Kextpocalyse 2: The Remediation (Blog post by our own @franton)

donmontalvo
Esteemed Contributor III

@franton how on earth will we ever repay you?! Apple and Jamf should shower you with Bitcoins.

Kextpocalyse 2: The Remediation


What a way to quickly/easily inventory KEXTs on a computer...whether an OOB (baseline) or one with a bunch of stuff installed (to grow list of TeamID/BundleIDs).

--
https://donmontalvo.com

mhegge
Contributor III

We are having the Kernel Extension issue (10.13.6) with the latest Sophos Endpoint software installer. Their remedy is to boot every device in Recovery Mode and run something in terminal. Not an acceptable remedy, and impossible.

Trying the Configuration Profile route to approve the sophos kext

Awaiting the bundle IDs......

TomDay
Release Candidate Programs Tester

Awesome script! Little bug for me though, one of the apps I approved in my system prefs doesn't appear in the Kext script output?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowUserOverrides</key>
    <false/>
    <key>AllowedTeamIdentifiers</key>
    <array>
      <string>268CCUR4WN</string>
      <string>34JN824YNC</string>
      <string>6HB5Y2QTA3</string>
      <string>8R7PS6VYW7</string>
      <string>DX6G69M9N2</string>
      <string>EG7KH642X6</string>
      <string>FC94733TZD</string>
      <string>K3TDMD9Y6B</string>
      <string>KBVSJ83SS9</string>
      <string>NDGSU3WA4Y</string>
    </array>
    <key>AllowedKernelExtensions</key>
    <dict>
      <key>268CCUR4WN</key>
      <array>
        <string>com.promise.driver.stex</string>
      </array>
      <key>34JN824YNC</key>
      <array>
        <string>com.Areca.ArcMSR</string>
      </array>
      <key>6HB5Y2QTA3</key>
      <array>
        <string>com.hp.kext.hp-fax-io</string>
        <string>com.hp.hpio.hp-io-printerclassdriver-enabler</string>
      </array>
      <key>8R7PS6VYW7</key>
      <array>
        <string>com.CalDigit.driver.HDPro</string>
      </array>
      <key>DX6G69M9N2</key>
      <array>
        <string>com.highpoint-tech.kext.HighPointIOP</string>
        <string>com.highpoint-tech.kext.HighPointRR</string>
      </array>
      <key>EG7KH642X6</key>
      <array>
        <string>com.vmware.kext.vmioplug.17.3.0</string>
        <string>com.vmware.kext.vmnet</string>
        <string>com.vmware.kext.vmci</string>
        <string>com.vmware.kext.vmx86</string>
        <string>com.vmware.kext.vmioplug.17.1.5</string>
      </array>
      <key>FC94733TZD</key>
      <array>
        <string>com.ATTO.driver.ATTOExpressSASHBA2</string>
        <string>com.ATTO.driver.ATTOCelerityFC8</string>
        <string>com.ATTO.driver.ATTOExpressSASRAID2</string>
      </array>
      <key>K3TDMD9Y6B</key>
      <array>
        <string>com.Accusys.driver.Acxxx</string>
      </array>
      <key>KBVSJ83SS9</key>
      <array>
        <string>com.citrix.kext.gusb</string>
      </array>
      <key>NDGSU3WA4Y</key>
      <array>
        <string>com.softraid.driver.SoftRAID</string>
      </array>
    </dict>
  </dict>
</plist>

rhooper
Contributor III

We are attempting to push out the Sophos AV. I have added the KEXTs needed for this to run, but it still is failing Services, even though I can see the KEXTs loaded. I have run the script in the top of this post; I have some KEXTs that have nothing to do with SOPHOS, but wondering if they may have something to do with basic operations of I/O connectors.
Below I have the output of the script. All the Sophos Bundle IDs are added, but there are more listed in this result than in the "SELECT * FROM kext_policy;" command. Will that make a difference?
When launched, Sophos says to approve the items in 'Privacy and Security', which is restricted. Short of disabling Security and Privacy, I am at my knowledge base. Please train me....
Thoughts or ideas are more than welcome. Why can Apple not just bring back the "Allow from Anywhere" radio button?

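To compare what the kext_policy table actually records against what a Kernel Extension Policy profile (like the one posted above) allows, here is an added example that is not part of the original thread or @franton's script. It assumes the kext_policy table has the columns team_id, bundle_id, allowed, developer_name and flags; the rows below are constructed sample data, and a real run would open the database at KEXT_POLICY_DB as root instead.

```python
import plistlib
import sqlite3

# Location of the kext user-consent database on 10.13+ (reading it needs root).
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Constructed sample rows in the assumed shape of the kext_policy table:
# (team_id, bundle_id, allowed, developer_name, flags). Not real inventory data.
SAMPLE_ROWS = [
    ("EG7KH642X6", "com.vmware.kext.vmnet", 1, "VMware, Inc.", 1),
    ("EG7KH642X6", "com.vmware.kext.vmx86", 1, "VMware, Inc.", 1),
    ("KBVSJ83SS9", "com.citrix.kext.gusb", 0, "Citrix Systems, Inc.", 1),
]

def open_sample_db():
    """Build an in-memory stand-in for KextPolicy so the example runs anywhere."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
               "allowed BOOLEAN, developer_name TEXT, flags INTEGER, "
               "PRIMARY KEY (team_id, bundle_id))")
    db.executemany("INSERT INTO kext_policy VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return db

def approved_kexts(db):
    """Return {team_id: [bundle_id, ...]} for rows the user has actually approved."""
    allowed = {}
    query = "SELECT team_id, bundle_id FROM kext_policy WHERE allowed = 1"
    for team_id, bundle_id in db.execute(query):
        allowed.setdefault(team_id, set()).add(bundle_id)
    return {t: sorted(b) for t, b in allowed.items()}

def build_profile_payload(allowed):
    """Produce the payload keys used by the Kernel Extension Policy profile."""
    return {
        "AllowUserOverrides": False,
        "AllowedTeamIdentifiers": sorted(allowed),
        "AllowedKernelExtensions": allowed,
    }

def payload_as_plist(allowed):
    """Serialise the payload as XML plist bytes, ready to wrap in a profile."""
    return plistlib.dumps(build_profile_payload(allowed))

def diff_against_profile(allowed, profile_payload):
    """(in profile but not approved locally, approved locally but not in profile)."""
    local = {(t, b) for t, bs in allowed.items() for b in bs}
    prof = profile_payload["AllowedKernelExtensions"]
    profile = {(t, b) for t, bs in prof.items() for b in bs}
    return sorted(profile - local), sorted(local - profile)
```

The first list returned by diff_against_profile is the case in the question above: bundle IDs the profile covers that the local database has not (yet) marked allowed.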

bazcurtis
New Contributor III

@rhooper I have a thread about installing Sophos here: Approved Kernel Extensions still asking to be allowed.

I have it working; the Allow button is still visible, but the Endpoint is healthy and green.

dvasquez
Valued Contributor

Thank you!

jxh864
New Contributor

@clegger06 You need to put sudo in front of the command. That is why you are getting the sqlite error.

Johnny

cainehorr
Contributor III

Love this... BUT...

Has anyone found a way to remotely re-enable a KEXT that a user may have not approved prior to pushing out a MDM config?

ie...

Device is enrolled in Jamf...
User had 10.13.4, etc.
IT pushed out something like Sophos
User got pop-up to approve KEXT
User did not approve
IT realized KEXT mobileconfig needs to be pushed
IT pushes mobileconfig
New devices get mobileconfig
New devices are not prompted
Old devices get mobileconfig
Old device KEXT still not approved

Anybody have any elegant leads on this?

So far, from what I'm reading, this is a whole lot of going to each device, going into Recovery mode and running some terminal commands.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

allanp81
Valued Contributor

I think once you've sent the Kext profile then it will just get approved anyway, that seems to be what I've found.

tjhall
Contributor III

@caine.horr In the case of Sophos I'd say the best thing would be to re-install Sophos.
The approved kext should preferably be in place before the Sophos installation. Then the user would not get any notification or prompt for approval.
Our Sophos install is based on a smart group that has the approved kext as a prerequisite, and it works without issues or notifications.

daniel_ross
Contributor III

.

dvasquez
Valued Contributor

Very nice thank you!