Posted on 08-25-2017 12:27 AM
Hi jamf citizens,
Apple introduces the new kext restriction on High Sierra.
https://developer.apple.com/library/content/technotes/tn2459/_index.html#//apple_ref/doc/uid/DTS40017658
The above document describes how to install OS X software which has a kext. The document recommends booting macOS in recovery mode and configuring the TeamId using the spctl command. It is practically difficult.
Our macOS client has a kext and its deployment is highly dependent upon the JSS.
I would like to know, is there any alternative like Microsoft driver signing which is not covered in this document? Or is there something different for the jamf installation process?
Regards,
Anand Choubey
Posted on 08-25-2017 12:39 AM
From: https://support.apple.com/en-gb/HT208019
In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra. In a future update to macOS High Sierra, you will be able to use MDM to enable or disable SKEL and to manage the list of kernel extensions which are allowed to load without user consent.
So as long as you're using the MDM part of the JSS, you'll be good.
Posted on 08-25-2017 02:07 AM
Yes, but: "In a future update to macOS High Sierra"!
So we're talking about a dot release later in the future. I hope it won't be with the now traditional ".3" enterprise update.
Posted on 08-25-2017 05:37 AM
What they're saying is, nothing will change to begin with as long as the device is enrolled in the JSS. In future, you will be able to enable SKEL and manage it so that only sys admins can roll out kexts.
If I'm reading it right.
Posted on 08-25-2017 10:02 AM
@rich.thomas After a conversation with Apple yesterday, I was told that administrators would be able to use a mobile config profile to manage a whitelist / blacklist of kexts. This is not expected to be available at release but shortly after. It will be a new payload according to the SE that was doing the call.
Posted on 08-27-2017 11:46 PM
Thanks for the responses!
As Apple products are prevailing at the Enterprise level, Apple should not introduce any such limitation which hinders third-party application deployment.
Regards,
Anand Choubey