HP Package at enrollment and KExt

Sandy
Valued Contributor II

Hi,
I am working on new laptop deployment with DEP, Catalina, trying to reduce clicks and suppress all confusing popups πŸ™‚
I have a Config Profile with third party extensions and team IDs including the only one I have found for HP.
I also have the box checked to allow users to approve System Extensions in that profile.
I have hp-printer-essentials-S-5_14_6 installing at enrollment and it is asking for approval and a regular user cannot approve. The Kext config profile is installed. The other interesting thing is that there are HP drivers installed so it looks like it installed despite the need for approval button...

15 REPLIES 15

cbrewer
Valued Contributor II

Does your Approved Kernel Extensions look like this?
2db534b9a4cc48d5b5eb2b192d85bdfc

Sandy
Valued Contributor II

@cbrewer

I did not include optional bundle IDs. D
9a4f9dbc4305475a868d73f27e029410
o you think that would fix this?

cbrewer
Valued Contributor II

According to documentation, no, you shouldn't need Bundle ID's. But I prefer only allowing what you must.

Sandy
Valued Contributor II

So then adding Bundle IDs would be more limiting, and unlikely to fix this issue (though a good idea πŸ™‚

cbrewer
Valued Contributor II

I'm installing that same package via policy without issue but typically when it's installed no user is currently logged in.

petestanley
New Contributor III

Only found this page after figuring out myself but landed on the same solution as @cbrewer.

Shouldn't have any issues with the latest "Essential Drivers" from HP Easy Admin and the Approved Kernel Extensions:

com.hp.kext.hp-fax-io
com.hp.hpio.hp-io-printerclassdriver-enabler

Team ID: 6HB5Y2QTA3

dstranathan
Valued Contributor II

Looks like you are talking about 2 things here: Kernel Extensions and System Extensions here.

MrRoboto
Contributor II

Installing the HP Essentials package on an M1 Mac running Big Sur (has config profiles whitelisting the HP Team ID for both Kext and SysExts, not explicitly listing the extensions) shows a prompt "System Extension Block" (this really means Kext but Big Sur gui always says system extension?). Same setup on a T2 Mac or older Intel Mac and no prompt at all.

Is this the expected behaviour? On M1 with Big Sur the end user always has to allow Kexts? I guess this is Apple's way of upsetting users until the developers move from Kext to SysExts?

dstranathan
Valued Contributor II

I have seen this issue on our (2) M1 test Macs in IT. Usually, this error pops up behind our DEPNotify GUI at enrollment/deployment once the HP pkgs are installed.

I have both System Extensions and Kernel Extensions approved via Jamf MDM profiles with HPs Team ID '6HB5Y2QTA3' and Extension Type 'Driver Extension' But haven't configured granular extension names.

I haven't seen any other options yet. Not sure if this is an HP or Apple issue/bug.

MrRoboto
Contributor II

One more issue, when trying to install a KEXT profile to M1 Mac it fails with "The operation couldn’t be completed. (SPErrorDomain error 10.)", System Extensions profile installs okay. No problems at all on Intel Macs.

dstranathan
Valued Contributor II

@MrRoboto I have see that behavior too.

MrRoboto
Contributor II

@dstranathan I found a couple other posts about the configuration profile install issue. Looks like it may be related to PI-009052: (Third-Party Issue) Configuration profiles with Kernel Extension Policy payloads may fail to install on computers with M1 chips if the computer cannot receive a Bootstrap Token from Jamf Pro during profile installation. Additionally, Startup Security settings must be set to allow MDM to manage legacy kernel extensions.

dstranathan
Valued Contributor II

What does "Startup Security settings must be set to allow MDM to manage legacy kernel extensions" mean?

Unlike Catalina (and earlier), macOS Big Sur (on ARM or X86) cant load kernel extensions at all, correct?

MrRoboto
Contributor II

More info here: https://www.jamf.com/jamf-nation/articles/793/manage-legacy-kernel-extensions-in-macos-11-using-jamf-pro

igarcia
New Contributor

M1 machines do not allow KEXT by default, only system ext.

According to Apple, you'll need to contact your MDM to allow them.

https://support.apple.com/guide/deployment-reference-macos/kernel-extensions-in-macos-apd37565d329/web