How to System Extension in macOS

Hugonaut
Valued Contributor II

Detailed step by step guide using Symantecs system extension as an example since that seemed to be m...

Creating this thread for everyone to share new found knowledge, best practices & management tactics all in one place as we venture into a new Kext-Less macOS.

WWDC System Extensions Keynote

https://developer.apple.com/system-extensions/

Click Here for a Great Breakdown of System Extensions from Scott Knight

To start, the best way I know of to obtain a list of system extensions that are present on the machine via terminal is the following command.

systemextensionsctl list

This command will produce the following information regarding system extensions.

enabled active  teamID  bundleID (version)  name    [state]

for a full example, using symantecs release for macOS 10.15, the following is populated

Hugonaut$ systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated enabled]
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month
55 REPLIES 55

Hugonaut
Valued Contributor II

@joelsenders I have smart groups setup for each operating system. I then have a separate configuration profile categories for each os.

for example, I have a Mojave Smart Group & Catalina Smart Group. I then have separate categories of configuration profiles, a Mojave Category & Catalina Category. Each category has almost identical Configuration profiles, every new OS I create them all again & cater to whats needed. So the Mojave Config Categories profiles are explicitly scoped to Mojave Machines & Same goes for Catalina.

When the Mojave machine runs the upgrade & then becomes Catalina, at first login or first check in as catalina, all Mojave profiles are removed & it lays down the new configuration profiles, including the new symantec profile.

That method is working for me.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

joelsenders
New Contributor III

@Hugonaut Thanks for the response. I've got a similar setup; the problem is that once the system extension is installed on Catalina, the system extension whitelist doesn't work. It still requires the user to approve it.

It's like there is a race condition; Once Catalina is installed, the whitelist profile needs to come down BEFORE the SEP system extension gets installed. Otherwise it doesn't work. I've got a machine right now in this condition, and there is nothing I can do to whitelist the system extension other than to manually approve it. The whitelist profile does nothing.

Hugonaut
Valued Contributor II

very strange. I had no issue laying down the system extension profile payload on a catalina machine that already had sep installed. It worked so I never dove deeper. I would like to see what other people share about this

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

joelsenders
New Contributor III

I appreciate your report. I am going to spin up some VMs and do some more testing.

spalmer
Contributor III

After reading posts on the #symantec channel on the MacAdmins Slack team and here I think there may be some differences in the SEP client based on where you get it.

If you don't use a Management Console Server and download standalone/unmanaged version of the installer from MySymantec (or whatever Broadcom calls it now), like we do, you get a single installer that works for both macOS 10.14 and macOS 10.15 that installs a version of SEP that has both the Kernel Extension and System Extension.

If you download from a Management Console it sounds like you get two versions of the installer, one for macOS 10.14 and older and one for macOS 10.15 and newer. However, I can't verify the second method as we don't have a Management Console Server.

joelsenders
New Contributor III

@spalmer Yes you are correct. We have a SEPM, and it provides us with two different client installers. However, both identify as the same version. From what I can see, the Mojave and below installer doesn't install the system extension into /Library/SystemExtensions (obviously since it's not supported). The Catalina version does. However, the Mojave and below installer installs the system extension into /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions. It would seem that when a machine that has this version is then upgraded to Catalina, the SEP client recognizes that it needs this system extension, and installs it itself (by copying from /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions into /Library/SystemExtensions). That way, a new client install is not necessary when you upgrade to Catalina. This seems like a good idea. I could be wrong on how this works, but that has been in accordance with all of my testing.

My issue is still that the system extension whitelist simply doesn't work. The machine I am typing from currently has all of the whitelist profiles (system extension, kernel extension, PPPC) but still asks me to manually approve in System Preferences > Security and Privacy.

goadeff
New Contributor

SEP client asking for manual approval of system extension and privacy preferences after upgrade to macOS 10.15, despite the correct configuration policies being in place? The related *.systemextension type is new in Catalina; it doesn't run in earlier macOS versions. I would expect that the OS upgrade would re-check policy against the new extension. But it doesn't. Remains to be seen whether this is a Symantec or Apple bug. And the following isn't really a fix, but demonstrates how to get macOS to re-query the configuration policy: un/re-install SEP but don't use the RemoveSymantecMacFiles tool because it does not handle the newer systemextension. As a matter of fact, the current version of this tool will stop and ask you to use the application's uninstaller if it detects a newer Symantec product. You can still run RSMF afterward.

ATTENTION: You must use the uninstall option in your product's "Symantec Endpoint Protection" menu.

...
ea13acad61a9485e9072e6c70b1759e3

Older versions of RSMF won't warn you, and won't reset the stuck "waiting for user authorization" and re-installing SEP will put you back where you started.

alexander2020
New Contributor

Is there a way to check if a mdm profile with an approved system extension is installed on MacOS?
Approved kext can be found in the file /var/db/SystemPolicyConfiguration/KextPolicy. Is there something similar for System Extensions?

mhasman
Valued Contributor

Hello,

With SEP 14.3 MP1, Broadcom system extension is needed to be added.

Did you get it working?

hstanley
New Contributor III

@mhasman I'm seeing the same with SEP 14.3 MP1--even though I have the Broadcom system extension whitelisted via config profile. Edited to add: I didn't have this problem with the system extension being blocked with SEP 14.3.

I'm also seeing the same old issue with SEP 14.3 MP1 where even after the Broadcom system extension is allowed, it doesn't actually install/activate until after someone launches the SEP client for a moment. (This is confirmed by running 'sudo systemextensionsctl list' in Terminal before and after launching the SEP client.) We have had a case open with Broadcom since 6/30/2020, but it's going nowhere.

mhasman
Valued Contributor

@hstanley Same here. Even when Broadcom system attention is allowed, SEP is not updating components and definitions (technically, not functioning) until someone manually lunches SEP client

toconnor
New Contributor II

@mhasman @hstanley Hopefully your SEP support team has already provide this info but just in case anyone else needs it; had the same issue with SEP 14.3 and apparently it's a known issue https://knowledge.broadcom.com/external/article?articleId=198559. Vendor's workaround is to run a post-install script that facilitates opening the GUI prior to the required restart.

hstanley
New Contributor III

@toconnor Thanks for the link! Our SEP support has not provided any info yet, so I appreciate you sharing.

joelsenders
New Contributor III

I have SEP 14.3 running correctly in macOS 10.15. Just like in prior versions, you need the kernel extension and system extension whitelisted, as well as the proper PPPC settings. Also, leave all of your existing SEP whitelists and PPPC settings in place. Just add these to them.

Kernel Extension Team ID for Broadcom is now: Y2CCP3S9W7

System Extension Team ID for Broadcom is now: Y2CCP3S9W7
System Extension to be allowed is: com.broadcom.mes.systemextension

PPPC settings:
Identifier:
com.broadcom.mes.systemextension
Code Requirement:
identifier "com.broadcom.mes.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = Y2CCP3S9W7
(Allow access to ALL SystemPolicy services)

Identifier:
com.broadcom.sep.mainapp
Code Requirement:
identifier "com.broadcom.sep.mainapp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = Y2CCP3S9W7
(Allow access to ALL SystemPolicy services)

(This one below may not be necessary, but I included it anyway)
Identifier:
com.symantec.SymLUHelper
Code Requirement:
identifier "com.symantec.SymLUHelper" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "9PTGMPNXZ2"
(Allow access to ALL SystemPolicy services)

I also still have to have all of these config profiles present on the system BEFORE SEP 14.3 is installed, or else none of it works. So I have a system in place to make sure SEP never gets installed unless all of this is present. If anyone wants further info on it, I'd be happy to provide more.

ShaneJ
New Contributor

@Hugonaut  Your posts have been very helpful, I keep seeing you pop when I'm searching for answers as a new jamf user, thank you.