Help

How to install kext using JSS on High Sierra?

anand
New Contributor II

Posted on ‎08-25-2017 12:27 AM

Hi jamf citizens,

Apple introduces the new kext restriction on High Sierra.

https://developer.apple.com/library/content/technotes/tn2459/_index.html#//apple_ref/doc/uid/DTS40017658

Above document describes how to install OSX software which has kext. The document recommends, boot macOS in recovery mode and configure TeamId using spctl command. It is practically difficult.

Our macOS client has kext and its deployment is highly depended up on the JSS.

I would like to know, is there any alternative like Microsoft driver signing which is not covered in this document? Or is there something different for jamf installation process?

Regards,
Anand Choubey

0 Kudos
6 REPLIES 6

bentoms
Release Candidate Programs Tester

Posted on ‎08-25-2017 12:39 AM

From: https://support.apple.com/en-gb/HT208019

In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra. In a future update to macOS High Sierra, you will be able to use MDM to enable or disable SKEL and to manage the list of kernel extensions which are allowed to load without user consent.

So as long as you're using the MDM part of the JSS, you'll be good.

0 Kudos

ftiff
Contributor

Posted on ‎08-25-2017 02:07 AM

Yes but: "In a future update to macOS High Sierra" !

So we're talking about a dot release later in the future. I hope it won't be with the now traditional ".3" enterprise update.

0 Kudos

rich_thomas
New Contributor III

Posted on ‎08-25-2017 05:37 AM

What they're saying is, nothing will change to begin with as long as the device is enrolled in the JSS. In future, you will be able to enable SKEL and manage it so that only sys admins can roll out kexts.

If I'm reading it right.

0 Kudos

gachowski
Valued Contributor II

Posted on ‎08-25-2017 09:57 AM

Deleted

0 Kudos

jhbush
Valued Contributor II

Posted on ‎08-25-2017 10:02 AM

@rich.thomas after a conversation with Apple yesterday I was told that administrators would be able to use a mobile config profile to manage whitelist / blacklist of kexts. This is not expected to be available at release but shortly after. It will be a new payload according to the SE that was doing the call.

0 Kudos

anand
New Contributor II

Posted on ‎08-27-2017 11:46 PM

Thanks for responses!

As Apple products are prevailing in Enterprise level, Apple should not introduce any such limitation which hurdles third party application deployment.

Regards,
Anand Choubey

0 Kudos