
@franton how on earth will we ever repay you?! Apple and Jamf should shower you with Bitcoins.



Kextpocalyse 2: The Remediation





What a way to quickly/easily inventory KEXTs on a computer...whether an OOB (baseline) or one with a bunch of stuff installed (to grow list of TeamID/BundleIDs).

Hello, as far as SEP is concerned, my experience is that the profile to whitelist kexts has to be distributed BEFORE installing it.
Hope it helps
Carlo


@thomast


thanks @carlo.anselmi . I'll try that and let you know how it goes. Maybe I'll try it on a fresh build just to verify.


So, I installed a second time after fully wiping SEP, and it didn't prompt me on the same machine. The allow button was still there, but it didn't throw any fits about needing to click it. I'll have to test a little more to make sure. However, it appears fine so far.


We are having the Kernel Extension issue (10.13.6) with the latest Sophos Endpoint software installer. Their remedy is to boot every device in Recovery Mode and run something in Terminal. Not an acceptable remedy, and impossible.



Trying the Configuration Profile route to approve the sophos kext



Awaiting the bundle IDs......


Awesome script! Little bug for me though, one of the apps I approved in my system prefs doesn't appear in the Kext script output?



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowUserOverrides</key>
<false/>
<key>AllowedTeamIdentifiers</key>
<array>
<string>268CCUR4WN</string>
<string>34JN824YNC</string>
<string>6HB5Y2QTA3</string>
<string>8R7PS6VYW7</string>
<string>DX6G69M9N2</string>
<string>EG7KH642X6</string>
<string>FC94733TZD</string>
<string>K3TDMD9Y6B</string>
<string>KBVSJ83SS9</string>
<string>NDGSU3WA4Y</string>
</array>
<key>AllowedKernelExtensions</key>
<dict>
<key>268CCUR4WN</key>
<array>
<string>com.promise.driver.stex</string>
</array>
<key>34JN824YNC</key>
<array>
<string>com.Areca.ArcMSR</string>
</array>
<key>6HB5Y2QTA3</key>
<array>
<string>com.hp.kext.hp-fax-io</string>
<string>com.hp.hpio.hp-io-printerclassdriver-enabler</string>
</array>
<key>8R7PS6VYW7</key>
<array>
<string>com.CalDigit.driver.HDPro</string>
</array>
<key>DX6G69M9N2</key>
<array>
<string>com.highpoint-tech.kext.HighPointIOP</string>
<string>com.highpoint-tech.kext.HighPointRR</string>
</array>
<key>EG7KH642X6</key>
<array>
<string>com.vmware.kext.vmioplug.17.3.0</string>
<string>com.vmware.kext.vmnet</string>
<string>com.vmware.kext.vmci</string>
<string>com.vmware.kext.vmx86</string>
<string>com.vmware.kext.vmioplug.17.1.5</string>
</array>
<key>FC94733TZD</key>
<array>
<string>com.ATTO.driver.ATTOExpressSASHBA2</string>
<string>com.ATTO.driver.ATTOCelerityFC8</string>
<string>com.ATTO.driver.ATTOExpressSASRAID2</string>
</array>
<key>K3TDMD9Y6B</key>
<array>
<string>com.Accusys.driver.Acxxx</string>
</array>
<key>KBVSJ83SS9</key>
<array>
<string>com.citrix.kext.gusb</string>
</array>
<key>NDGSU3WA4Y</key>
<array>
<string>com.softraid.driver.SoftRAID</string>
</array>
</dict>
</dict>
</plist>

We are attempting to push out the Sophos AV. I have added the KEXTs needed for this to run, but it is still failing Services, even though I can see the KEXTs loaded. I have run the script at the top of this post; I have some KEXTs that have nothing to do with Sophos, but I am wondering if they may have something to do with basic operations of I/O connectors.
Below I have the output of the script. All the Sophos Bundle IDs are added, but there are more listed in this result than in the "SELECT * FROM kext_policy;" command.
Will that make a difference?
When launched, Sophos says to approve the items in 'Privacy and Security', which is restricted. Short of disabling Security and Privacy, I am at the end of my knowledge base. Please train me....
Thoughts or ideas are more than welcome. Why can Apple not just bring back the "Allow from Anywhere" radio button?
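As an added example (not franton's script or any code posted in this thread), here is how rows from the kext_policy table mentioned above could be turned into the same payload shape as the profile quoted in this thread, keeping only kexts that were actually approved. The column order (team_id|bundle_id|allowed|developer_name|flags), the sample rows and the TEAM… identifiers are assumptions constructed for this example.

```python
"""Build a Kernel Extension Policy payload from kext_policy rows.
Added example for this thread (not the script it discusses). Assumes the
column order team_id|bundle_id|allowed|developer_name|flags, as sqlite3 prints it."""
import plistlib
from collections import defaultdict

# Constructed sample output of
#   sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy \
#        "SELECT * FROM kext_policy;"
# Every row, team IDs included, is invented for this example.
SAMPLE_KEXT_POLICY = """\
TEAM1AAAAA|com.vmware.kext.vmx86|1|VMware, Inc.|1
TEAM1AAAAA|com.vmware.kext.vmnet|1|VMware, Inc.|1
TEAM2BBBBB|com.sophos.kext.sav|1|Sophos|1
TEAM3CCCCC|com.example.unapproved|0|Example Corp|1
"""

def parse_kext_policy(text):
    """Parse pipe-separated rows into dicts; skip blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        team_id, bundle_id, allowed, developer, flags = parts
        rows.append({"team_id": team_id, "bundle_id": bundle_id,
                     "allowed": allowed == "1", "developer": developer,
                     "flags": int(flags)})
    return rows

def build_payload(rows, allow_user_overrides=False):
    """Keep only approved rows (allowed == 1) so an unapproved kext on the
    reference Mac is not whitelisted fleet-wide; group bundle IDs by team."""
    by_team = defaultdict(list)
    for row in rows:
        if row["allowed"] and row["bundle_id"] not in by_team[row["team_id"]]:
            by_team[row["team_id"]].append(row["bundle_id"])
    return {
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(by_team),
        "AllowedKernelExtensions": {t: sorted(b) for t, b in by_team.items()},
    }

def to_plist(payload):
    """Serialise as the XML plist embedded in the profile payload."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    print(to_plist(build_payload(parse_kext_policy(SAMPLE_KEXT_POLICY))).decode())
```

Reading the real database requires sudo, as noted further down in this thread; kexts that are loaded but absent from kext_policy simply do not appear in the output.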






@rhooper I have a thread about installing Sophos here - Approved Kernel Extensions still asking to be allowed



I have it working, but the Allow button is still visible, but the Endpoint is healthy and Green


Thank you!


@clegger06 You need to put sudo in front of the command. That is why you are getting the sqlite error.



Johnny


Love this... BUT...



Has anyone found a way to remotely re-enable a KEXT that a user may have not approved prior to pushing out a MDM config?



ie...



Device is enrolled in Jamf...
User had 10.13.4, etc.
IT pushed out something like Sophos
User got pop-up to approve KEXT
User did not approve
IT realized KEXT mobileconfig needs to be pushed
IT pushes mobileconfig
New devices get mobileconfig
New devices are not prompted
Old devices get mobileconfig
Old device KEXT still not approved



Anybody have any elegant leads on this?



So far, from what I'm reading, this is a whole lot of going to each device, going into Recovery mode and running some terminal commands.


I think once you've sent the Kext profile then it will just get approved anyway, that seems to be what I've found.


@caine.horr In the case of Sophos I'd say the best thing would be to re-install Sophos.
The approved kext should preferably be in place before the Sophos installation. Then the user would not get any notification or prompt for approval.
Our Sophos install is (and should be) based on a smart group that has the approved kext as a pre-requisite, and it works without issues or notifications.




Very nice thank you!