Question

Hot off the press: Prepare for changes to kernel extensions in macOS High Sierra (Apple HT208019)

  • August 21, 2017
  • 10 replies
  • 73 views

donmontalvo

Hot off the press:

Prepare for changes to kernel extensions in macOS High Sierra
https://support.apple.com/en-us/HT208019

10 replies

  • Contributor
  • August 21, 2017

Seems like disabling SKEL with MDM enrollment is a good solution to the problem of getting untrusted kexts in place and at scale.


dpertschi
  • Contributor
  • August 21, 2017
In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.

I read this as, simply enrolling into JAMF will disable SKEL. No?


donmontalvo
  • Author
  • Hall of Fame
  • August 21, 2017

  • Honored Contributor
  • August 21, 2017

uh... in beta 6 SKEL wasn't disabled... testing beta 7

C


  • Contributor
  • August 21, 2017

We don't perform MDM enrollment for our clients. MDM wasn't a thing when we started using JAMF and it never became part of our architecture since it didn't bring anything new to the table for us. Our JSS doesn't even have access to the Internet for security reasons.

Has anyone rolled out MDM enrollment late in the game? I'm very nervous that this will cause problems for us, but I have to handle SKEL somehow and the other options are untenable, requiring manual touch.


RobertHammen
  • Esteemed Contributor
  • August 21, 2017

@alexjdale Once you get all of your ports open, shouldn't be a big deal to get it enabled. Pay attention to the MDM remediation part of @rtrouton's script here:

derflounder

You don't need to worry about removing old MDM profiles, but the remediating new MDM profiles may be helpful.


  • Valued Contributor
  • August 31, 2017

I'm thinking that although it disables it for users when enrolled in JSS, I think it also means that we will also be able to control which ones are approved via the JSS, so we gain some institutional control.


RobertHammen
  • Esteemed Contributor
  • August 31, 2017

@kstrick Needs a future version of macOS, with an updated MDM spec, to do that. Not to mention Jamf supporting the updated MDM spec, which they usually do right away...


  • Valued Contributor
  • August 31, 2017

@RobertHammen Yeah, I'm thinking long term.... We don't know if it would show up in 10.13.2 or 10.14.2, but at least the intention is there...


donmontalvo
  • Author
  • Hall of Fame
  • September 22, 2017

FYI...anyone confirm this?