Kernel Extensions: Overview and Guide

Overview and recommendations for KEXTs.

What Is a Kernel Extension?

Kernel extensions, sometimes referred to as kexts, enable developers to load code dynamically into the macOS kernel. This provides access to internal kernel interfaces, allowing complex apps to function properly. Examples of such apps include virtualization applications and hypervisors such as Parallels or VMware Fusion.

What Is a System Extension?

System extensions are modern replacements of kernel extensions in macOS Catalina. With system extensions, Apple provides new frameworks for developers to perform tasks previously reserved for kernel extensions. The primary new benefit of system extensions is that they run in the user space rather than in the kernel space; by running in the user space, system extensions cannot compromise the built-in security or stability of macOS.

Although kernel extensions do still work in macOS Catalina, Apple has deprecated the use of certain types of kexts and developers should work to move their kexts to system extensions as equivalent system extension frameworks become available. Currently, there are three new system extension frameworks available to replace kexts. Kexts that operate outside of these new frameworks (such as virtualization software like VMware Fusion) must continue to use kexts until Apple offers equivalent system extension frameworks.  

  • DriverKit: Use the new DriverKit framework to create drivers for USB, Serial, NIC, and HID devices that users can install on macOS Catalina. Learn more about DriverKit.
  • Network Extensions: Network extension apps such as content filters, DNS proxies, and VPN clients can now be distributed to a user’s Mac as system extensions on macOS Catalina. Learn more about NetworkExtension.
  • Endpoint Security: Endpoint security clients, including antivirus and endpoint detection and response software, can leverage the EndpointSecurity API to monitor and even block system events to better conform with security policies and protect from potential malicious activity. Learn more about Endpoint Security

System extensions can also be allowed using a separate configuration profile. 

At the time of this article, most applications that used kernel extensions are still using kernel extensions. We recommend you reach out to your software vendors to encourage them to move to system extensions.

Additional Information:

Kernel Extensions Overview (Apple Developer Documentation Archive)

System Extensions (Apple Developer)

How Can I Find Team IDs and Bundle Identifiers?

To find the specific Team IDs and bundle identifiers, perform the following steps on a Mac that has already approved the desired kernel Extensions. 

Method 1: (Easier)

  1. Copy and run the script below in Terminal.

echo "Team ID,Bundle Identifier,KEXT Allowed,Developer Name,Flags"> ~/Desktop/kext.csv

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * FROM kext_policy;" | sed 's/|/,/g' >> ~/Desktop/kext.csv

open ~/Desktop/kext.csv

A CSV file will appear on your desktop. Inside you'll find the information on kernel extensions currently installed on your Mac, including Team IDs and bundle identifiers. 

If you see the same “Team ID” listed multiple times, this is because it has multiple bundle identifiers (kernel extension files) associated with that Team ID.

Method 2:

  1. Open Terminal and run the following command:
    sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
  2. Then run the following command:
    SELECT * FROM kext_policy;
  3. You will be presented with output similar to:

The first column is the Team ID, the second column is the bundle identifier, the third column is whether or not it is allowed, the fourth column is the developer, and the last column is any flags.

Creating a Kernel Extension Profile

  1. Login to your Kandji account and navigate to the Library section in the left-hand navigation panel.
  2. Select Add New in the top right corner.
  3. Select Kernel Extension Profile.
  4. Give your new profile a Name.
  5. Optional: If you deselect Allow users to approve kernel extensions, this will prevent all users on the Mac, including local administrators, from allowing additional kernel extensions that are not allowed by a profile.
  6. Input a Name for the Team ID; this is optional, but we suggest entering the vendor name for simplicity.
  7. Input the Team ID you collected in the previous section—the identifier in the first column.
  8. Under Approved Kernel Extensions you may optionally specify individual bundle identifiers; the bundle identifier for an associated Team ID can be found in the second column of the data you collected in the previous section. Optionally you may choose a display name for the bundle identifier. If needed, you can select the Add Team ID button and allow additional kernel extensions in a single profile. 
  9. Select Save. You may now add your kernel extension profile to a Blueprint in your Kandji account.