Jamf Nation Community

@cbrewer

I did not include optional bundle IDs. D

o you think that would fix this?

According to documentation, no, you shouldn't need Bundle ID's. But I prefer only allowing what you must.

So then adding Bundle IDs would be more limiting, and unlikely to fix this issue (though a good idea :)

I'm installing that same package via policy without issue but typically when it's installed no user is currently logged in.

Only found this page after figuring out myself but landed on the same solution as @cbrewer.

Shouldn't have any issues with the latest "Essential Drivers" from HP Easy Admin and the Approved Kernel Extensions:

com.hp.kext.hp-fax-io
com.hp.hpio.hp-io-printerclassdriver-enabler

Team ID: 6HB5Y2QTA3

Looks like you are talking about 2 things here: Kernel Extensions and System Extensions here.

Installing the HP Essentials package on an M1 Mac running Big Sur (has config profiles whitelisting the HP Team ID for both Kext and SysExts, not explicitly listing the extensions) shows a prompt "System Extension Block" (this really means Kext but Big Sur gui always says system extension?). Same setup on a T2 Mac or older Intel Mac and no prompt at all.

Is this the expected behaviour? On M1 with Big Sur the end user always has to allow Kexts? I guess this is Apple's way of upsetting users until the developers move from Kext to SysExts?

I have seen this issue on our (2) M1 test Macs in IT. Usually, this error pops up behind our DEPNotify GUI at enrollment/deployment once the HP pkgs are installed.

I have both System Extensions and Kernel Extensions approved via Jamf MDM profiles with HPs Team ID '6HB5Y2QTA3' and Extension Type 'Driver Extension' But haven't configured granular extension names.

I haven't seen any other options yet. Not sure if this is an HP or Apple issue/bug.

One more issue, when trying to install a KEXT profile to M1 Mac it fails with "The operation couldn’t be completed. (SPErrorDomain error 10.)", System Extensions profile installs okay. No problems at all on Intel Macs.

@MrRoboto I have see that behavior too.

@dstranathan I found a couple other posts about the configuration profile install issue. Looks like it may be related to PI-009052: (Third-Party Issue) Configuration profiles with Kernel Extension Policy payloads may fail to install on computers with M1 chips if the computer cannot receive a Bootstrap Token from Jamf Pro during profile installation. Additionally, Startup Security settings must be set to allow MDM to manage legacy kernel extensions.

What does "Startup Security settings must be set to allow MDM to manage legacy kernel extensions" mean?

Unlike Catalina (and earlier), macOS Big Sur (on ARM or X86) cant load kernel extensions at all, correct?

More info here: https://www.jamf.com/jamf-nation/articles/793/manage-legacy-kernel-extensions-in-macos-11-using-jamf-pro

M1 machines do not allow KEXT by default, only system ext.

According to Apple, you'll need to contact your MDM to allow them.

https://support.apple.com/guide/deployment-reference-macos/kernel-extensions-in-macos-apd37565d329/web