How do I approve a Kernel Extension during imaging

aburrow
Contributor

Trying to deploy Sophos Endpoint as part of a Configuration using Imaging, with the changes to Kernel Extensions and the requirement to approve them. The current process is for the person running the Configuration to manually approve the Kext when Sophos installs and the Mac prompts. I am deploying a "Configuration Profile" which works on existing machines but doesn't apply during the Configuration. Is there a way to force the Configuration Profile to apply during the Configuration before the Sophos install?


kerouak
Valued Contributor

You could package up a kext whitelist configuration profile??

Have a look at this:
https://www.jamf.com/jamf-nation/discussions/23349/can-you-package-a-configuration-profile

tjhall
Contributor III

We don't use imaging anymore, but Sophos has never worked well to deploy using imaging since it calls in to the Sophos server during installation (which it can't do during imaging), so it has to be installed post-imaging.
This is how we do it: the Sophos installation is based on a smart group which checks if a pre-approved KEXT config is installed already (which contains the approved Sophos kext). If that exists, the Sophos installation happens.
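An added example (not code from the thread) of the gating tjhall describes: a Jamf Extension Attribute that reports whether the kext-approval configuration profile is installed, so a smart group can scope the Sophos policy on its value. The profile identifier is a placeholder, and the check parses the output of `profiles -P`, which needs root (extension attributes already run as root).

```bash
#!/bin/bash
# Jamf Extension Attribute (added example, not from the thread): report whether
# the kernel-extension-policy profile is present on this Mac. A smart group on
# "Approved" can then gate the Sophos install policy.
# Assumption: the identifier below is a placeholder; use your own profile's.

KEXT_PROFILE_ID="com.example.kext-policy"   # placeholder, not a real Sophos value

# profile_present OUTPUT IDENTIFIER
# Scans `profiles -P` output for a computer-level profile with IDENTIFIER.
# Returns 0 when found, 1 otherwise. Takes the output as an argument so the
# logic can be exercised with constructed sample text off the box.
profile_present() {
    local output="$1" wanted="$2"
    printf '%s\n' "$output" \
        | grep -E '^_computerlevel\[[0-9]+\] attribute: profileIdentifier: ' \
        | awk '{print $NF}' \
        | grep -qxF "$wanted"
}

# ea_result OUTPUT IDENTIFIER -> prints the <result> value Jamf stores
ea_result() {
    if profile_present "$1" "$2"; then
        printf '<result>Approved</result>\n'
    else
        printf '<result>Not Approved</result>\n'
    fi
}

# Only query the live system on macOS; `profiles` does not exist elsewhere.
if command -v profiles >/dev/null 2>&1; then
    ea_result "$(profiles -P 2>/dev/null)" "$KEXT_PROFILE_ID"
fi
```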

allanp81
Valued Contributor

I believe a kext whitelist config profile can only be applied via an MDM server and only if the MDM profile has been user approved. You cannot install a config profile from the terminal/via a pkg etc.

kerouak
Valued Contributor

@allanp81

ummm.. MDM server....

This is Jamf Nation.. ie.. jamfpro??

Hugonaut
Valued Contributor II

@allanp81 is correct regarding user-approved MDM settings - the following might work without the profile being user approved because it's being placed by a package and set by the root user

BUT call me crazy, you can try this - off the cuff so don't hold me to it & please correct me where I'm wrong - not done coffee yet

Create a Policy. Policy will consist of a Package & Script.

Package - Create a package with the Sophos KEXT deployed to the correct directory, i.e. /System/Library/Extensions/SOPHOSKEXTHERE.kext

Script - Have a script run after package deployment modifying the KEXT.

pre 10.13 (I think)

```bash
#!/bin/bash
# Fix ownership and permissions so the kext passes kextload's checks
sudo chmod -R 755 /System/Library/Extensions/SOPHOSKEXTHERE.kext
sudo chown -R root:wheel /System/Library/Extensions/SOPHOSKEXTHERE.kext
# Load the kext now
sudo kextload /System/Library/Extensions/SOPHOSKEXTHERE.kext
# Remove the stale kext caches (absolute paths; -f so a missing file is not an error)
sudo rm -Rf /System/Library/Extensions.kextcache
sudo rm -Rf /System/Library/Extensions.mkext
# Make Sure To Reboot Machine to Refresh Caches
# sudo shutdown -r now
```

Mac 10.13+

```bash
#!/bin/bash
# Fix ownership and permissions on the staged kext
sudo chmod -R 755 /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
sudo chown -R root:wheel /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
# Load the kext now
sudo kextload /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
# Rebuild the kext caches for the boot volume
sudo kextcache -i /
# Make Sure To Reboot Machine to Refresh Caches
# sudo shutdown -r now
```

sshort
Valued Contributor

A DEP-enrolled Mac (or user-approved MDM/user-initiated enrollment) is the base requirement for installing the kernel extension whitelist profiles. I would create the profile, and then use the new feature in Jamf 10.10 to have the config profile install during prestage so that it's in place before a user gets to the desktop (and Sophos is installed).

Check out this article: https://derflounder.wordpress.com/2018/04/12/whitelisting-third-party-kernel-extensions-using-profil...

https://docs.jamf.com/10.10.0/jamf-pro/release-notes/What's_New.html

achristoforatos
Contributor II

Would using Jamf 10.9 with a system running Mac OS 10.14 throw the error "The profile's payload did not validate properly."? It was working prior to the Mac OS 10.14 update.

allanp81
Valued Contributor

I haven't seen that error, but I would presume that if it's trying to apply a setting that isn't valid for 10.14 then it would throw up that error?