How to install kext using JSS on High Sierra?

anand
New Contributor II

Hi jamf citizens,

Apple introduced a new kext restriction in High Sierra.

https://developer.apple.com/library/content/technotes/tn2459/_index.html#//apple_ref/doc/uid/DTS40017658

The above document describes how to install OS X software that has a kext. The document recommends booting macOS in recovery mode and configuring the Team ID using the spctl command. It is practically difficult.

Our macOS client has a kext, and its deployment is highly dependent on the JSS.

I would like to know: is there any alternative, like Microsoft driver signing, that is not covered in this document? Or is there something different for the Jamf installation process?

Regards,
Anand Choubey

6 REPLIES

bentoms
Release Candidate Programs Tester

From: https://support.apple.com/en-gb/HT208019

In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra. In a future update to macOS High Sierra, you will be able to use MDM to enable or disable SKEL and to manage the list of kernel extensions which are allowed to load without user consent.

So as long as you're using the MDM part of the JSS, you'll be good.
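A pre-flight check for the situation discussed above, added here as an example and not code from the thread or from Jamf: before pushing a kext through a policy, confirm whether SKEL is disabled (the MDM-enrolled state) or, failing that, whether the vendor's Team ID is already on the spctl consent list. The `codesign -dv --verbose=4` and `spctl kext-consent status|list` commands are the ones TN2459 documents; the parsing functions take their output as text so the logic can be exercised on constructed samples, and the exact output wording is an assumption.

```shell
#!/bin/sh
# Added example: decide whether a kext will load on High Sierra without a
# user-consent prompt. Parsing is separated from the live tool calls so the
# functions can be checked against constructed output on any system.

# Pull the TeamIdentifier out of `codesign -dv --verbose=4 <bundle>` output.
# Prints nothing for an unsigned bundle.
team_id_from_codesign() {
  printf '%s\n' "$1" | awk -F= '/^TeamIdentifier=/ { print $2; exit }'
}

# True when `spctl kext-consent status` reports SKEL disabled; this is the
# state HT208019 describes for a Mac enrolled in MDM on High Sierra.
skel_disabled() {
  printf '%s\n' "$1" | grep -q 'DISABLED'
}

# True when the Team ID ($1) appears in `spctl kext-consent list` output ($2).
team_id_allowed() {
  printf '%s\n' "$2" | grep -qw "$1"
}

# Verdict: "load" (no prompt expected), "prompt" (user approval will be
# required in Security & Privacy), or "unsigned" (no Team ID, cannot be allowed).
kext_verdict() {
  tid=$(team_id_from_codesign "$1")
  [ -n "$tid" ] || { echo unsigned; return; }
  if skel_disabled "$2" || team_id_allowed "$tid" "$3"; then
    echo load
  else
    echo prompt
  fi
}

# Live run when invoked with a kext path on a Mac that has the tools.
if [ -n "$1" ] && command -v spctl >/dev/null 2>&1; then
  kext_verdict "$(codesign -dv --verbose=4 "$1" 2>&1)" \
               "$(spctl kext-consent status 2>&1)" \
               "$(spctl kext-consent list 2>&1)"
fi
```

Run as `sh kext-preflight.sh /Library/Extensions/Vendor.kext`; a "prompt" result means the policy will leave the kext blocked until a user approves it.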

ftiff
Contributor

Yes, but: "In a future update to macOS High Sierra"!

So we're talking about a dot release later in the future. I hope it won't be with the now traditional ".3" enterprise update.

rich_thomas
New Contributor III

What they're saying is, nothing will change to begin with as long as the device is enrolled in the JSS. In future, you will be able to enable SKEL and manage it so that only sys admins can roll out kexts.

If I'm reading it right.

gachowski
Valued Contributor II

Deleted

jhbush
Valued Contributor II

@rich.thomas, after a conversation with Apple yesterday, I was told that administrators would be able to use a mobile config profile to manage a whitelist / blacklist of kexts. This is not expected to be available at release, but shortly after. It will be a new payload, according to the SE who was doing the call.

anand
New Contributor II

Thanks for responses!

As Apple products are prevalent at the enterprise level, Apple should not introduce any such limitation that hinders third-party application deployment.

Regards,
Anand Choubey