Question

Approved KEXT under Monterey

  • January 5, 2022
  • 7 replies
  • 43 views


I thought that approved KEXT through MDM clients (i.e. Jamf) were still doable.

But the approved KEXT configuration policies I've tried to set up for my Monterey test machine all fail. Is this expected behavior? Are KEXT finally dead-dead?

And without a log to help me figure out why, how else can I troubleshoot config profiles that fail to load?

7 replies

junjishimazaki

Hi, there are applications that still use kernel extensions. Are you testing this on an Intel or Apple Silicon Mac?


daniel_ross
  • Jamf Heroes
  • January 11, 2022

KEXTs only work on 11.6.2 and below from what we see.  We finally had to start targeting 11.6.2 and lower to ensure no failed KEXT errors.


  • Author
  • Valued Contributor
  • January 11, 2022

Ugh, crazy couple of work days UNRELATED to this.

@junjishimazaki - Seems to be on both x86 and arm64.
@Daniel11 I'm seeing similar I think. At least with 11.4 I get extension popups even with config profiles to allow kext and sext (do we have a better abbreviation for system extension - yuck).

Although with the KEXT MDM profiles installed Security says I need a reboot to allow... which makes a little more sense. Maybe I just need to throw a restart after the 'imaging' workflow (DEPNotify) is finished. 🤔 🤔


  • Contributor
  • January 12, 2022

I use SysExt in my docs... rather than sext... *grin*

 


jonw
  • New Contributor
  • January 21, 2022

@cwaldrip   I just ran into this myself updating an app with a Kext on Monterey (Tuxera NTFS on Intel iMac) and remembered for a 'true silent install' a reboot with the policy payload > Restart Options > 'MDM Restart with Kernel Cache Rebuild' is now a requirement, in addition to having pre-approved Kext profile in place and the computer being enrolled in ADE/DEP.  See this for more details: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web

I should clarify - this is working for me on Intel (I have yet to test on Apple Silicon)

 


  • Author
  • Valued Contributor
  • January 21, 2022

Yeah, I just found that the other day too. Once I read about it again I did the classic forehead slap.


jonw
  • New Contributor
  • January 21, 2022

Good to hear!  Just to add to future read-alongs I've been testing and thought I'd mention, it's working for me on Silicon as well.  However, for picky Kexts (like Tuxera) that don't load on boot/login but only once a user touches it, adding the optional kext path to the MDM Restart payload should in theory prevent user prompts to approve.  However in this case (on Silicon) it didn't work for me and I had to 'fake' load the kext using this command post-app-install but pre-MDM restart:

kmutil load -p /Library/Filesystems/tuxera_ntfs.fs/Contents/Resources/Support/10.9/tuxera_ntfs.kext

This essentially simulates a user triggering the kext load which in this case was necessary for the kext cache to rebuild properly.  Maybe it has to do with me installing while at the login window (education labs)?  I don't know, I'm just happy it's working.
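
The pre-restart step described in the last reply, sketched as a post-install policy script (an added example, not code posted by anyone in the thread). The function name `stage_kext`, its return codes, the overridable `KMUTIL` variable and the use of script parameter `$4` for the kext path are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): request a kext load after the app
# install and before the "MDM Restart with Kernel Cache Rebuild" policy step.
# Assumes it runs as root, as a management policy script normally does.

# Overridable so the logic can be exercised off-device (assumption of this sketch).
KMUTIL="${KMUTIL:-/usr/bin/kmutil}"

# stage_kext <path-to-.kext>
# Return codes (this script's own convention):
#   0  kmutil accepted the load request
#   1  path is missing or is not a .kext bundle directory
#   2  kmutil is not available on this machine
#   3  kmutil exited non-zero
stage_kext() {
    kext_path="$1"

    # Refuse anything that is not a .kext bundle, so a bad policy parameter
    # never reaches kmutil.
    case "$kext_path" in
        *.kext) ;;
        *) echo "not a .kext bundle: $kext_path" >&2; return 1 ;;
    esac
    [ -d "$kext_path" ] || { echo "kext bundle not found: $kext_path" >&2; return 1; }

    command -v "$KMUTIL" >/dev/null 2>&1 || { echo "kmutil not found: $KMUTIL" >&2; return 2; }

    # Same command as in the reply above: kmutil load -p <bundle path>.
    if "$KMUTIL" load -p "$kext_path"; then
        echo "kext load requested: $kext_path"
        return 0
    fi

    # Surface the failure in the policy log instead of hiding it.
    echo "kmutil load failed for: $kext_path" >&2
    return 3
}

# Run only when a kext path is supplied as parameter 4 (assumed to be the
# first custom script parameter of the policy).
if [ -n "${4:-}" ]; then
    stage_kext "$4"
fi
```

Logging each outcome separately gives the policy log something to show when the load step is the part that failed.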