Posted on 10-02-2017 10:59 PM
When I install Kaspersky Endpoint Security on High Sierra, I get the "System extension blocked" message.
I know I can go in and allow the kernel extension under System Preferences -> Security & Privacy.
That just keeps me from automating this for the end user...
Have any of you gone about this new security feature in High Sierra in any clever way, so I don't need to either do it myself on every device, or disable checking kernel extensions entirely (which I don't want to do)?
Any feedback is highly appreciated.
Thanks.
Posted on 10-03-2017 02:32 AM
Posted on 10-03-2017 02:37 AM
Posted on 10-03-2017 03:14 AM
Hi @Jesper
From Ben's link:
For workflows that leverage mobile device management (MDM), all systems with a valid MDM profile installed will not require user approval to load any properly-signed kernel extension.
Posted on 10-03-2017 03:48 AM
Hi @daz_wallace
I saw that, thank you.
I was just thrown off by these lines in Erik Gomez' blog post:
WHAT IF I USE DEP AND MDM? As currently architected, enterprise customers using DEP do not have the ability to automatically approve Team IDs or completely disable this feature.
So I am in doubt if it means that it will not work if I use DEP only, or if it also does not work if I use DEP and MDM.
Posted on 10-03-2017 03:50 AM
Hi @Jesper, Erik's blog is awesome but was before Apple 'Fixed' the behaviour.
To answer your question, DEP is used to enrol a device in an MDM solution. That's pretty much its purpose, so you should be fine as long as your devices are enrolling correctly with your MDM (I'm guessing Jamf Pro as you're here).
Posted on 10-03-2017 03:57 AM
Hi @daz_wallace ,
Thanks a lot for confirming this. It makes sense.
I understand the purpose of DEP, but just wanted to be sure, as I am in the design phase of our Jamf Pro/Mac/DEP setup.
Haven't set up our Jamf instance yet, so had only non-MDM Macs to test our software on.
Being new to this community, I must say it lives up to its reputation of being awesome :-)
I'll mark your reply as the answer.
Thanks again.
Posted on 10-03-2017 03:59 AM
@Jesper No worries, glad we could help.
Might be worth joining the (free) Mac Admins Slack instance if you'd prefer / also like a more 'chat-based' collaboration - http://macadmins.org
Posted on 03-30-2018 08:17 AM
Looks like Sophos AV is blocked. I was already enrolled in MDM before 10.13.4 and now I get this with Sophos AV.
Posted on 03-30-2018 10:31 AM
Yep, Apple only delayed this issue when they had earlier versions of High Sierra automatically disable UAKEL when MDM was enrolled/approved. UAKEL is re-enabled in 10.13.4 for all systems regardless of MDM status and you have to push a kernel policy whitelist profile.
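Editor's added example, not part of any post in this thread: a sketch of the "kernel policy whitelist profile" mentioned above, built as a configuration profile with Apple's `com.apple.syspolicy.kernel-extension-policy` payload. The Team ID `ABCDE12345`, the organization name and the function name are constructed placeholders; read the vendor's real Team ID from the `TeamIdentifier` line of `codesign -dv` run against its kext.

```python
import plistlib
import re
import uuid

# Payload type Apple defines for the kernel extension (UAKEL) policy.
KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
# Apple Team IDs are 10-character uppercase alphanumeric strings.
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")


def build_kext_policy_profile(team_ids, org="Example Org", allow_user_overrides=True):
    """Return .mobileconfig bytes that pre-approve kexts signed by team_ids."""
    team_ids = sorted(set(team_ids))  # de-duplicate, stable order
    bad = [t for t in team_ids if not TEAM_ID_RE.fullmatch(t)]
    if not team_ids or bad:
        # Fail closed: a typo here silently leaves the kext blocked on clients.
        raise ValueError(f"need valid 10-character Team IDs, rejected: {bad}")
    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{KEXT_POLICY_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Approved Kernel Extensions",
        # False removes the user's own "Allow" button in Security & Privacy.
        "AllowUserOverrides": allow_user_overrides,
        # Approves every kext signed by these teams; no per-bundle list needed.
        "AllowedTeamIdentifiers": team_ids,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"org.example.kextpolicy.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed placeholder Team ID, not a real vendor's.
    print(build_kext_policy_profile(["ABCDE12345"]).decode())
```

macOS only honours this payload when the profile is delivered by a user-approved MDM server; installing the generated file by hand will not approve the kext.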
Posted on 10-14-2019 10:37 AM
On macOS Mojave I have Sophos whitelisted in Approved Kexts but Security and Privacy still says blocked... Did I miss something in JAMF?