Legacy System Extensions Alerts

By Aaron Alquillera

Learn why your end users might be receiving alerts regarding Legacy Kernel Extensions

Changes in macOS Catalina version 10.15.4

Starting with macOS 10.15.4, Apple has begun alerting end users if their Mac has a Kernel Extension that leverages deprecated KPIs (Kernel Programming Interfaces).

Apple has begun referring to deprecated Kernel Extensions as "Legacy System Extensions" in certain macOS interfaces and support documentation.

An example of this alert can be seen below. 


Prevent this Alert

To prevent your users from seeing this notification you will need to allow any relevant Kernel Extension via Kandji. 

  1. Determine the Kernel Extension(s) causing the alerts and gather a list of all the developer names being presented to your end users.
  2. Determine the Kernel Extension developer's Team ID (and optionally KEXT bundle ID). The following Kandji support article will walk you through collecting this information from a Mac receiving the alert, as well as how to create the required KEXT approval profile in Kandji.
  3. We also highly encourage you to work with any Software Vendors that are impacted by this change and request that they move their Kernel Extension to a System Extension equivalent.

What is a Kernel Extension?

Essentially, KEXTs (Kernel Extensions) are bundles of code that let developers extend the capabilities of the kernel. These Kernel Extensions leverage Programming Interfaces know as KPIs (Kernel Programming Interfaces). Because the kernel is in charge of everything on the system, and because all KEXTs are given kernel privileges, these extensions are very powerful. Due to this high level of privilege, these extensions can cause what is known as "Kernel Panics"; essentially errors that occur in the macOS Kernel that are unrecoverable and require a system reboot. 

What is a System Extension?

Like KEXTs, System Extensions extend the functionality of the operating system. However, unlike KEXTs, System Extensions run in userland (Userspace), outside of the Kernel, thus free from many of the restrictions developers had to face while coding in the Kernel (many of which we’ll discuss in the next section). This significant departure from KEXT development dramatically improves the reliability of macOS and nearly eliminates the chance of an unrecoverable error.
System Extensions introduced in macOS Catalina replace certain types of Kernel Extensions and KPIs.
Kernel Extensions that leverage one or more of the following KPIs that have System Extension equivalents will cause the aforementioned alert.

KPISystem Extension Replacement
KAUTHEndpointSecurity
Network FilterNetworkExtension
IOHIDFamilyHIDDriverKit
IOUSBFamilyUSBDriverKit
USB NetworkingNetworkingDriverKit
USB SerialUSBSerialDriverKit 
USB Vendor Specific IPCUSBDriverKit / IOUSBHost / DriverKit 


About Legacy System Extensions
https://support.apple.com/en-us/HT210999
Additional information on deprecated Kernel Extensions 
https://developer.apple.com/support/kernel-extensions/
Additional information on System Extensions
https://developer.apple.com/system-extensions/