Blocked Extensions in Mojave Deployments

RedWings
Contributor

Is there any way using JAMF Pro to automatically accept third party Extensions with a JAMF Pro deployment?

Especially for Standard users.

mack525
Contributor II

@RedWings This should help you for now: PPPC Utility

Hugonaut
Valued Contributor II

Yes, you can deploy pre-approved kernel extensions with a configuration profile.

Jamf Pro Dashboard -> Computers -> Configuration Profile -> Create New & Select the Pane for 'Approved Kernel Extensions'

Here is a list provided by the community of everything you need: https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=1070689...
i.e. Bundle & Team ID (see below screenshot). If you cannot find your bundle ID / team ID on the list, you can utilize the thread I linked below the screenshot to locate this information from the kernel extension itself on a computer that has it installed already.

Here is a thread with a lot of information: https://www.jamf.com/jamf-nation/discussions/29646/how-to-kernel-extension-in-high-sierra

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

RedWings
Contributor

@Hugonaut Thanks! Not sure how I never saw this!

Hugonaut
Valued Contributor II

@RedWings you're welcome! - hockey allegiance aside #GoFlyers haha

RedWings
Contributor

Question, what's the easiest way to find the Bundle and Team ID for software? I have some software that isn't on this list:

https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=1070689416

iRyan23
New Contributor III

@RedWings This is the site I used to help get all the info needed to make the config profile:

https://technology.siprep.org/getting-the-team-id-of-kernel-extensions-in-macos-10-13-and-higher/

Here is another one that also looks helpful if the first one looks too confusing:

https://derflounder.wordpress.com/2018/04/12/whitelisting-third-party-kernel-extensions-using-profil...

RedWings
Contributor

Found them! Thanks!

EliasG
Contributor

So if I push this out to users, they will not get the block message and have to go system pref, security and allow?

fsjjeff
Contributor II

@RedWings "Question, what's the easiest way to find the Bundle and Team ID for software? I have some software that isn't on this list"

I was just working on this today. Assuming the info is not available at the link posted earlier, the easiest way I found was to install it on a test machine, then run codesign against the extension where it gets installed in /Library/StagedExtensions.

codesign -dv --verbose=4 /Library/StagedExtensions/path/to/extension

Assuming it's been code signed (older ones might not be), it should spit out something like the following, where you can copy out the TeamIdentifier and BundleID:

Executable=/Library/StagedExtensions/Library/Extensions/ATTOCelerityFC8.kext/Contents/MacOS/ATTOCelerityFC8
Identifier=com.ATTO.driver.ATTOCelerityFC8
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=4223 flags=0x0(none) hashes=126+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=444ce105c5ddd388d1f107b86213550b52ed662f
CandidateCDHash sha256=1038e4fd79ea657c355aeccf7a2dff9395e2657b
Hash choices=sha1,sha256
Page size=4096
CDHash=1038e4fd79ea657c355aeccf7a2dff9395e2657b
Signature size=8966
Authority=Developer ID Application: ATTO Technology, Inc. (FC94733TZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 15, 2016 at 11:09:18 AM
Info.plist entries=21
TeamIdentifier=FC94733TZD
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=192
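
The lookup described in the reply above, as an added example that is not part of the original thread: a POSIX shell helper that reads `codesign -dv --verbose=4` output and prints the Team ID and Bundle ID only when the extension is signed and its TeamIdentifier matches the ID in the first Authority line. The function names, the mismatch check and the handling of `TeamIdentifier=not set` are assumptions of this example; the sample text is trimmed from the output quoted above.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are this example's own.

# Reads `codesign -dv --verbose=4` output on stdin and prints
# "<TeamID><TAB><BundleID>". Exits 1 when the kext is unsigned, reports
# "TeamIdentifier=not set", or when the Team ID is not the one shown in
# parentheses on the first (signing certificate) Authority line.
kext_ids() {
    awk -F= '
        $1 == "Identifier"              { id = $2 }
        $1 == "TeamIdentifier"          { team = $2 }
        $1 == "Authority" && leaf == "" { leaf = $2 }
        END {
            if (id == "" || team == "" || team == "not set") exit 1
            if (index(leaf, "(" team ")") == 0) exit 1
            printf "%s\t%s\n", team, id
        }'
}

# Walks the given directories for *.kext bundles (macOS only, needs codesign).
# codesign writes the -dv report to stderr, hence 2>&1.
scan_kexts() {
    find "$@" -name '*.kext' -type d -prune 2>/dev/null |
    while IFS= read -r kext; do
        if ids=$(codesign -dv --verbose=4 "$kext" 2>&1 | kext_ids); then
            printf '%s\t%s\n' "$ids" "$kext"
        else
            printf 'SKIPPED (unsigned or Team ID mismatch)\t%s\n' "$kext" >&2
        fi
    done
}

# Sample input: lines trimmed from the codesign output quoted in the post above.
sample_codesign_output() {
    cat <<'EOF'
Executable=/Library/StagedExtensions/Library/Extensions/ATTOCelerityFC8.kext/Contents/MacOS/ATTOCelerityFC8
Identifier=com.ATTO.driver.ATTOCelerityFC8
Authority=Developer ID Application: ATTO Technology, Inc. (FC94733TZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=FC94733TZD
EOF
}

# With directory arguments (e.g. /Library/StagedExtensions /Library/Extensions)
# scan a test Mac; with none, run the parser on the embedded sample.
if [ "$#" -gt 0 ]; then scan_kexts "$@" | sort -u; else sample_codesign_output | kext_ids; fi
```

Review the skipped entries on stderr by hand before adding anything for them to the Approved Kernel Extensions payload.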