Overview and recommendations for KEXTs.
What is a Kernel Extension?
Kernel Extensions, sometimes referred to as KEXTs, provide developers the ability to load code dynamically into the macOS Kernel. This allows access to internal Kernel interfaces allowing complex apps to function properly. Examples of such apps may be virtualization applications and hypervisors such as Parallels or VMware Fusion.
What is a System Extension?
System Extensions are the modern replacement to Kernel Extensions in macOS Catalina. With System Extensions, Apple provides new frameworks for developers to perform tasks previously reserved for Kernel Extensions. The primary new benefit of System Extensions is that they run in the user space rather than in the Kernel space, by running in the user space System Extensions cannot compromise the built-in security or stability of macOS. Although Kernel Extensions do still work in macOS Catalina, Apple has deprecated the use of certain types of KEXTs and developers should work to move their KEXTs to System Extensions as System Extension equivalent frameworks become available. Currently, there are three new System Extension frameworks available to replace KEXTs. KEXTs that operate outside of these new frameworks (such as virtualization software like VMware Fusion) must continue to use KEXTs until Apple offers equivalent System Extension frameworks.
- DriverKit - Use the new DriverKit framework to create drivers for USB, Serial, NIC, and HID devices that users can install on macOS Catalina. Learn more about DriverKit.
- Network Extensions - Network extension apps such as content filters, DNS proxies, and VPN clients can now be distributed to a user’s Mac as system extensions on macOS Catalina. Learn more about NetworkExtension.
- Endpoint Security - Endpoint security clients, including Endpoint Detection and Response software and antivirus software, can now leverage the new EndpointSecurity API to monitor and even block system events to better conform with security policies and protect from potential malicious activity. Learn more about Endpoint Security
System Extensions can also be whitelisted using a separate configuration profile.
At the time of this article, most applications that used Kernel Extensions are still using Kernel Extensions. We recommend you reach out to your software vendors to encourage them to move to System Extensions.
Kernel Extensions Overview - Apple Developer Documentation Archive
System Extensions - Apple Developer
How can I find Team IDs and Bundle identifiers?
Method 1: (Easier)
- Copy and run the script below in terminal, this will create then open a CSV file on your desktop with the information on Kernel Extensions currently installed on your Mac.
echo "Team ID,Bundle Identifier,KEXT Allowed,Developer Name,Flags"> ~/Desktop/kext.csv
sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * FROM kext_policy;" | sed 's/|/,/g' >> ~/ Desktop/kext.csv
If you see the same “Team ID” listed multiple times, this is because it has multiple bundle identifiers (Kernel Extension Files) associated with that Team ID.
- Open Terminal and run the following command:
sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
- Then run the following command:
SELECT * FROM kext_policy;
- You will be presented with output similar to the following:
The first column is the “Team ID”, the second column is the bundle identifier, the third column is whether or not it is allowed, the fourth column is the developer, and the last column is any flags.
Creating a Kernel Extension Profile
- Login to your Kandji Account and navigate to the Library section using the navigation panel.
- Select Add New in the top right corner.
- Select Kernel Extension Profile.
- Give your new profile a name, we suggest that you name it the name of the software you are whitelisting the Kernel Extension for, as Kandji currently only supports whitelisting one Team ID per Profile.
- Optional: If you deselect Allow users to approve Kernel Extensions this will prevent all users on the Mac from allowing additional Kernel Extensions not whitelisted via a Profile, including local administrators.
- Input a Name for the Team ID, this is optional, but we suggest putting the vendor name for simplicity.
- Input the Team ID we collected in the previous section, this is the identifier in the first column.
- Under Approved Kernel Extensions you may optionally specify individual bundle identifiers, the bundle identifier for an associated Team ID can be found in the second column of the data we collected in the previous section. Optionally you may choose a display name for the bundle identifier.
- Select Save, you may now add your Kernel Extension profile to a blueprint in your Kandji Account.