Approved Kernel Extensions on Big Sur

dennisnardi
Contributor

I thought apps that installed kernel extensions were being replaced with system extensions in Big Sur, but from what I'm seeing Box Drive and Cisco AnyConnect (4.9) are still installing as kexts. I installed both on a freshly wiped Big Sur machine and both prompt to allow the extension to be installed, and after reboot

kextstat | grep -v com.apple

shows the 2 approved extensions, while

systemextensionsctl list

shows nothing.

I have a config profile set up that was working on Catalina to automatically approve these kernel extensions, but that doesn't seem to work on Big Sur. I've tried using just the team ID and the team ID + the bundle ID, and get the same behavior. I did check the "FIELD_ALLOW_NON_ADMIN_USER_APPROVALS" option, and can approve these as a non-admin at least.

I've also set up an approved system extension config profile and have tried just the team ID and the team ID + bundle ID, and I still can't get these extensions to be approved automatically.

I'm using Jamf cloud on 10.25.1. Is this just Big Sur being not officially supported on this release, or am I missing something?
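The two commands in the post are what you run by hand; the script below is an added example (not from the thread, and not Jamf, Cisco or Box code) that parses the output of `kextstat` and `systemextensionsctl list`, lists the non-Apple kexts that are loaded and the System Extensions that are activated, and flags any extension whose Team ID is not on an allowlist. Because it has to run offline here, the two outputs are constructed samples with placeholder Team IDs (`ABCDE12345`, `ZZZZZ99999`) and placeholder bundle IDs (`com.example.vpn.*`); only `com.box.filesystems.osxfuse` comes from the thread. Run it with `--live` on a Mac to read the real commands instead.

```shell
#!/bin/sh
# Added example, not from the thread: audit loaded third-party kexts and activated
# System Extensions, then flag anything whose Team ID is not on the allowlist.
# The sample outputs below are constructed; their Team IDs and bundle IDs are
# placeholders, not real vendor identifiers.

# Team IDs your configuration profile pre-approves (placeholders).
ALLOWED_TEAM_IDS="ABCDE12345 FGHIJ67890"

# Constructed sample of `kextstat` on Big Sur (which wraps `kmutil showloaded`).
SAMPLE_KEXTSTAT='Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  150 0xffffff8000000000 0x0        0x0        com.apple.kpi.bsd (20.1.0) <>
  158    0 0xffffff7f9c6b1000 0x6000     0x6000     com.example.vpn.kext (4.9.01095) 1111AAAA-2222-BBBB-3333-CCCCDDDDEEEE <5 4 3>
  160    0 0xffffff7f9c6c4000 0x18000    0x18000    com.box.filesystems.osxfuse (3.11.0) 4444FFFF-5555-AAAA-6666-BBBBCCCCDDDD <8 6 5 3 1>'

# Constructed sample of `systemextensionsctl list`; its columns are tab-separated.
tabline() { printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }
SAMPLE_SYSEXT=$(
  printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.network_extension'
  tabline enabled active teamID 'bundleID (version)' name '[state]'
  tabline '*' '*' ABCDE12345 'com.example.vpn.sysext (4.9.03047/4.9.03047)' 'Example VPN Socket Filter' '[activated enabled]'
  tabline ''  ''  ZZZZZ99999 'com.example.unapproved.sysext (1.0/1.0)' 'Unapproved Filter' '[activated waiting for user]'
)

# Bundle IDs of loaded kexts that are not Apple's, from kextstat output on stdin.
# Data rows start with a numeric index; column 6 is the bundle ID.
third_party_kexts() {
  awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ { print $6 }'
}

# "teamID bundleID [state]" for each System Extension, from systemextensionsctl output on stdin.
# Data rows have six tab-separated fields and a 10-character Team ID in column 3;
# column 4 is "bundleID (version)", so keep only the part before the space.
listed_sysexts() {
  awk -F'\t' 'NF >= 6 && length($3) == 10 { split($4, b, " "); print $3, b[1], $6 }'
}

# Mark each System Extension OK or DENY depending on whether its Team ID is allowlisted.
unapproved_sysexts() {
  listed_sysexts | while read -r team bundle state; do
    case " $ALLOWED_TEAM_IDS " in
      *" $team "*) printf 'OK   %s %s\n' "$team" "$bundle" ;;
      *)           printf 'DENY %s %s\n' "$team" "$bundle" ;;
    esac
  done
}

if [ "${1:-}" = "--live" ]; then
  kextstat | third_party_kexts
  systemextensionsctl list | unapproved_sysexts
else
  printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
  printf '%s\n' "$SAMPLE_SYSEXT" | unapproved_sysexts
fi
```

On the sample data this prints the two non-Apple kexts, then `OK` for the allowlisted Team ID and `DENY` for the unknown one. Wrapped in a Jamf extension attribute, the `DENY` lines are a quick way to spot machines where a vendor shipped an extension under a Team ID your profile does not cover.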

1 ACCEPTED SOLUTION

MLBZ521
Contributor III

Jamf believes they have same-day support for Big Sur: https://www.jamf.com/blog/macos-big-sur-same-day-support/

That said, each vendor has to replace their KEXT with a System Extension. Big Sur isn't automatically converting those.

AnyConnect v4.9.03047 can use either a System Extension or KEXT. While it should prompt you to allow the SysExt, you can also deploy a Config Profile to pre-approve it. Cisco provides a sample profile for AnyConnect as it needs more than just the SysExt Payload (see: AnyConnect macOS 11 Big Sur Advisory).

Regarding KEXT functionality on Big Sur: your Config Profiles allow the KEXT to be used. The user still has to approve it and restart to load it. It does not work like it did in Catalina. (Thank Apple.) Otherwise, non-MDM enrolled devices cannot run KEXTs without booting into Recovery, lowering their Security level, and then approving each KEXT.

Apple really wants to annoy, I mean, is trying to force vendors to replace their KEXTs by inconveniencing users.

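The accepted answer says the fix is a profile that pre-approves the identifiers, with a Kernel Extension Policy payload for the legacy kext and a System Extension Policy payload for the new extension. The script below is an added example (not from the thread, and not Jamf's or Cisco's sample profile) that generates such a .mobileconfig from a Team ID and two bundle IDs. The Team ID `ABCDE12345`, the bundle IDs `com.example.vpn.kext` / `com.example.vpn.sysext`, the `com.example.mdm` identifier prefix and the `NetworkExtension` type are placeholders; take the real values from the vendor's advisory or from `systemextensionsctl list`. It covers only the two approval payloads; as the answer notes, a vendor's own sample profile may carry additional payloads beyond these.

```shell
#!/bin/sh
# Added example, not from the thread or from Jamf, Cisco or Box: generate a
# .mobileconfig that pre-approves one vendor's kernel extension (Kernel Extension
# Policy payload) and its System Extension (System Extension Policy payload).
# All identifiers below are placeholders; replace them with the vendor's real values.

TEAM_ID="ABCDE12345"                        # placeholder Developer Team ID
KEXT_BUNDLE_ID="com.example.vpn.kext"       # placeholder kext bundle ID
SYSEXT_BUNDLE_ID="com.example.vpn.sysext"   # placeholder System Extension bundle ID
SYSEXT_TYPE="NetworkExtension"              # DriverExtension | NetworkExtension | EndpointSecurityExtension
ORG_PREFIX="com.example.mdm"                # placeholder reverse-DNS prefix for PayloadIdentifier

# Fresh UUID for each payload; falls back to a fixed value where no generator exists.
new_uuid() {
  uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null \
    || echo "00000000-0000-4000-8000-000000000000"
}

# Kernel Extension Policy: allows the Team ID and the specific kext bundle ID.
# AllowNonAdminUserApprovals lets standard users click Allow for kexts that still prompt.
kext_policy_payload() {
  cat <<EOF
    <dict>
      <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadIdentifier</key><string>${ORG_PREFIX}.kext-policy</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>Kernel Extension Policy</string>
      <key>AllowUserOverrides</key><true/>
      <key>AllowNonAdminUserApprovals</key><true/>
      <key>AllowedTeamIdentifiers</key>
      <array><string>${TEAM_ID}</string></array>
      <key>AllowedKernelExtensions</key>
      <dict>
        <key>${TEAM_ID}</key>
        <array><string>${KEXT_BUNDLE_ID}</string></array>
      </dict>
    </dict>
EOF
}

# System Extension Policy: allows the Team ID, the specific extension and its type.
sysext_policy_payload() {
  cat <<EOF
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>PayloadIdentifier</key><string>${ORG_PREFIX}.sysext-policy</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>System Extension Policy</string>
      <key>AllowUserOverrides</key><true/>
      <key>AllowedTeamIdentifiers</key>
      <array><string>${TEAM_ID}</string></array>
      <key>AllowedSystemExtensions</key>
      <dict>
        <key>${TEAM_ID}</key>
        <array><string>${SYSEXT_BUNDLE_ID}</string></array>
      </dict>
      <key>AllowedSystemExtensionTypes</key>
      <dict>
        <key>${TEAM_ID}</key>
        <array><string>${SYSEXT_TYPE}</string></array>
      </dict>
    </dict>
EOF
}

# Top-level device profile (PayloadScope System) wrapping both payloads.
build_profile() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>${ORG_PREFIX}.extension-approvals</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Extension approvals (${TEAM_ID})</string>
  <key>PayloadContent</key>
  <array>
$(kext_policy_payload)
$(sysext_policy_payload)
  </array>
</dict>
</plist>
EOF
}

build_profile > extension-approvals.mobileconfig
```

On a Mac, `plutil -lint extension-approvals.mobileconfig` checks the plist before you upload it to Jamf as a custom profile. Keeping both payloads in one profile means a vendor build that still ships the kext (as the 4.9.01095 build in this thread does) and a later build that ships the System Extension are both covered without touching the profile again.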

8 REPLIES

jgaitherccu
New Contributor III

Noticed the same behavior on my test machines with AnyConnect.

dennisnardi
Contributor

Ahhh, thank you! I wasn't aware of the new behavior regarding kexts. My institution is still running 4.9.01095, so it's still installing solely as a kext and not a system extension. So all that makes sense now.

MLBZ521
Contributor III

Yeah, there are known issues with previous versions of AnyConnect. There may even still be issues, but I believe most are related to other integrations with AnyConnect and not base VPN functionality. That said, I've been using it for a few weeks now without issue, but we don't use any of said integrations.

jfisher
New Contributor II

Does anyone have the "Allowed System Extension" item (it's kind of like a URL)? I tried using the same one I had in the original KEXT (com.box.filesystems.osxfuse) but it's causing a new error where I can either Open Console or Terminate Box Drive (see below).

cainehorr
Contributor III

So the BIG question is, is there a way to automate the approval process and defer the reboot until ALL SEs are loaded?

Much software has some form of KEXT/SE these days. Imagine a new deployment with 5, 6, 10 reboots... ANNOYING!

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

cainehorr
Contributor III

I see this, but not certain if it's going to help or not...

https://support.apple.com/en-us/HT211860

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

cwaldrip
Valued Contributor

So, reading that Apple KB it looks like you have to have your M1 machines enrolled in ABM if you want to manage the kext/SE's through Jamf. Otherwise you'll be rebooting to recovery and manually making a change on each machine. Shouldn't be an issue, but I know my resellers are painfully slow to get machines into ABM (Adorama, I'm looking at you!). :-