Posted on 12-26-2017 01:52 PM
@franton how on earth will we ever repay you?! Apple and Jamf should shower you with Bitcoins.
Kextpocalyse 2: The Remediation
What a way to quickly/easily inventory KEXTs on a computer...whether an OOB (baseline) or one with a bunch of stuff installed (to grow list of TeamID/BundleIDs).
Posted on 04-10-2018 02:07 PM
per my interpretation of apple's docs. You need both. Almost like a Team ID and then a definition of what .kext the team id covers
Posted on 04-10-2018 04:57 PM
In our testing we just used the Team ID and it looks like it's working... with a different AV vendor...
Posted on 04-11-2018 12:48 AM
So I have this working "fine" by adding the team IDs to a configuration profile, but...
WHY WHY WHY Apple!!! Because the MDM profile applied via Jamf Pro has to be user approved, the config profile with the kext exceptions then fails to apply and just shows under the management tab for a machine as failed. It seemingly then never installs until I manually click to remove the failed message.
Is this as expected? If this is how it's going to be then I'm making a serious consideration to never upgrade any of our existing machines to High Sierra as this is getting ridiculous.
Posted on 04-11-2018 08:01 AM
Well depends on enrollment. Enrolling with DEP works and requires no action. Enrolling with Recon or /enroll will require you to accept an install. Upgrading to 10.13.4 with a machines enrolled will convert to a user authorized enrollment.
FUN!!!
Posted on 04-11-2018 08:24 AM
@macbentosh Yes sadly none of those answers match our setup so we're screwed essentially.
Posted on 04-11-2018 08:34 AM
I have the exact same issue.
Background :
JAMF Pro 10.2.2
OSX 10.13.4
Non DEP Deployed
MDM Profile HAS been approved.
I have gathered all the Data required.
TV3T7A76P4|com.cososys.driver.EPPDeviceController|0|CoSoSys|4
TV3T7A76P4|com.cososys.eppclient.eppkauth|0|CoSoSys|4
TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
6HB5Y2QTA3|com.hp.kext.io.enabler.compound|1|HP Inc.|0
AH4XFXJ7DK|com.fortinet.fct.kext.avkern2|0|Fortinet, Inc|4
AH4XFXJ7DK|com.fortinet.kext.fctrouternke|0|Fortinet, Inc|4
AH4XFXJ7DK|com.fortinet.fct.kext.fctapnke|0|Fortinet, Inc|4
I have Created a Kernel Extension Profile and it has deployed successfully.
I STILL get prompted for these Extensions on the machine.
I have tried having the Profile use Just the ID, and also the bundles, neither option actually works.
Has anyone got any ideas ?
Posted on 04-11-2018 08:42 AM
Odd discovery
In the output from the database, there are 2 numbers in each line, the first is a 0 and the second a 4 (Except the HP one) when deployed by the Profile.
If I respond to the prompt and manually approve the Extensions, both numbers change to a 1.
Not sure of the significance of the numbers, but this may well have something to do with it.
Posted on 04-11-2018 08:57 AM
I'm having the exact same issue with sophos av.
Posted on 04-12-2018 07:29 AM
I have come up with a solution that I think will work for us for the time being:
By following the guide at "https://derflounder.wordpress.com/2018/03/30/detecting-user-approved-mdm-using-the-profiles-command-line-tool-on-macos-10-13-4/#more-9616" to create a new extension attribute to recognise if a device has been user approved or not, I have come up with a way to at least make some of it simpler if you are still imaging the old fashioned way.
I have created a simple app that is distributed to the management account desktop during the imaging. Once a mac is imaged and obviously enrolled in MDM, we can then just login, run the app and hey presto, MDM is approved and the kernel extension config profile is then applied.
What the app actually does is just open the System Preferences>Profiles pane which defaults to the MDM approval page, waits 30 seconds for a user to click approve and then forces a jamf inventory update. Within a second of this inventory update the kernel config profile is installed successfully.
It does mean that we'll still have a manual process but at present I don't see we have any choice. Maybe Apple will listen and give enterprise customers a way to do this automatically without using DEP. You never know....
Posted on 04-13-2018 02:14 AM
Will give that a whirl, thanks
Posted on 04-16-2018 07:39 AM
I have the Extension Attribute up and running, and my Kernel Extensions Whitelist Policy now only applies if the MDM Profile reports as approved.
However the Prompt still comes up on screen to Approve the Application.
If I look I still get....
TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
Still none the wiser as to what these 2 numbers mean, all I know is right now they are a 0 and a 4, and if I approve the extensions through the user interface they both change to a 1, and then the prompts go away.
Any ideas ?
Posted on 04-17-2018 12:41 AM
I've added the whitelist using purely the team ID, there's a long list here: https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=0
Once MDM has been user approved etc. it then applies and the nags go away.
Posted on 04-17-2018 01:26 AM
@allanp81 sadly not, MDM is approved, and all is added by team ID only and it still nags.
Posted on 04-17-2018 02:17 AM
And the profile is definitely applied to the machine? @HNTIT
Posted on 04-17-2018 02:36 AM
@allanp81 yep definitely
Posted on 04-17-2018 05:18 AM
@allanp81 this is awesome
Posted on 04-17-2018 05:20 AM
@jalcorn what is?
Posted on 04-17-2018 05:33 AM
@allanp81 the google doc you just posted
Posted on 04-17-2018 05:57 AM
Very handy, but sadly not comprehensive, the one I am trying to get working is not listed.
:(
Posted on 04-17-2018 05:59 AM
@HNTIT It's a community based list. If you have vendors/software KEXT that are not on the list then contribute to it. Pay it forward!
Posted on 04-17-2018 09:02 AM
@bpavlov DOH !!!! Total brain fart, didn't even spot that.
CoSoSys added to the list.
Posted on 04-17-2018 12:52 PM
Still none the wiser as to what these 2 numbers mean, all I know is right now they are a 0 and a 4, and if I approve the extensions through the user interface they both change to a 1, and then the prompts go away.
The third field (first number) will be either a 0 or 1, with 0 meaning not approved / off, and 1 meaning approved / on.
The fifth field (second number) is the flag field. I have no idea what the flags mean but I see the same behavior as you. Manually approving a kext will switch that fifth field to a 1. I've seen it be 4, 8, and 1.
I'd love to see some documentation on the fifth field digits.
Posted on 04-18-2018 01:48 AM
It appears that policies are applying correctly to fresh built machines, but older ones appear confused when applying retrospectively.
Still testing
Posted on 04-27-2018 08:33 AM
Trying to sort out Crowdstrike and looks like some kexts are missed out if just running kextstat in Terminal (I only get one entry)
If I run "sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy" and "SELECT * FROM kext_policy;"
X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.CSAA|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.FileInfo|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.IOServices|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.libreactos|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Network|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.NMR|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.platform|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.TDB|1|CrowdStrike Inc.|8
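As an added example (not franton's script and not anything posted in this thread), the snippet below takes rows in the exact format the sqlite3 query above prints (team_id|bundle_id|allowed|developer_name|flags, as explained a few posts up), lists the entries that are still unapproved (allowed = 0), and turns the rest into the AllowedTeamIdentifiers / AllowedKernelExtensions keys of a com.apple.syspolicy.kernel-extension-policy payload. The rows are constructed sample data; rows with an empty Team ID (legacy/unsigned kexts) are skipped because the payload cannot express them.

```shell
#!/bin/sh
# Constructed sample rows, same shape as:
#   sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * FROM kext_policy;"
# Columns: team_id|bundle_id|allowed|developer_name|flags
SAMPLE_ROWS='TV3T7A76P4|com.cososys.kext.EPPUsbHelper|0|CoSoSys|4
X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
|com.ni.Fantom.nxtFwdl|1|Legacy Developer: N1|1'

# Print team_id|bundle_id for every row whose "allowed" column is 0,
# i.e. kexts the user has not approved and the profile has not covered.
list_unapproved() {
    awk -F'|' '$3 == "0" { print $1 "|" $2 }'
}

# Emit the two allow-list keys of a kernel-extension-policy payload from
# stdin rows. Duplicate team/bundle pairs are collapsed; rows with no
# Team ID are reported on stderr and left out.
kext_policy_to_plist() {
    awk -F'|' '
        $1 == "" { print "skipping (no Team ID): " $2 > "/dev/stderr"; next }
        !seen[$1 "|" $2]++ {
            bundles[$1] = bundles[$1] "\t\t<string>" $2 "</string>\n"
        }
        END {
            print "<key>AllowedTeamIdentifiers</key>"
            print "<array>"
            for (t in bundles) printf "\t<string>%s</string>\n", t
            print "</array>"
            print "<key>AllowedKernelExtensions</key>"
            print "<dict>"
            for (t in bundles)
                printf "\t<key>%s</key>\n\t<array>\n%s\t</array>\n", t, bundles[t]
            print "</dict>"
        }'
}

# Usage (run on the sample data):
#   printf "%s\n" "$SAMPLE_ROWS" | list_unapproved
#   printf "%s\n" "$SAMPLE_ROWS" | kext_policy_to_plist
```

The emitted keys still need to be wrapped in the usual PayloadContent dictionary (with AllowUserOverrides set as you prefer) before uploading as a custom profile.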
Posted on 05-17-2018 12:05 PM
Guys,
just got to JAMF 10.4.1 (from 9.101.4) getting acclimated with changes--
About to start with KEXT settings as we will need it for several products---
I know when it comes to MDM Config Profiles,
best practice is to break up settings as much as possible, best way to manage...
For KEXT approval, is it best to put them all in one, or split by product?
(I'm not sure how well the union of multiple KEXT profiles works, or if it)
What's your experience?
ks
Posted on 05-21-2018 11:56 AM
(disregard my last post)
Posted on 05-30-2018 03:19 PM
@donmontalvo and @franton ,
I am in day 1 of learning kexts.
When I run < sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy > and then run < SELECT * FROM kext_policy; > I get an error, "Unable to open database" in terminal.
I have spent some time using Google to research the sqlite error, but to no real success. Do you have any suggestions?
I am running the command on macOS 10.12.6, does this make a difference? I currently don't have access to a 10.13.x machine, I plan on imaging one this week, I am just trying to provision what I can before getting one spun up.
Any help is appreciated, thank you.
Posted on 06-21-2018 04:36 PM
Thank you for this!
Posted on 07-05-2018 06:44 AM
Has anyone had recent success with the script posted by @franton ? It appears to be a great script that generates a PList, however there's no instructions. Are we to prepare our baseline device by installing and manually authorizing the KEXTs, and then run the script?
I ran the script on a baseline 10.13.5 device, did not manually authorize the KEXTs before running the script. Thus far the generated PList isn't working on my sample devices.
Thanks!
Posted on 07-06-2018 02:22 AM
@cdinsight You want to run the script after everything is setup and installed. The script then produces a plist file which you roll out via a config policy. We use both this one and one with manual entries. One thing to keep in mind is that the kext exclusion policy (at least with Sophos) needs to be present before any software that requires the approval (unless already installed) . The kext policy also needs to be installed after the jamf mdm profile has been approved (unless it's DEP) so requires some tinkering with the policies and smart groups to make it work.
Posted on 07-08-2018 06:43 AM
Posted on 07-09-2018 04:39 AM
@cdinsight Yes, Franton's script is on the base build, then a manual one as well. It might be overkill but provides flexibility and I've seen some instances where the script hasn't picked up all the kexts (Crowdstrike being one example).
Posted on 07-13-2018 12:46 PM
I ran the script on a new build after all the applications are installed. Took the plist and uploaded to config profile. I can see that the Macbook received the profile on another new laptop. The nagging stopped but when I check with sqlite command, the app isn't approved. It shows 0 on the 3rd field and a 4 on the last field. This is for the Epson projector software. (When you run the epson EasyMP software, it throw an error stating "you need to restart your computer to enable audio output". The error is misleading and has nothing to do with a reboot).
I'm running 10.13.5 with DEP. Did I miss something?
Thanks in advance!
Posted on 08-03-2018 01:18 PM
I have a bundle_id without a team_id.
Using @AVmcclint 's post, as well as @donmontalvo's many posts for guidance, I continuously get the following result:
6HB5Y2QTA3 | com.hp.kext.io.enabler.compound | Hewlett Packard | (blah blah blah...)
| com.ni.Fantom.nxtFwdl | 1 | Legacy Developer: N1 | 1
It's for the LEGO Mindstorm NXT software, which is old.
JAMF requires a team_id be input, and I cannot leave it blank. Does anyone have any thoughts?
Posted on 09-20-2018 03:56 AM
Thanks for this, my custom triggered Lab Builds were throwing these up all over the place.
The Script works great for capturing stuff that isn't in https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=0
Posted on 10-03-2018 03:05 PM
Here's what I'm getting for Symantec 1401 MP2 under sqlite3 as posted above:
9PTGMPNXZ2|com.symantec.ips.kext|0|Symantec|4
9PTGMPNXZ2|com.symantec.internetSecurity.kext|0|Symantec|4
9PTGMPNXZ2|com.symantec.nfm.kext|0|Symantec|4
I have tried both profiles below separately and together just to test. I tried resetting the NVRAM after each too. I still see this: "System software from developer "Symantec" was blocked from loading." under security & privacy > general
Any sage advice to assist on this? Anything I'm doing incorrectly?
Posted on 10-04-2018 07:21 AM
Hello, as far as SEP is concerned, my experience is the profile to whitelist kexts has to be distributed BEFORE installing it.
Hope it helps
Carlo
Posted on 10-04-2018 07:26 AM
Posted on 10-04-2018 07:31 AM
thanks @carlo.anselmi . I'll try that and let you know how it goes. Maybe I'll try it on a fresh build just to verify.
Posted on 10-04-2018 08:06 AM
So, I installed a second time after fully wiping SEP, and it didn't prompt me on the same machine. The allow button was still there, but it didn't throw any fits about needing to click it. I'll have to test a little more to make sure. However, it appears fine so far.