Kextpocalyse 2: The Remediation [Blog post by our own @franton)

  • December 26, 2017
  • 90 replies
  • 536 views


  • Contributor
  • April 2, 2018

@cdev, Are you using a custom MDM payload? I could not get a custom MDM payload to work with kext whitelisting, even though it would install correctly. It had to be a native payload for the kernel extension policy, which means you need a version of JAMF that supports it.

I know some people have said they got it to work, but I don't believe it personally.


donmontalvo
  • Author
  • Hall of Fame
  • April 2, 2018

If you decide to whitelist TeamID only (ten character vendor ID string), you shouldn't get any prompts once Wacom's TeamID is whitelisted.

But if you use even one BundleID (com.vendor.application.etc.), that TeamID will require every BundleID to be included, else prompts.

The configuration profile should have a Preference Domain of com.apple.syspolicy.kernel-extension-policy but pretty sure everyone knows that.

We created a TeamID whitelist that seems to work fine; not sure why anyone would want to add BundleIDs to the Custom Configuration Profile (rabbit hole).

KEXT inventory data
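An added example (not franton's script or anything else from this thread) showing the two whitelisting modes described in the post above: it parses rows in the pipe-delimited team_id|bundle_id|allowed|developer_name|flags format posted later in the thread, builds the com.apple.syspolicy.kernel-extension-policy payload either as TeamIDs only or with every BundleID enumerated, and lists which kexts a given payload would leave unapproved. The sample rows are copied from the thread, and the PayloadIdentifier is a placeholder.

```python
import uuid

# Sample rows taken from the thread, in the pipe-delimited format posted there; the
# column order is that of the kext_policy table: team_id|bundle_id|allowed|developer_name|flags
SAMPLE_ROWS = """\
TV3T7A76P4|com.cososys.driver.EPPDeviceController|0|CoSoSys|4
TV3T7A76P4|com.cososys.eppclient.eppkauth|0|CoSoSys|4
AH4XFXJ7DK|com.fortinet.fct.kext.avkern2|0|Fortinet, Inc|4
6HB5Y2QTA3|com.hp.kext.io.enabler.compound|1|HP Inc.|0
"""

def parse_rows(text):
    """Turn the pipe-delimited dump into dicts; 'allowed' and 'flags' are kept as ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        team, bundle, allowed, dev, flags = line.split("|")
        rows.append({"team_id": team, "bundle_id": bundle, "allowed": int(allowed),
                     "developer_name": dev, "flags": int(flags)})
    return rows

def build_payload(rows, team_only=True):
    """Build the kernel-extension-policy payload dict. team_only=True lists TeamIDs only
    (AllowedTeamIdentifiers); otherwise every bundle is listed under its TeamID."""
    payload = {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadIdentifier": "com.example.kext-whitelist",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "AllowUserOverrides": True,
    }
    if team_only:
        payload["AllowedTeamIdentifiers"] = sorted({r["team_id"] for r in rows})
    else:
        by_team = {}
        for r in rows:
            by_team.setdefault(r["team_id"], set()).add(r["bundle_id"])
        payload["AllowedKernelExtensions"] = {t: sorted(b) for t, b in by_team.items()}
    return payload

def uncovered(rows, payload):
    """Kexts the payload does not cover: a TeamID entry covers all of that team's kexts,
    a bundle list covers only the bundles it names (the 'every BundleID' problem)."""
    teams = set(payload.get("AllowedTeamIdentifiers", []))
    bundles = payload.get("AllowedKernelExtensions", {})
    return [r["bundle_id"] for r in rows if r["team_id"] not in teams
            and r["bundle_id"] not in bundles.get(r["team_id"], [])]
```

Feed `build_payload(...)` to `plistlib.dumps()` to get the payload XML for a profile; `uncovered()` run against a host's dump shows exactly which kexts will still prompt under that profile.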


  • Esteemed Contributor
  • April 2, 2018

As I've found, a custom payload doesn't work for 10.13.4 onwards now. Annoying. However it did for 10.13.3 backwards.

My suggestion is to use my script or other methods to find the info, then create the profile within Jamf Pro.


  • Esteemed Contributor
  • April 2, 2018

Also Erik Gomez on the macadmins' slack posted this google drive link: Kext Google Docs

It's a user compiled list of all the "fun" kext info you could possibly want.


  • Valued Contributor
  • April 6, 2018

@franton I've built out the following based on the kext info I gathered from using your script (thank you!). I've run this on 10.13.4 machines but the kernel extensions are still showing up as needing to be approved. I just want to make sure that I'm entering all of the information correctly. Does the config need to be deployed at User level or Computer level?


  • Esteemed Contributor
  • April 6, 2018

@LovelessinSEA I'm deploying at the computer level.


  • Valued Contributor
  • April 6, 2018

For some reason I can't get the extensions to approve. I tried using the whole .plist that was generated by the script and deploying it in a configuration profile. No change to the approvals. I tried using the Approved Kernel Extensions payload and adding one approved kernel extension at a time and they still aren't being approved.

Is everyone else seeing that the extension approval button is going away after the config profile is pushed to the device?

For example, I have a machine that needs to have CrowdStrike approved. I created an Approved Kernel Extension payload.

It doesn't seem to do anything though.

Am I missing something?


  • Contributor
  • April 6, 2018

Are the kernel extensions loaded? In my experience, the prefs pane would offer user-level approval even if the kext was MDM-whitelisted and loaded. kextstat can help you there.


  • Valued Contributor
  • April 6, 2018

Same for me, @LovelessinSEA.


  • New Contributor
  • April 9, 2018

@LovelessinSEA and @jalcorn, can you contact support at CrowdStrike? We've seen some cases where the application of the MDM policy has caused the mdmclient process to crash, leading to an odd state. Having a sysdiagnose from your machines would be very helpful.


  • Valued Contributor
  • April 9, 2018

@mrbauer1 Thanks for the reply. Yeah, we reached out to them last week and they suggested creating a configuration profile with an approved whitelist. They also gave us the workaround if you get the dreaded black screen with cursor: they had us remove the CrowdStrike launch daemon in a safe mode boot.

Thanks again!


  • Valued Contributor
  • April 10, 2018

@mrbauer1 I'm seeing it with ESET; I do not use CrowdStrike.


  • Contributor
  • April 10, 2018

@LovelessinSEA CrowdStrike is kinda lost on this issue too. I am using these 4 without issues:

(u'X9E956P446', u'com.crowdstrike.sensor', 1, u'CrowdStrike Inc.', 8)
(u'X9E956P446', u'com.crowdstrike.libreactos', 1, u'CrowdStrike Inc.', 8)
(u'X9E956P446', u'com.crowdstrike.platform', 1, u'CrowdStrike Inc.', 8)
(u'X9E956P446', u'com.crowdstrike.TDB', 1, u'CrowdStrike Inc.', 8)


  • Valued Contributor
  • April 10, 2018

@macbentosh Thanks for these! Are you including all of the bundle IDs or are you just using the main Team ID of X9E956P446 in the config profile?


  • Contributor
  • April 10, 2018

Per my interpretation of Apple's docs, you need both. Almost like a Team ID and then a definition of what .kext the Team ID covers.


  • Honored Contributor
  • April 10, 2018

In our testing we just used the Team ID and it looks like it's working... with a different AV vendor...

C


  • Valued Contributor
  • April 11, 2018

So I have this working "fine" by adding the team IDs to a configuration profile, but...

WHY WHY WHY Apple!!! Because the MDM profile applied via Jamf Pro has to be user approved, the config profile with the kext exceptions then fails to apply and just shows under the management tab for a machine as failed. It seemingly then never installs until I manually click to remove the failed message.

Is this as expected? If this is how it's going to be then I'm making a serious consideration to never upgrade any of our existing machines to High Sierra as this is getting ridiculous.


  • Contributor
  • April 11, 2018

Well, it depends on enrollment. Enrolling with DEP works and requires no action. Enrolling with Recon or /enroll will require you to accept an install. Upgrading to 10.13.4 with machines already enrolled will convert to a user authorized enrollment.

FUN!!!


  • Valued Contributor
  • April 11, 2018

@macbentosh Yes, sadly none of those answers match our setup, so we're screwed essentially.


  • Valued Contributor
  • April 11, 2018

I have the exact same issue.

Background:
JAMF Pro 10.2.2
OSX 10.13.4
Non-DEP deployed
MDM Profile HAS been approved.

I have gathered all the Data required.

TV3T7A76P4|com.cososys.driver.EPPDeviceController|0|CoSoSys|4
TV3T7A76P4|com.cososys.eppclient.eppkauth|0|CoSoSys|4
TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
6HB5Y2QTA3|com.hp.kext.io.enabler.compound|1|HP Inc.|0
AH4XFXJ7DK|com.fortinet.fct.kext.avkern2|0|Fortinet, Inc|4
AH4XFXJ7DK|com.fortinet.kext.fctrouternke|0|Fortinet, Inc|4
AH4XFXJ7DK|com.fortinet.fct.kext.fctapnke|0|Fortinet, Inc|4

I have Created a Kernel Extension Profile and it has deployed successfully.

I STILL get prompted for these Extensions on the machine.

I have tried having the Profile use Just the ID, and also the bundles, neither option actually works.

Has anyone got any ideas ?


  • Valued Contributor
  • April 11, 2018

Odd discovery

In the output from the database, there are 2 numbers in each line; the first is a 0 and the second a 4 (except the HP one) when deployed by the profile.

If I respond to the prompt and manually approve the Extensions, both numbers change to a 1.

Not sure of the significance of the numbers, but this may well have something to do with it.


KyleEricson
  • Valued Contributor
  • April 11, 2018

I'm having the exact same issue with Sophos AV.


  • Valued Contributor
  • April 12, 2018

I have come up with a solution that I think will work for us for the time being:

By following the guide at "https://derflounder.wordpress.com/2018/03/30/detecting-user-approved-mdm-using-the-profiles-command-line-tool-on-macos-10-13-4/#more-9616" to create a new extension attribute to recognise if a device has been user approved or not, I have come up with a way to at least make some of it simpler if you are still imaging the old fashioned way.

I have created a simple app that is distributed to the management account desktop during the imaging. Once a Mac is imaged and obviously enrolled in MDM, we can then just log in, run the app and hey presto, MDM is approved and the kernel extension config profile is then applied.

What the app actually does is just open the System Preferences > Profiles pane, which defaults to the MDM approval page, wait 30 seconds for a user to click approve and then force a Jamf inventory update. Within a second of this inventory update the kernel config profile is installed successfully.

It does mean that we'll still have a manual process, but at present I don't see that we have any choice. Maybe Apple will listen and give enterprise customers a way to do this automatically without using DEP. You never know....


  • Valued Contributor
  • April 13, 2018

Will give that a whirl, thanks.


  • Valued Contributor
  • April 16, 2018

I have the extension attribute up and running, and my kernel extensions whitelist policy now only applies if the MDM profile reports as approved.

However, the prompt still comes up on screen to approve the application.

If I look, I still get:

TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
Still none the wiser as to what these 2 numbers mean; all I know is right now they are a 0 and a 4, and if I approve the extensions through the user interface they both change to a 1, and then the prompts go away.

Any ideas ?