Kextpocalyse 2: The Remediation [Blog post by our own @franton]

donmontalvo
Esteemed Contributor II

@franton how on earth will we ever repay you?! Apple and Jamf should shower you with Bitcoins.

Kextpocalyse 2: The Remediation

What a way to quickly/easily inventory KEXTs on a computer...whether an OOB (baseline) or one with a bunch of stuff installed (to grow list of TeamID/BundleIDs).

--
https://donmontalvo.com

macbentosh
New Contributor III

Per my interpretation of Apple's docs, you need both. Almost like a Team ID and then a definition of what .kext the Team ID covers.

gachowski
Valued Contributor II

In our testing we just used the Team ID and it looks like it's working... with a different AV vendor...

C

allanp81
Valued Contributor

So I have this working "fine" by adding the team IDs to a configuration profile, but...

WHY WHY WHY Apple!!! Because the MDM profile applied via Jamf Pro has to be user approved, the config profile with the kext exceptions then fails to apply and just shows under the management tab for a machine as failed. It seemingly then never installs until I manually click to remove the failed message.

Is this as expected? If this is how it's going to be then I'm making a serious consideration to never upgrade any of our existing machines to High Sierra as this is getting ridiculous.

macbentosh
New Contributor III

Well, it depends on enrollment. Enrolling with DEP works and requires no action. Enrolling with Recon or /enroll will require you to accept an install. Upgrading to 10.13.4 with machines already enrolled will convert to a user-authorized enrollment.

FUN!!!

allanp81
Valued Contributor

@macbentosh Yes sadly none of those answers match our setup so we're screwed essentially.

HNTIT
Contributor II

I have the exact same issue.

Background :
JAMF Pro 10.2.2
OSX 10.13.4
Non DEP Deployed
MDM Profile HAS been approved.

I have gathered all the Data required.

TV3T7A76P4|com.cososys.driver.EPPDeviceController|0|CoSoSys|4
TV3T7A76P4|com.cososys.eppclient.eppkauth|0|CoSoSys|4
TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
6HB5Y2QTA3|com.hp.kext.io.enabler.compound|1|HP Inc.|0
AH4XFXJ7DK|com.fortinet.fct.kext.avkern2|0|Fortinet, Inc|4
AH4XFXJ7DK|com.fortinet.kext.fctrouternke|0|Fortinet, Inc|4
AH4XFXJ7DK|com.fortinet.fct.kext.fctapnke|0|Fortinet, Inc|4

I have Created a Kernel Extension Profile and it has deployed successfully.

I STILL get prompted for these Extensions on the machine.

I have tried having the Profile use Just the ID, and also the bundles, neither option actually works.

Has anyone got any ideas ?

HNTIT
Contributor II

Odd discovery

In the output from the database, there are 2 numbers in each line, the first is a 0 and the second a 4 (Except the HP one) when deployed by the Profile.

If I respond to the prompt and manually approve the Extensions, both numbers change to a 1.

Not sure of the significance of the numbers, but this may well have something to do with it.

KyleEricson
Valued Contributor

I'm having the exact same issue with sophos av.


allanp81
Valued Contributor

I have come up with a solution that I think will work for us for the time being:

By following the guide at "https://derflounder.wordpress.com/2018/03/30/detecting-user-approved-mdm-using-the-profiles-command-line-tool-on-macos-10-13-4/#more-9616" to create a new extension attribute to recognise if a device has been user approved or not, I have come up with a way to at least make some of it simpler if you are still imaging the old fashioned way.

I have created a simple app that is distributed to the management account desktop during the imaging. Once a Mac is imaged and obviously enrolled in MDM, we can then just log in, run the app and hey presto, MDM is approved and the kernel extension config profile is then applied.

What the app actually does is just open the System Preferences>Profiles pane which defaults to the MDM approval page, waits 30 seconds for a user to click approve and then forces a jamf inventory update. Within a second of this inventory update the kernel config profile is installed successfully.

It does mean that we'll still have a manual process but at present I don't see we have any choice. Maybe Apple will listen and give enterprise customers a way to do this automatically without using DEP. You never know....
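The manual step above hinges on knowing whether the MDM profile has been user approved yet, which is what the linked derflounder extension attribute checks. The following is an added example, not allanp81's app and not from the blog post: a POSIX shell extension attribute that classifies the output of `profiles status -type enrollment` (the 10.13.4+ command that post is built around) so a smart group can hold the kext profile back until approval. The two-line output format in the sample strings is an assumption from memory of 10.13.4; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies the output of
#   profiles status -type enrollment   (macOS 10.13.4 and later)
# so a Jamf smart group can scope the kext whitelist profile to Macs whose
# MDM profile is already user approved.
# ASSUMPTION: the output format below is from memory of 10.13.4; confirm it on
# a test machine before trusting the extension attribute.

# Constructed sample outputs standing in for the real command during testing.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NOT_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# Map one captured output to a single state string.
mdm_state() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) echo "Approved" ;;
        *"MDM enrollment: Yes"*)                 echo "NotApproved" ;;
        *)                                       echo "NotEnrolled" ;;
    esac
}

# Extension-attribute wrapper: run the real command when it exists, otherwise
# report Unknown (pre-10.13.4, or not macOS). Output is in Jamf EA format.
report_mdm_state() {
    if out=$(profiles status -type enrollment 2>/dev/null); then
        state=$(mdm_state "$out")
    else
        state="Unknown"
    fi
    printf '<result>%s</result>\n' "$state"
}

report_mdm_state
```

Scope the kext profile to a smart group whose criterion is this attribute equalling Approved; machines that still read NotApproved keep the manual approval step and pick up the profile on the next inventory update, as described in the post.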

HNTIT
Contributor II

Will give that a whirl, thanks

HNTIT
Contributor II

I have the Extension Attribute up and running, and my Kernel Extensions Whitelist Policy now only applies if the MDM Profile reports as approved.

However the Prompt still comes up on screen to Approve the Application.

If I look I still get....

TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
Still none the wiser as to what these 2 numbers mean. All I know is right now they are a 0 and a 4, and if I approve the extensions through the user interface they both change to a 1, and then the prompts go away.

Any ideas ?

allanp81
Valued Contributor

I've added the whitelist using purely the team ID, there's a long list here: https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=0

Once MDM has been user approved etc. it then applies and the nags go away.

HNTIT
Contributor II

@allanp81 sadly not, MDM is approved, and all is added by team ID only and it still nags.

allanp81
Valued Contributor

And the profile is definitely applied to the machine? @HNTIT

HNTIT
Contributor II

@allanp81 yep definitely

jalcorn
Contributor II

@allanp81 this is awesome

allanp81
Valued Contributor

@jalcorn what is?

jalcorn
Contributor II

@allanp81 the google doc you just posted

HNTIT
Contributor II

Very handy, but sadly not comprehensive, the one I am trying to get working is not listed.

:(

bpavlov
Honored Contributor

@HNTIT It's a community based list. If you have vendors/software KEXT that are not on the list then contribute to it. Pay it forward!

HNTIT
Contributor II

@bpavlov DOH !!!! Total brain fart, didn't even spot that.

CoSoSys added to the list.

The_Lapin
New Contributor III

@HNTIT

Still none the wiser as to what these 2 numbers mean. All I know is right now they are a 0 and a 4, and if I approve the extensions through the user interface they both change to a 1, and then the prompts go away.

The third field (first number) will be either a 0 or 1, with 0 meaning not approved / off, and 1 meaning approved / on.

The fifth field (second number) is the flag field. I have no idea what the flags mean but I see the same behavior as you. Manually approving a kext will switch that fifth field to a 1. I've seen it be 4, 8, and 1.

I'd love to see some documentation on the fifth field digits.

HNTIT
Contributor II

It appears that policies are applying correctly to fresh built machines, but older ones appear confused when applying retrospectively.
Still testing

tjhall
Contributor III

Trying to sort out Crowdstrike and it looks like some kexts are missed out if just running kextstat in Terminal (I only get one entry).
If I run "sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy" and "SELECT * FROM kext_policy;":

X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.CSAA|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.FileInfo|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.IOServices|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.libreactos|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Network|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.NMR|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.platform|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.TDB|1|CrowdStrike Inc.|8
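The rows above, like the ones HNTIT, The_Lapin and the later posters quote, are pipe-delimited dumps of the kext_policy table: Team ID, bundle ID, the allowed column (0 or 1), developer name, and the flags column nobody in the thread has documentation for. What follows is an added example, not from the blog post or any poster: a POSIX shell script that parses rows of that shape, lists the kexts still pending approval, flags bundle IDs that carry no Team ID (the case costes hits later), and turns the rest into the AllowedTeamIdentifiers and AllowedKernelExtensions keys of a com.apple.syspolicy.kernel-extension-policy payload. The sample rows are constructed from values quoted in this thread; the payload key names are Apple's, the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Parses rows shaped like
#   sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy 'SELECT * FROM kext_policy;'
# Columns, as observed in the thread: team_id|bundle_id|allowed|developer_name|flags
# Only the third column (allowed: 0 or 1) has a known meaning; the fifth (flags)
# is passed through untouched because the thread has no documentation for it.

# Constructed sample rows built from values quoted in this thread. In real use
# replace this with the sqlite3 output (reading KextPolicy needs root).
SAMPLE_ROWS='TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
|com.ni.Fantom.nxtFwdl|1|Legacy Developer: N1|1'

# Kexts whose allowed column is still 0: these keep prompting until a profile
# (or the user) approves them. Output: team_id|bundle_id|flags
pending_kexts() {
    printf '%s\n' "$1" | awk -F'|' '$3 == "0" { print $1 "|" $2 "|" $5 }'
}

# Distinct, non-empty Team IDs, sorted. A Team-ID-only whitelist covers every
# kext signed by that team, which is the approach several posters use.
team_ids() {
    printf '%s\n' "$1" | awk -F'|' '$1 != "" { print $1 }' | sort -u
}

# Bundle IDs with no Team ID at all. A Team-ID whitelist cannot cover these,
# so report them separately instead of silently dropping them.
unsigned_kexts() {
    printf '%s\n' "$1" | awk -F'|' '$1 == "" { print $2 }'
}

# Emit the two keys of a com.apple.syspolicy.kernel-extension-policy payload:
# AllowedTeamIdentifiers (team IDs) and AllowedKernelExtensions (team -> bundles).
# Only the fragment is generated; wrap it in your own PayloadContent dict.
profile_fragment() {
    rows="$1"
    printf '<key>AllowedTeamIdentifiers</key>\n<array>\n'
    team_ids "$rows" | while read -r tid; do
        printf '    <string>%s</string>\n' "$tid"
    done
    printf '</array>\n<key>AllowedKernelExtensions</key>\n<dict>\n'
    team_ids "$rows" | while read -r tid; do
        printf '    <key>%s</key>\n    <array>\n' "$tid"
        printf '%s\n' "$rows" | awk -F'|' -v t="$tid" '$1 == t { print $2 }' \
            | sort -u | while read -r bid; do
                printf '        <string>%s</string>\n' "$bid"
            done
        printf '    </array>\n'
    done
    printf '</dict>\n'
}

# Stand-alone run: what is still pending, what has no Team ID, then the fragment.
echo "Pending approval (team|bundle|flags):"; pending_kexts "$SAMPLE_ROWS"
echo "No Team ID:";                            unsigned_kexts "$SAMPLE_ROWS"
profile_fragment "$SAMPLE_ROWS"
```

Run it after the baseline machine has everything installed, compare the pending list against what the profile is supposed to cover, and feed the fragment into a custom payload. The Team ID list alone is enough for the whitelist; the per-bundle dictionary is useful when you want to see exactly which kexts a Team ID is vouching for.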

kstrick
Contributor III

Guys,
just got to JAMF 10.4.1 (from 9.101.4) getting acclimated with changes--

About to start with KEXT settings as we will need it for several products---

I know when it comes to MDM Config Profiles,
best practice is to break up settings as much as possible, best way to manage...

For KEXT approval, is it best to put them all in one, or split by product?
(I'm not sure how well the union of multiple KEXT profiles works, or if it)

What's your experience?
ks

kstrick
Contributor III

(disregard my last post)

clegger06
New Contributor III

@donmontalvo and @franton ,

I am in day 1 of learning kexts.

When I run < sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy > and then run < SELECT * FROM kext_policy; > I get an error, "Unable to open database" in terminal.

I have spent some time using Google to research the sqlite error, but to no real success. Do you have any suggestions?

I am running the command on macOS 10.12.6, does this make a difference? I currently don't have access to a 10.13.x machine, I plan on imaging one this week, I am just trying to provision what I can before getting one spun up.

Any help is appreciated, thank you.

dach_hau
New Contributor

Thank you for this!

cdinsight
New Contributor II

Has anyone had recent success with the script posted by @franton ? It appears to be a great script that generates a PList, however there's no instructions. Are we to prepare our baseline device by installing and manually authorizing the KEXTs, and then run the script?

I ran the script on a baseline 10.13.5 device, did not manually authorize the KEXTs before running the script. Thus far the generated PList isn't working on my sample devices.

Thanks!

tjhall
Contributor III

@cdinsight You want to run the script after everything is setup and installed. The script then produces a plist file which you roll out via a config policy. We use both this one and one with manual entries. One thing to keep in mind is that the kext exclusion policy (at least with Sophos) needs to be present before any software that requires the approval (unless already installed) . The kext policy also needs to be installed after the jamf mdm profile has been approved (unless it's DEP) so requires some tinkering with the policies and smart groups to make it work.

cdinsight
New Contributor II

Thanks @tjhall. To confirm: you're using both @franton's script in a Custom Payload, and the 'Approved Kernel Extensions' Payload with Team IDs?

tjhall
Contributor III

@cdinsight Yes, Franton's script is on the base build, then a manual one as well. It might be overkill but provides flexibility and I've seen some instances where the script hasn't picked up all the kexts (Crowdstrike being one example).

Johnny_Kim
Contributor II

I ran the script on a new build after all the applications are installed. Took the plist and uploaded to config profile. I can see that the Macbook received the profile on another new laptop. The nagging stopped but when I check with sqlite command, the app isn't approved. It shows 0 on the 3rd field and a 4 on the last field. This is for the Epson projector software. (When you run the epson EasyMP software, it throw an error stating "you need to restart your computer to enable audio output". The error is misleading and has nothing to do with a reboot).

I'm running 10.13.5 with DEP. Did I miss something?

Thanks in advance!

costes
New Contributor II

I have a bundle_id without a team_id.

Using @AVmcclint's post, as well as @donmontalvo's many posts for guidance, I continuously get the following result:

6HB5Y2QTA3 | com.hp.kext.io.enabler.compound | Hewlett Packard | (blah blah blah...)
| com.ni.Fantom.nxtFwdl | 1 | Legacy Developer: N1 | 1

It's for the LEGO Mindstorm NXT software, which is old.

JAMF requires a team_id be input, and I cannot leave it blank. Does anyone have any thoughts?

FutureFacinLuke
Contributor II

Thanks for this, my custom triggered Lab Builds were throwing these up all over the place.

The Script works great for capturing stuff that isn't in https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=0

thomast
New Contributor III

Here's what I'm getting for Symantec 1401 MP2 under sqlite3 as posted above:

9PTGMPNXZ2|com.symantec.ips.kext|0|Symantec|4
9PTGMPNXZ2|com.symantec.internetSecurity.kext|0|Symantec|4
9PTGMPNXZ2|com.symantec.nfm.kext|0|Symantec|4

I have tried both profiles below separately and together just to test. I tried resetting the NVRAM after each too. I still see this: "System software from developer "Symantec" was blocked from loading." under Security & Privacy > General.

Any sage advice to assist on this? Anything I'm doing incorrectly?

carlo_anselmi
Contributor III

Hello, as far as SEP is concerned, my experience is that the profile to whitelist kexts has to be distributed BEFORE installing it.
Hope it helps
Carlo

thomast
New Contributor III

thanks @carlo.anselmi . I'll try that and let you know how it goes. Maybe I'll try it on a fresh build just to verify.

thomast
New Contributor III

So, I installed a second time after fully wiping SEP, and it didn't prompt me on the same machine. The allow button was still there, but it didn't throw any fits about needing to click it. I'll have to test a little more to make sure. However, it appears fine so far.