Hot off the press: Prepare for changes to kernel extensions in macOS High Sierra (Apple HT208019)

donmontalvo
Esteemed Contributor III

Hot off the press:

Prepare for changes to kernel extensions in macOS High Sierra
https://support.apple.com/en-us/HT208019

--
https://donmontalvo.com

psliequ
Contributor III

Seems like disabling SKEL with MDM enrollment is a good solution to the problem of getting untrusted kexts in place and at scale.

dpertschi
Valued Contributor
In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.

I read this as, simply enrolling into JAMF will disable SKEL. No?

donmontalvo
Esteemed Contributor III

@dpertschi si.

--
https://donmontalvo.com
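An added example for checking the state described above on a given Mac; this is not code from the thread, from Jamf or from Apple's HT208019. It assumes a macOS 10.13.4 or later box where `spctl kext-consent status` and `kextstat` exist, that the consent status line reads "Kernel Extension User Consent: ENABLED" or "DISABLED" (an assumption about the output format), and that the approved-kext policy database at /var/db/SystemPolicyConfiguration/KextPolicy has a `kext_policy` table with `team_id`, `bundle_id` and `allowed` columns (also an assumption; it needs root to read). The `kextstat` sample embedded for offline testing is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread or Apple's HT208019): report whether
# SKEL user consent is in force and which third-party kexts are loaded.
# Assumes macOS 10.13.4+ for `spctl kext-consent status`; DB schema below
# is an assumption and reading it needs root.

# Constructed sample of `kextstat` output, used for offline testing only.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   96 0xffffff7f80a40000 0x9e30     0x9e30     com.apple.kpi.bsd (17.0.0) AAAA <>
  120    0 0xffffff7f83a9c000 0x1e000    0x1e000    com.example.driver.Foo (1.2.3) BBBB <5 4 3 1>
  121    0 0xffffff7f83aba000 0x5000     0x5000     com.vendor.kext.Bar (4.0) CCCC <5 4 3 1>'

# Print bundle IDs of loaded kexts that are not Apple's own (com.apple.*).
# $1: kextstat text. Field 6 is the bundle ID; the header row has no dot there.
third_party_kexts() {
  printf '%s\n' "$1" | awk '$6 ~ /\./ && $6 !~ /^com\.apple\./ { print $6 }'
}

# Interpret `spctl kext-consent status` output (format is an assumption).
# Returns 0 when user consent is required (SKEL on), 1 when it is disabled
# (e.g. the Mac is MDM-enrolled), 2 when the text is unrecognised.
skel_enabled() {
  case "$1" in
    *DISABLED*) return 1 ;;
    *ENABLED*)  return 0 ;;
    *)          return 2 ;;
  esac
}

# Live run, only when the macOS tools are present (so the file also loads on
# other systems).
if command -v kextstat >/dev/null 2>&1; then
  echo "Third-party kexts currently loaded:"
  third_party_kexts "$(kextstat)"

  if command -v spctl >/dev/null 2>&1; then
    status=$(spctl kext-consent status 2>/dev/null || true)
    if skel_enabled "$status"; then
      echo "SKEL: user consent required (not disabled by MDM enrollment)"
    else
      echo "SKEL: disabled or status unknown: ${status:-<no output>}"
    fi
  fi

  # Approved-kext policy DB (assumed schema); lists team ID, bundle ID, allowed flag.
  db=/var/db/SystemPolicyConfiguration/KextPolicy
  if [ -r "$db" ] && command -v sqlite3 >/dev/null 2>&1; then
    sqlite3 "$db" 'SELECT team_id, bundle_id, allowed FROM kext_policy;'
  fi
fi
```

Run it as root on a test Mac before and after MDM enrollment; the useful comparison is the consent line, since the kext list itself does not change just because enrollment flips SKEL.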

gachowski
Valued Contributor II

uh... in beta 6 SKEL wasn't disabled... testing beta 7

C

alexjdale
Valued Contributor III

We don't perform MDM enrollment for our clients. MDM wasn't a thing when we started using JAMF and it never became part of our architecture since it didn't bring anything new to the table for us. Our JSS doesn't even have access to the Internet for security reasons.

Has anyone rolled out MDM enrollment late in the game? I'm very nervous that this will cause problems for us, but I have to handle SKEL somehow and the other options are untenable, requiring manual touch.

RobertHammen
Valued Contributor II

@alexjdale Once you get all of your ports open, shouldn't be a big deal to get it enabled. Pay attention to the MDM remediation part of @rtrouton's script here:

derflounder

You don't need to worry about removing old MDM profiles, but remediating new MDM profiles may be helpful.

kstrick
Contributor III

I'm thinking that although it disables it for users when enrolled in JSS, I think it also means that we will be able to control which ones are approved via the JSS, so we gain some institutional control.

RobertHammen
Valued Contributor II

@kstrick Needs a future version of macOS, with an updated MDM spec, to do that. Not to mention Jamf supporting the updated MDM spec, which they usually do right away...

kstrick
Contributor III

@RobertHammen yeah, I'm thinking long term.... we don't know if it would show up in 10.13.2 or 10.14.2, but at least the intention is there...

donmontalvo
Esteemed Contributor III

FYI...anyone confirm this?


--
https://donmontalvo.com