Kernel extensions and "Allow remote management of kernel extensions" option in Recovery

lisanelson2
New Contributor III

Hello,

We have an old piece of hardware (I say old – it's from 2019) that doesn't have newer software, so it still has kernel extensions instead of system extensions. I can't mandate replacing the hardware, so I'm stuck with it.

I'm trying to figure out how to get the software to install under Sonoma on a Silicon Mac. I have found plenty of stuff that says that I have to boot into Recovery, go to the Startup Security Utility, and check the box "Allow remote management of kernel extensions and automatic software updates". But of course naturally I want to automate this, not have to have somebody go around and do this.

The JAMF article about managing legacy kernel extensions includes this baffling item:

"Note: Enrolling computers with JAMF Pro via a PreStage Enrollment can automatically enable this setting. No further action is needed."

"CAN automatically enable." What does that even mean? There's nothing about how to do it, and I can't find any settings in my pre-stage enrollment that seem to have anything to do with it. And I can't find any further documentation!

Does anybody know how JAMF can be persuaded to change "can" into "will"?

Thanks,
Lisa.

3 REPLIES

scottb
Honored Contributor

I don't understand the above tbh, but what software are you running that needs Kernel Extensions?

I would hope your software library is current and has none...

That said, just EACS the Mac and install Sonoma. Whatever you're running in Jamf will install upon enrollment on a clean system...

Maybe I don't get your ask, so post back.

AJPinto
Esteemed Contributor

To install KEXTs you need to disable SIP, then do the thing and turn SIP back on. There is no way to do this within the OS. You may not be able to mandate hardware updates, but you likely have final say on what software can exist. Simply tell the BU this software will no longer function or be allowed on new devices due to not meeting current application development standards and move on. If the application has not been updated since 2019, I am sure your security infrastructure would love to know about that application.

scottb
Honored Contributor

Yeah, no KernExt...I'm sure most 2019 Macs can run Sonoma, and any software worth 2¢ won't have those any longer...

What @AJPinto said...