Skip to main content

Detailed step by step guide using Symantecs system extension as an example since that seemed to be most popular.

Creating this thread for everyone to share new found knowledge, best practices & management tactics all in one place as we venture into a new Kext-Less macOS.

WWDC System Extensions Keynote

https://developer.apple.com/system-extensions/

Click Here for a Great Breakdown of System Extensions from Scott Knight

To start, the best way I know of to obtain a list of system extensions that are present on the machine via terminal is the following command.

systemextensionsctl list

This command will produce the following information regarding system extensions.

enabled active  teamID  bundleID (version)  name    [state]

for a full example, using symantecs release for macOS 10.15, the following is populated

Hugonaut$ systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated enabled]

@hstanley Same here. Even when Broadcom system attention is allowed, SEP is not updating components and definitions (technically, not functioning) until someone manually lunches SEP client

@mhasman @hstanley Hopefully your SEP support team has already provide this info but just in case anyone else needs it; had the same issue with SEP 14.3 and apparently it's a known issue https://knowledge.broadcom.com/external/article?articleId=198559. Vendor's workaround is to run a post-install script that facilitates opening the GUI prior to the required restart.

@toconnor Thanks for the link! Our SEP support has not provided any info yet, so I appreciate you sharing.

I have SEP 14.3 running correctly in macOS 10.15. Just like in prior versions, you need the kernel extension and system extension whitelisted, as well as the proper PPPC settings. Also, leave all of your existing SEP whitelists and PPPC settings in place. Just add these to them.

Kernel Extension Team ID for Broadcom is now: Y2CCP3S9W7

System Extension Team ID for Broadcom is now: Y2CCP3S9W7
System Extension to be allowed is: com.broadcom.mes.systemextension

PPPC settings:
Identifier:
com.broadcom.mes.systemextension
Code Requirement:
identifier "com.broadcom.mes.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = Y2CCP3S9W7
(Allow access to ALL SystemPolicy services)

Identifier:
com.broadcom.sep.mainapp
Code Requirement:
identifier "com.broadcom.sep.mainapp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = Y2CCP3S9W7
(Allow access to ALL SystemPolicy services)

(This one below may not be necessary, but I included it anyway)
Identifier:
com.symantec.SymLUHelper
Code Requirement:
identifier "com.symantec.SymLUHelper" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "9PTGMPNXZ2"
(Allow access to ALL SystemPolicy services)

I also still have to have all of these config profiles present on the system BEFORE SEP 14.3 is installed, or else none of it works. So I have a system in place to make sure SEP never gets installed unless all of this is present. If anyone wants further info on it, I'd be happy to provide more.

@Hugonaut  Your posts have been very helpful, I keep seeing you pop when I'm searching for answers as a new jamf user, thank you.

Terms & ConditionsCookie settingsAccessibility statement