How To Kernel Extension in High Sierra
Couldn't find an All in One Place regarding Kernel Extension information so here we go. Creating this thread so everyone can Chip In Best Practices. - Link to a thread like this if im wrong about not having a thread like this so we arent redundant
via gui you can do the following
I believe 10.13 & up you can locate them at /Library/StagedExtensions/Library/Extensions
You can then find the BundleID by right clicking the kernel extension you want & select show package contents, then in contents directory you can open the .plist and view
for Team ID I only know this way - https://technology.siprep.org/getting-the-team-id-of-kernel-extensions-in-macos-10-13-and-higher/
In terminal run
then once in db run following command
SELECT * FROM kext_policy;
it will produce the Team ID & associated KEXTS
What are methods / best practices you use?
I was looking into this earlier in the year! JSS version 10.6 allows you to deploy a config profile for Kernel extensions. Once you create it and scope if a new Kernel Extention is needed just update already deployed one and it will update all your endpoint.
I'm using this CP for deploying KEXT for SEP 14.2 , Pulse Secure 9.0.2 and NextGen AV
hope this helps
Has anyone encountered an issue where they unchecked the "Allow users to approve kernel extensions" and now the option to "Allow" in Security & Privacy no longer appears. I have rechecked the box and pushed it back out but even after restarting I am unable to get the "Allow" to show.
The only fix I have found so far, is to touch every machine and reboot into recovery, go to terminal, and enter "spctl kext-consent disable"
Background: I was trying to make it to where Sophos didn't require the user to click "Allow" after installation. Added the team ID alone didn't fix at first, I disabled the "Allow users to approve kernel extensions" and it stopped appearing. I then ran into the issue on other machines a day or so later where the "Allow" option wouldn't appear at all for software that we didn't already have approved extensions established for.
Any assistance would be great.
So has anybody seen teh Kernel extentions not working after an in place upgrade from 10.13.3 to 10.14.3?
The Config Profile says Completed before I start the upgrade.
I was also thinking maybe because 10.13.3 doesn't know about Kernel Extensions, so then how do you make the timing work?
If you're using the Jamf-supplied PPPC profile that automatically installs after a user logs into Mojave for the first time post-upgrade, just make a smart group and scope your Kext profile to the presence of the PPPC profile. That should make sure the profile gets there quickly.
@szultzie Profiles generally only apply their magic once. 10.13.3 didn't know anything about UAKELs so when you pushed the profile to those machines it ignored it. As such, the profile won't magically wake up when you update/upgrade to 10.13.4+. Same with PPPC in 10.14.0+
What we do is scope UAKEL whitelist profiles only to machines ≥10.13.4. PPPC profiles scoped only to ≥10.14.0. The idea is you don't want to push a profile to a machine that doesn't know what to do with it.
Does the sucessful use of this profile done thru Jamf's built in Kernel Extension whitelist mean that the pop up does not show? Or does it mean that the pop up does show but that the user can allow without unlocking the Security tab in System Preferences? I'm testing this with McAfee on 10.13.6 using only the TeamIdentifier GT8P3H7SPW. The pop up still shows when in install McAfee 10.6.2 on a system but users can hit allow. Is this right? Should the pop show or not show at all?
The sqlite command you are using its second column values give you the Bundle Id of the software, why double the work. Use the following command on the sqlite prompt to find out the fields of the 'kext_policy' table.
The following lines are copied from my computer.
sqlite> SELECT * from kext_policy;
TXAEAV5RN4|com.epson.driver.EPSONProjectorMPPAudio|1|Seiko Epson Corporation|1
sqlite> PRAGMA table_info(kext_policy);