On Catalina (and lower) installs we can pre-approve this via configuration payload, but that no longer works for Big Sur. So for Intel machines running Big Sur the current behavior is that direct user action is required to approve the extension the first time you run Drive File Stream, and that user must have admin rights.
@quip_MDavison what do you have for your intel Catalina/Big Sur extension. config profile?
@quip_MDavison what do you have for your intel Catalina/Big Sur extension. config profile?
Here's what we use for our Catalina Intels and it still works. This issue actually stopped us from rolling out Big Sur entirely until we could make the jump to start deploying M1 Macs, there's no way to do it by config profile or policy on a Big Sur Intel machine and Google has no interest in going back to resolve it. There were lots of back and forth support calls with Google about it... It took Google nearly a year to re-engineer the app not to require a system extension anymore. Should be fun in a few months when Monterey manages to jack it all up again 😛
@quip_MDavison yep I have the same Catalina KEXT config profile setup as you. Just tried it to verify with Google drive v 51.0.14.0 and not prompt to allow after logging into the google drive account.
I thought Kernel Extensions were for Catalina, System Extensions were for Big Sur or have I missed something? That profile above shows a Kernel Extension applying successfully for Big Sur?
https://developer.apple.com/support/kernel-extensions/
@Greg That's what confused me too. I was under the impression that Big Sur only used system extensions but kernel extensions are still used for Intel Mac's but not on M1's. Hence the confusion with config profiles and having to split them depending on architecture.
I thought Kernel Extensions were for Catalina, System Extensions were for Big Sur or have I missed something? That profile above shows a Kernel Extension applying successfully for Big Sur?
https://developer.apple.com/support/kernel-extensions/
You are correct. We have the policy above scoped explicitly to apply to Catalina machines, not Big Sur.
Catalina Intel: The above payload works for pre-approving the GDFS kernel extension
Big Sur Intel: The above payload does not work, in fact it gives an error when trying to apply if you look at the logs. Using a system extension payload does not work either, and even trying to get the values to put in the system extension payload off a GDFS install on these systems is a challenge. Per Apple's security changes there is no way to pre-approve a system extension via MDM controls on Intel Macs running Big Sur. Direct user action with admin rights is required to approve the legacy extension when prompted on first run.
Big Sur M1: The Apple Silicon binary for GDFS was re-engineered (as of a recent version, around June/July 2021 IIRC) to no longer require a system or kernel extension, just deploy the pkg and it works. Yay. Before that update it was in the same boat as the Big Sur Intels where you could not preapprove the system extension via MDM and the old kernel extension no longer worked. They did not go back and do the same for the Intel binary, and from my talks with Google engineering support they don't have any plans to do so.
You are correct. We have the policy above scoped explicitly to apply to Catalina machines, not Big Sur.
Catalina Intel: The above payload works for pre-approving the GDFS kernel extension
Big Sur Intel: The above payload does not work, in fact it gives an error when trying to apply if you look at the logs. Using a system extension payload does not work either, and even trying to get the values to put in the system extension payload off a GDFS install on these systems is a challenge. Per Apple's security changes there is no way to pre-approve a system extension via MDM controls on Intel Macs running Big Sur. Direct user action with admin rights is required to approve the legacy extension when prompted on first run.
Big Sur M1: The Apple Silicon binary for GDFS was re-engineered (as of a recent version, around June/July 2021 IIRC) to no longer require a system or kernel extension, just deploy the pkg and it works. Yay. Before that update it was in the same boat as the Big Sur Intels where you could not preapprove the system extension via MDM and the old kernel extension no longer worked. They did not go back and do the same for the Intel binary, and from my talks with Google engineering support they don't have any plans to do so.
If you create a PPPC profile for Drive, you can make it so that a standard user can authorise the system/kernel extension, rather than an Admin. I have it running on the Big Sur Macs both Intel and M1, and the students can approve the extensions themselves when it asks.
If you create a PPPC profile for Drive, you can make it so that a standard user can authorise the system/kernel extension, rather than an Admin. I have it running on the Big Sur Macs both Intel and M1, and the students can approve the extensions themselves when it asks.
You can, but it's kind of a kludgy workaround where the user still has to go through the prompts and allow it. It also raises some security concerns we weren't comfortable with in our environment 😛
Please see my previous replies:
KEXTs are available on Catalina and Big Sur on both Intel and ARM devices. For them to work on ARM they HAVE to be recompiled. Rosetta will not translate them.
SysExts are available on Catalina and Big Sur on both Intel and ARM devices.
The "warning dialog" that is thrown up IS NOT ACCURATE. It will say a System Extension is blocked, even when it is a Kernel Extension. The warnings for each are actually different, but both still say "System Extension."
