Approved KEXT under Monterey

cwaldrip
Valued Contributor

I thought that approved KEXT through MDM clients (i.e. Jamf) were still doable.

But the approved KEXT configuration profiles I've tried to set up for my Monterey test machine all fail. Is this expected behavior? Are KEXT finally dead-dead?

And without a log to help me figure out why, how else can I troubleshoot config profiles that fail to load?


junjishimazaki
Valued Contributor

Hi, there are applications that still use kernel extensions. Are you testing this on an Intel or Apple Silicon Mac?

daniel_ross
Contributor III

KEXTs only work on 11.6.2 and below from what we see. We finally had to start targeting 11.6.2 and lower to ensure no failed KEXT errors.

cwaldrip
Valued Contributor

Ugh, crazy couple of work days UNRELATED to this.

@junjishimazaki - Seems to be on both x86 and arm64.
@Daniel I'm seeing similar I think. At least with 11.4 I get extension popups even with config profiles to allow kext and sext (do we have a better abbreviation for system extension - yuck).

Although with the KEXT MDM profiles installed, Security says I need a reboot to allow... which makes a little more sense. Maybe I just need to throw a restart after the 'imaging' workflow (DEPNotify) is finished. 🤔

I use SysExt in my docs... rather than sext... *grin*


@cwaldrip   I just ran into this myself updating an app with a Kext on Monterey (Tuxera NTFS on Intel iMac) and remembered for a 'true silent install' a reboot with the policy payload > Restart Options > 'MDM Restart with Kernel Cache Rebuild' is now a requirement, in addition to having pre-approved Kext profile in place and the computer being enrolled in ADE/DEP.  See this for more details: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web

I should clarify - this is working for me on Intel (I have yet to test on Apple Silicon)
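To check whether that workflow actually landed on a given machine (profile delivered, kext allowed, kext loaded after the MDM restart with kernel cache rebuild), here is an added shell script. It is an example written for this thread, not something posted by the participants or shipped by Jamf or Apple. It assumes the KextPolicy SQLite database at /var/db/SystemPolicyConfiguration/KextPolicy with its kext_policy and kext_policy_mdm tables (team_id, bundle_id, allowed columns), and that `kmutil showloaded` accepts `--bundle-identifier`; the bundle IDs in the constructed sample rows are placeholders. Reading the database requires root.

```shell
#!/bin/sh
# Added example (not from the thread): verify kext pre-approval state on macOS.
# Assumption: the KextPolicy DB lives at this path and exposes the tables
# kext_policy (user approvals) and kext_policy_mdm (approvals pushed by MDM).
KEXT_POLICY_DB=/var/db/SystemPolicyConfiguration/KextPolicy

# Pure parser, testable offline: takes rows in sqlite3's default
# "team_id|bundle_id|allowed" format and prints allowed / denied / absent
# for the requested bundle identifier.
kext_policy_state() {
    bundle="$1"
    rows="$2"
    printf '%s\n' "$rows" | awk -F'|' -v b="$bundle" '
        $2 == b { found = 1; state = ($3 == 1) ? "allowed" : "denied" }
        END { print (found ? state : "absent") }'
}

# Query one of the two policy tables on the live system. Returns "absent"
# when the DB is unreadable (not root, or not macOS at all).
kext_table_state() {
    table="$1"
    bundle="$2"
    rows=""
    if [ -r "$KEXT_POLICY_DB" ] && command -v sqlite3 >/dev/null 2>&1; then
        rows=$(sqlite3 "$KEXT_POLICY_DB" \
            "select team_id, bundle_id, allowed from $table;")
    fi
    kext_policy_state "$bundle" "$rows"
}

# Is the kext currently loaded? Assumption: kmutil showloaded supports
# --bundle-identifier (it does on Big Sur and later in my reading of the
# man page); on a non-macOS host this simply reports "not loaded".
kext_loaded() {
    bundle="$1"
    if command -v kmutil >/dev/null 2>&1 &&
       kmutil showloaded --list-only --bundle-identifier "$bundle" 2>/dev/null |
       grep -q "$bundle"; then
        echo "loaded"
    else
        echo "not loaded"
    fi
}

# One-screen report: did the MDM profile reach the policy DB, did the user
# (or the kernel cache rebuild) end up with it allowed, and is it loaded now.
report_kext() {
    bundle="$1"
    printf 'MDM policy table : %s\n' "$(kext_table_state kext_policy_mdm "$bundle")"
    printf 'User policy table: %s\n' "$(kext_table_state kext_policy "$bundle")"
    printf 'Currently loaded : %s\n' "$(kext_loaded "$bundle")"
    # Assumption: the MDM client logs under the com.apple.ManagedClient
    # subsystem; this surfaces profile install errors when the Jamf UI
    # gives you nothing to work with.
    if command -v log >/dev/null 2>&1; then
        log show --last 1h --style compact \
            --predicate 'subsystem == "com.apple.ManagedClient"' 2>/dev/null |
            grep -i -E 'kext|error' | tail -n 20
    fi
}

# Constructed sample rows (placeholder team ID and bundle IDs) showing the
# three states the parser distinguishes.
SAMPLE_ROWS='ABCDE12345|com.example.allowed.kext|1
ABCDE12345|com.example.denied.kext|0'

if [ "$#" -ge 1 ]; then
    report_kext "$1"
fi
```

Run it as root with the kext's bundle identifier as the only argument (for the Tuxera case that is the CFBundleIdentifier from the kext's Info.plist). "absent" in the MDM table means the pre-approval profile never reached the machine, "denied" in the user table means someone clicked through the prompt, and "allowed" but "not loaded" is the situation the kernel cache rebuild restart is meant to fix.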


cwaldrip
Valued Contributor

Yeah, I just found that the other day too. Once I read about it again I did the classic forehead slap.

jonw
Contributor

Good to hear! Just to add to future read-alongs, I've been testing and thought I'd mention it's working for me on Silicon as well. However, for picky Kexts (like Tuxera) that don't load on boot/login but only once a user touches it, adding the optional kext path to the MDM Restart payload should in theory prevent user prompts to approve. However, in this case (on Silicon) it didn't work for me and I had to 'fake' load the kext using this command post-app-install but pre-MDM restart:

kmutil load -p /Library/Filesystems/tuxera_ntfs.fs/Contents/Resources/Support/10.9/tuxera_ntfs.kext

This essentially simulates a user triggering the kext load which in this case was necessary for the kext cache to rebuild properly.  Maybe it has to do with me installing while at the login window (education labs)?  I don't know, I'm just happy it's working.