
Hi,

I've been trying to deploy McAfee ePO on High Sierra. Secure Kernel Extension Loading in High Sierra seems to block it, no matter whether I run

sudo spctl --master-disable

on the machine and change "Allow apps downloaded from" to "Anywhere";
the client still needs to allow this kernel extension manually.
Is there any way to allow it by command line or script?

Thanks,


Tag. Putting my name on here so I get updates on this thread. I heard that if you had an MDM profile, the user wouldn't be prompted for KEXT installs, and that this was the only way. Looking forward to hearing other thoughts on this issue.


@thoule

Which MDM profile should be run to prevent it? Is there a specific one?


A JAMF MDM profile (look at the computer in the JSS; does it say "MDM Capability: YES"?) would do it. Or boot to the recovery partition and run the spctl command.

https://developer.apple.com/library/content/technotes/tn2459/_index.html

How This Affects Enterprise App Distribution

For enterprise deployments where it is necessary to distribute software that includes kernel extensions without requiring user approval, there are two options:

If your workflow is based on imaging, boot into Recovery OS and use the spctl kext-consent command. For detailed information about the spctl command, run the command spctl help. This command can either disable the user approval requirement completely or specify a list of Team IDs whose KEXTs may be loaded without user approval. The spctl command works in any installation environment, including Recovery OS and from NetBoot/NetInstall/NetRestore images. Note that the Team ID list maintained by spctl is separate from the system-wide policy database.

For workflows that leverage mobile device management (MDM), all systems with a valid MDM profile installed will not require user approval to load any properly-signed kernel extension.

To reiterate, all third-party KEXTs that were already installed at the time of upgrading to macOS High Sierra are automatically approved and don't require any user action.

https://developer.apple.com/library/content/technotes/tn2459/_index.html

and especially

https://developer.apple.com/library/content/technotes/tn2459/_index.html#//apple_ref/doc/uid/DTS40017658-CH1-TNTAG4


Found a nice article explaining how to do it during imaging:
https://grahamgilbert.com/blog/2017/09/11/enabling-kernel-extensions-in-high-sierra/

@thoule I don't get how the "MDM Capability: YES" info will help me here. Can you be more detailed about whether there is any procedure that needs to be done?

Thanks


@m3ir, to echo @thoule, follow those steps to boot into the Recovery OS and disable the user approval requirement for KEXT installs.

Also, you can just go into Profiles from System Preferences and make sure the MDM profile has been approved. That alone should have bypassed the KEXT prompts if you didn't disable them using the steps in the link above. But either way, that MDM profile needs to be approved if you want to manage security settings.


Thanks Guys!
It seems "MDM Capability: NO" is the issue...


I have MDM capability: Yes and I am still seeing this.


Why not just build a configuration profile with a list of allowed developers? That's what we did. I got it deployed before most of my users upgraded to High Sierra 10.13.4. I followed the steps from this site to get the Team IDs for the extensions. I then created a configuration profile that contains the Team IDs that I collected. So far, it has worked very well.

https://grahamgilbert.com/blog/2017/09/11/enabling-kernel-extensions-in-high-sierra/
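The two approaches in this thread, the Recovery OS spctl kext-consent commands quoted from TN2459 above and the Team ID allow-list profile described in the previous post, both start from the same data: the Team ID of each third-party kext. The script below is an added example, not code from the thread, from Apple's technote or from Graham Gilbert's article. It parses the TeamIdentifier line of `codesign -dv --verbose=4` output, rejects Apple's own or unsigned kexts (which report "not set"), and prints both the spctl commands and the AllowedTeamIdentifiers keys of a com.apple.syspolicy.kernel-extension-policy payload for the collected IDs. The Team ID ABCDE12345, the bundle path and the bundle identifier in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, TN2459 or Graham Gilbert's post.
# From one list of Team IDs it emits (a) the `spctl kext-consent add`
# commands to run from Recovery OS and (b) the AllowedTeamIdentifiers part
# of a com.apple.syspolicy.kernel-extension-policy profile payload.

# Pull the Team ID out of `codesign -dv --verbose=4 <kext>` output read on
# stdin. Apple's own kexts and unsigned bundles print "TeamIdentifier=not set";
# those are rejected, since a Team ID is ten upper-case letters or digits.
team_id_from_codesign() {
  id=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
  printf '%s' "$id" | grep -Eq '^[A-Z0-9]{10}$' || return 1
  printf '%s\n' "$id"
}

# Live-system wrapper: codesign writes its report to stderr, hence 2>&1.
kext_team_id() {
  codesign -dv --verbose=4 "$1" 2>&1 | team_id_from_codesign
}

# Print the Recovery OS commands for the Team IDs given as arguments,
# one `add` per unique ID, preceded by a status check.
spctl_commands() {
  [ $# -gt 0 ] || return 1
  printf 'spctl kext-consent status\n'
  printf '%s\n' "$@" | sort -u | while IFS= read -r id; do
    printf 'spctl kext-consent add %s\n' "$id"
  done
}

# Emit the profile keys for the same IDs. AllowUserOverrides=false means the
# end user cannot approve a kext whose Team ID is outside the list.
kext_policy_payload() {
  [ $# -gt 0 ] || return 1
  printf '<key>AllowUserOverrides</key>\n<false/>\n'
  printf '<key>AllowedTeamIdentifiers</key>\n<array>\n'
  printf '%s\n' "$@" | sort -u | while IFS= read -r id; do
    printf '    <string>%s</string>\n' "$id"
  done
  printf '</array>\n'
}

# Constructed sample of codesign output (fictitious Team ID ABCDE12345) so the
# parser can be exercised without a Mac. On a real system feed the output of
# kext_team_id /Library/Extensions/SomeVendor.kext into the two emitters.
SAMPLE_CODESIGN='Executable=/Library/Extensions/Example.kext/Contents/MacOS/Example
Identifier=com.example.kext
Format=bundle with Mach-O thin (x86_64)
TeamIdentifier=ABCDE12345'

if [ "${1-}" = "--demo" ]; then
  tid=$(printf '%s\n' "$SAMPLE_CODESIGN" | team_id_from_codesign)
  spctl_commands "$tid" "$tid"
  kext_policy_payload "$tid"
fi
```

Run it with `--demo` to see the output for the constructed sample. The emitted keys go inside the profile's PayloadContent dictionary; the spctl list, as the technote says, lives apart from the system policy database, so a machine imaged with kext-consent and one managed by the profile are approved through different mechanisms and should be checked with `spctl kext-consent status` and the profile's installed state respectively.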


@howie_isaacks That not only makes sense but also follows Apple's standards; see here: https://support.apple.com/en-us/HT208019


@howie_isaacks

Hi

How did you make this work?
I am still having some issues.
Can you share some screen shots?

Thanks


The issue has been resolved.
Thanks!


@PE2000 Here's a screenshot. It's simple. I'm using the Approved Kernel Extensions payload. I add a display name, and then fill in the Team ID of the developer who made the extensions I want to approve. I scoped the extension to all Macs running macOS High Sierra 10.13.4 or above.