Hi jamf citizens,
Apple introduces the new kext restriction on High Sierra.
The above document describes how to install OSX software which has a kext. The document recommends booting macOS in recovery mode and configuring the TeamId using the spctl command. It is practically difficult.
Our macOS client has a kext and its deployment is highly dependent upon the JSS.
I would like to know, is there any alternative like Microsoft driver signing which is not covered in this document? Or is there something different for jamf installation process?
In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra. In a future update to macOS High Sierra, you will be able to use MDM to enable or disable SKEL and to manage the list of kernel extensions which are allowed to load without user consent.
So as long as you're using the MDM part of the JSS, you'll be good.
What they're saying is, nothing will change to begin with as long as the device is enrolled in the JSS. In future, you will be able to enable SKEL and manage it so that only sys admins can roll out kexts.
If I'm reading it right.
@rich.thomas after a conversation with Apple yesterday I was told that administrators would be able to use a mobile config profile to manage whitelist / blacklist of kexts. This is not expected to be available at release but shortly after. It will be a new payload according to the SE that was doing the call.
Thanks for the responses!
As Apple products are prevailing at the Enterprise level, Apple should not introduce any such limitation which hinders third-party application deployment.