System Extensions - Overview and Guide

Overview and recommendations for system extensions

What Is a System Extension?

System extensions are the modern replacement to kernel extensions (kexts) in macOS Catalina. With system extensions, Apple provides new frameworks for developers to perform tasks previously reserved for kexts. The primary new benefit of system extensions is that they run in the user space rather than in the kernel space; by running in the user space, system extensions cannot compromise the built-in security or stability of macOS. Although kexts do still work in macOS Catalina, Apple has deprecated the use of certain types of them, and developers should work to move their kexts to system extensions as equivalent frameworks become available.

Currently, there are three new system extension frameworks available to replace kexts:

  • DriverKit: Use the new DriverKit framework to create drivers for USB, Serial, NIC, and HID devices that users can install in macOS Catalina. Learn more about DriverKit.
  • Network Extensions: Network extension apps such as content filters, DNS proxies, and VPN clients can now be distributed as system extensions to macOS Catalina. Learn more about NetworkExtension.
  • Endpoint Security: Endpoint security clients, including antivirus software, can now leverage the new EndpointSecurity API to monitor and even block system events to better conform with security policies and protect from potential malicious activity. Learn more about Endpoint Security

Kexts that operate outside of these new frameworks—such as virtualization software—must continue to use kexts until Apple offers equivalent system extension frameworks. 

System extensions can also be allowed using a separate configuration profile. 

At the time this article was written, most applications that used kexts are still using them. We recommend you reach out to your software vendors to encourage them to move to system extensions.

Additional Information:

Kernel Extensions Overview - Apple Developer Documentation Archive

System Extensions - Apple Developer

What Is a Kernel Extension?

Kernel extensions, sometimes referred to as kexts, give developers the ability to load code dynamically into the macOS kernel. They provide access to internal kernel interfaces that enable complex apps to function properly. Examples of such apps include virtualization applications and hypervisors such as Parallels or VMware Fusion.

The Difference Between Kernel Extensions and System Extensions

If you are unsure whether a piece of software uses a system extension or a kext, there are a few ways to find out:

  • Contact the software manufacturer.
  • After installing your software, run the command below to list all active system extensions. If no system extensions are listed, then the software likely leverages a legacy kext; in that case, please see this support article
systemextensionsctl list

Here is an example of the output you might see if no system extensions are installed.

Last login: Fri May 22 11:05:10 on ttys000
This system is reserved for authorized Kandji use only, and may be monitored.
KandjiSupport@TestMac1 ~ % systemextensionsctl list
0 extension(s)

Here is an example of the output you might see if a system extension is installed.

Last login: Fri May 22 12:59:03 on ttys000
This system is reserved for authorized Kandji use only, and may be monitored.
KandjiSupport@TestMac1 ~ % systemextensionsctl list
1 extension(s)

--- com.apple.system_extension.endpoint_security

enabled active teamID bundleID (version) name [state]

* * 9PTGMPNXZ2 com.symantec.mes.systemextension

(10.0.0/10.0.0) Symantec System Extension

[activated enabled]

Create a System Extension Profile

Follow these steps to create a system extension profile in Kandji that will pre-approve an application's system extension(s). 

  1. Log in to your Kandji instance and navigate to the Library section in the navigation panel.
  2. Click Add New.

    Group 19
  3. Click System Extension then Add and Configure

    Group 18
  4. Give your new profile a name, such as "KEXT allowance."
  5. Optional: If you deselect Allow users to approve system extensions, this will prevent all users on the Mac—including local administrators—from approving additional system extensions not approved via a profile. Additionally, selecting this option will disapprove any system extensions a user has previously approved. 

    Group 17
  6. Input the Team ID; this is the identifier in the third column of the Terminal output generated by the systemextensionsctl list command discussed above.
  7. Optionally provide a Name to associate with the Team ID.
  8. Under the System Extensions portion, you may optionally change the default value of Approve all system extensions. Leaving this option at its default setting will preapprove any System Extension from the specified Team ID. You can optionally set this option to one of the following 
    • Allow specific system extensions: Allows you to specify the exact bundle ID of the specific system extension you want to approve; use the bundle ID generated by the systemextensionsctl list command described above.
    • Allow specific system extension types: Allows you to specify system extension types from a developer—such as endpoint security extensions, driver extensions, or network extensions—that you want to be preapproved. For our Symantec example, we would approve the Endpoint security extensions type, as this matches the extension type generated by the systemextensionsctl list command described above.

      If necessary, you can select the Add Team ID button to allow additional system extensions in a single profile. 
  1. Click Save.Group 16