Overview and recommendations for system extensions
- What Is a System Extension?
- What Is a Kernel Extension?
- The Difference Between Kernel Extensions and System Extensions
- Create a System Extension Profile
What Is a System Extension?
System extensions are the modern replacement for kernel extensions (kexts), introduced in macOS Catalina (10.15). With system extensions, Apple provides new frameworks that let developers perform tasks previously reserved for kexts. The primary benefit is that system extensions run in user space rather than in kernel space: each one runs as a separate, code-signed and notarized process with only the entitlements Apple grants it, so a bug or crash in an extension cannot corrupt kernel memory or bring down the Mac the way a faulty kext can, and it never gets the unrestricted access to the kernel that a kext has. Although kexts still load in macOS Catalina, Apple has deprecated the types of kexts these frameworks replace, and developers should migrate their kexts to system extensions as equivalent frameworks become available.
Currently, there are three new system extension frameworks available to replace kexts:
- DriverKit: Use the new DriverKit framework to create drivers for USB, Serial, NIC, and HID devices that users can install in macOS Catalina or newer. Learn more about DriverKit.
- Network Extensions: Network extension apps such as content filters, DNS proxies, and VPN clients can now be distributed as system extensions to macOS Catalina or newer. Learn more about NetworkExtension.
- Endpoint Security: Endpoint security clients, including antivirus software, can now leverage the new EndpointSecurity API to monitor and even block system events to better conform with security policies and protect from potential malicious activity in macOS Catalina or newer. Learn more about Endpoint Security.
Software whose kexts rely on functionality outside these three frameworks, such as some virtualization products, must continue to use kexts until Apple offers an equivalent system extension framework.
Like kexts, system extensions can be pre-approved with a configuration profile so users are not prompted to allow them. The system extension policy is a separate payload from the kernel extension policy, so an existing kext profile does not cover a vendor's system extensions; you need a system extension profile as well.
If you are using an application that is still using a kernel extension, we recommend you reach out to your software vendors to encourage them to move to system extensions.
Additional Information:
Kernel Extensions Overview - Apple Developer Documentation Archive
System Extensions - Apple Developer
What Is a Kernel Extension?
Kernel extensions, sometimes referred to as kexts, allow developers to load code dynamically into the macOS kernel. They also provide access to internal kernel interfaces that enable complex apps to function properly. Examples of such apps include virtualization applications and hypervisors such as Parallels or VMware Fusion.
The Difference Between Kernel Extensions and System Extensions
If you are unsure whether a piece of software uses a system extension or a kext, there are a few ways to find out:
- Contact the software manufacturer.
- After installing your software, run the command below to list every system extension that an app has submitted for activation, whether or not it has been approved yet. If the software's extension is not listed, it likely still uses a legacy kext; you can confirm that by listing loaded third-party kexts with kmutil showloaded (macOS 11 and later) or kextstat (earlier releases).
systemextensionsctl list
Here is an example of the output you might see if no system extensions are installed.
KandjiSupport@TestMac1 ~ % systemextensionsctl list
0 extension(s)
Here is an example of the output you might see if a system extension is installed. The columns are tab-separated; the row for each extension is shown here on one line.
KandjiSupport@TestMac1 ~ % systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 9PTGMPNXZ2 com.symantec.mes.systemextension (10.0.0/10.0.0) Symantec System Extension [activated enabled]
The two asterisks mean the extension is both enabled and active. An extension that has been installed but not yet approved shows a state of [activated waiting for user] instead; that is the case a pre-approval profile resolves without user interaction.
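The script below is an added example, not part of the Kandji article. It turns the tab-separated output of systemextensionsctl list into one line per extension (type, Team ID, bundle ID, state), which is exactly the information the profile steps in the next section ask for, and then lists any loaded third-party kexts so you can tell whether a vendor still ships one. The embedded sample is constructed from the Symantec row shown above; the assumption that kmutil showloaded and kextstat print the bundle ID in their sixth column is based on their standard table layout and is not stated on this page.

```sh
#!/bin/sh
# Added example (not from the Kandji article): summarise `systemextensionsctl list`
# and loaded third-party kexts. Assumes the 10.15+ list format: a "--- <category>"
# line per extension type, a header line, then one TAB-separated row per extension.

# Constructed sample, mirroring the Symantec row shown in the article.
SAMPLE_LIST="$(printf '1 extension(s)\n--- com.apple.system_extension.endpoint_security\nenabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n*\t*\t9PTGMPNXZ2\tcom.symantec.mes.systemextension (10.0.0/10.0.0)\tSymantec System Extension\t[activated enabled]\n')"

# parse_sysext_list: read `systemextensionsctl list` output on stdin and print
#   <type> <teamID> <bundleID> <state>
# e.g. "endpoint_security 9PTGMPNXZ2 com.symantec.mes.systemextension activated enabled"
parse_sysext_list() {
    awk -F'\t' '
        /^--- /     { sub(/^--- com\.apple\.system_extension\./, ""); type = $0; next }
        /^enabled/  { next }                              # column header line
        NF >= 6 {
            split($4, ver, " ")                           # "bundleID (ver/ver)" -> bundleID
            state = substr($6, 2, length($6) - 2)         # strip the [ ] around the state
            print type, $3, ver[1], state
        }'
}

# list_third_party_kexts: print loaded kext bundle IDs that are not Apple's.
# kmutil replaced kextstat in macOS 11; both print the bundle ID in the sixth
# column (assumption about their standard table layout, see the lead-in).
list_third_party_kexts() {
    {
        if command -v kmutil >/dev/null 2>&1; then
            kmutil showloaded --no-kernel-components 2>/dev/null
        else
            kextstat -l 2>/dev/null
        fi
    } | awk '$6 ~ /\./ && $6 !~ /^com\.apple\./ { print $6 }'
}

# Usage: SYSEXT_DEMO=1 sh sysext_inventory.sh   (parse the constructed sample)
#        sh sysext_inventory.sh                  (live inventory on a Mac)
if [ "${SYSEXT_DEMO:-0}" = "1" ]; then
    printf '%s\n' "$SAMPLE_LIST" | parse_sysext_list
elif command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | parse_sysext_list
    echo "--- third-party kexts still loaded:"
    list_third_party_kexts
fi
```

An extension reported with the state "activated waiting for user" is the one to pre-approve; a bundle ID that appears only in the kext list means the vendor has not migrated yet and needs the kernel extension profile instead.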
Create a System Extension Profile
Follow these steps to create a system extension profile in Kandji that will pre-approve an application's system extension(s).
- Log in to your Kandji tenant and navigate to the Library section in the navigation panel.
- Click Add New.
- Click System Extension.
- Click Add & Configure.
- Give your new profile a descriptive name, such as System Extension Allowance.
- Select the Blueprint you wish to include from the Blueprint dropdown.
- Optional: If you deselect Allow users to approve system extensions, no user on the Mac, including local administrators, can approve a system extension that is not approved via a profile. Additionally, deselecting this option revokes any system extensions a user has previously approved, so make sure every extension you rely on is covered by a profile before turning it off.
- Input the Team ID; this is the 10-character identifier in the teamID column (the third column) of the Terminal output generated by the systemextensionsctl list command discussed above. The Team ID identifies the vendor's developer account rather than a particular extension, so it is the same for every extension that vendor ships.
- Optionally provide a Name to associate with the Team ID.
- Under the System Extensions portion, you may optionally change the default value of Approve all system extensions. Leaving this option at its default setting preapproves every system extension signed by the specified Team ID, now and in the future; if you want to limit approval to what you have actually reviewed, set this option to one of the following instead:
- Allow specific system extensions: Allows you to specify the exact bundle ID of the specific system extension you want to approve; use the bundle ID generated by the systemextensionsctl list command described above. You can also optionally mark one or more of these specific extensions as removable, which lets the vendor's own app or uninstaller, or admin tooling such as Kandji or a vendor-provided package, deactivate the extension without prompting a user for administrator credentials (this corresponds to the RemovableSystemExtensions profile key and requires macOS 12 or later).
- Allow specific system extension types: Allows you to specify system extension types from a developer—such as endpoint security extensions, driver extensions, or network extensions—that you want to be preapproved. For our Symantec example, we would approve the Endpoint security extensions type, as this matches the extension type generated by the systemextensionsctl list command described above.
If necessary, you can select the Add Team ID button to allow system extensions from additional Team IDs in a single profile.
- Click Save.