Kernel Extensions - Overview and Guide

By Joe Wyatt-Borner

Overview and recommendations for KEXTs

What Is a Kernel Extension?

Kernel extensions, sometimes referred to as kexts, enable developers to load code dynamically into the macOS kernel. This provides access to internal kernel interfaces, allowing complex apps to function properly. Examples of such apps include virtualization applications and hypervisors such as Parallels or VMware Fusion.

What Is a System Extension?

System extensions have been the modern replacement for kernel extensions since macOS Catalina. With system extensions, Apple provides new frameworks for developers to perform tasks previously reserved for kernel extensions. The primary benefit of system extensions is that they run in user space rather than in kernel space; by running in user space, system extensions cannot compromise the built-in security or stability of macOS.

Although kernel extensions do still work in macOS Catalina and beyond, Apple has deprecated the use of certain types of kexts and developers should work to move their kexts to system extensions as equivalent system extension frameworks become available. Currently, there are three new system extension frameworks available to replace kexts. Kexts that operate outside of these new frameworks (such as virtualization software like VMware Fusion) must continue to use kexts until Apple offers equivalent system extension frameworks.

  • DriverKit: Use the new DriverKit framework to create drivers for USB, Serial, NIC, and HID devices that users can install on macOS Catalina. Learn more about DriverKit.
  • Network Extensions: Network extension apps such as content filters, DNS proxies, and VPN clients can now be distributed to a user’s Mac as system extensions on macOS Catalina. Learn more about NetworkExtension.
  • Endpoint Security: Endpoint security clients, including antivirus and endpoint detection and response software, can leverage the EndpointSecurity API to monitor and even block system events to better conform with security policies and protect against potential malicious activity. Learn more about Endpoint Security.

System extensions can also be allowed using a separate configuration profile. 

Many applications now use system extensions as recommended by Apple. For any software still leveraging kernel extensions, we recommend reaching out to your software vendors to encourage them to move to system extensions.

Additional Information:

Kernel Extensions Overview (Apple Developer Documentation Archive)

System Extensions (Apple Developer)

How Can I Find Team IDs and Bundle Identifiers?

To find the specific Team IDs and bundle identifiers, perform the following steps on a Mac that has already approved the desired kernel extensions.

Method 1: (Easier)

  1. Copy and run the script below in Terminal.
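    # Write the CSV header row
    echo "Team ID,Bundle Identifier,KEXT Allowed,Developer Name,Flags" > ~/Desktop/kext.csv

    # Export the kext policy table; -csv quotes fields that contain commas (for example, developer names)
    sudo sqlite3 -csv /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * FROM kext_policy;" >> ~/Desktop/kext.csv

    # Open the result in the default CSV application
    open ~/Desktop/kext.csv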

A CSV file will appear on your desktop. Inside you'll find the information on kernel extensions currently installed on your Mac, including Team IDs and bundle identifiers. 

If you see the same "Team ID" listed multiple times, this is because it has multiple bundle identifiers (kernel extension files) associated with that Team ID.

Method 2:

  1. Open Terminal and run the following command:
    sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
  2. Then run the following command:
    SELECT * FROM kext_policy;
  3. You will be presented with output similar to: