System Extensions - Overview and Guide

Overview and recommendations for System Extensions

What is a System Extension?

System Extensions are the modern replacement for Kernel Extensions in macOS Catalina. With System Extensions, Apple provides new frameworks for developers to perform tasks previously reserved for Kernel Extensions. The primary benefit of System Extensions is that they run in user space rather than in kernel space. Because they run in user space, System Extensions cannot compromise the built-in security or stability of macOS. Although Kernel Extensions do still work in macOS Catalina, Apple has deprecated the use of certain types of KEXTs, and developers should work to move their KEXTs to System Extensions as equivalent System Extension frameworks become available. Currently, there are three new System Extension frameworks available to replace KEXTs. KEXTs that operate outside of these new frameworks (such as virtualization software like VMware Fusion) must continue to use KEXTs until Apple offers equivalent System Extension frameworks.

  • DriverKit - Use the new DriverKit framework to create drivers for USB, Serial, NIC, and HID devices that users can install on macOS Catalina. Learn more about DriverKit.
  • Network Extensions - Network extension apps such as content filters, DNS proxies, and VPN clients can now be distributed to a user’s Mac as system extensions on macOS Catalina. Learn more about NetworkExtension.
  • Endpoint Security - Endpoint security clients, including Endpoint Detection and Response software and antivirus software, can now leverage the new EndpointSecurity API to monitor and even block system events to better conform with security policies and protect from potential malicious activity. Learn more about Endpoint Security.

System Extensions can also be allowed using a separate configuration profile. 

At the time of this article, most applications that used Kernel Extensions are still using Kernel Extensions. We recommend you reach out to your software vendors to encourage them to move to System Extensions.

Additional Information:

Kernel Extensions Overview - Apple Developer Documentation Archive

System Extensions - Apple Developer

What is a Kernel Extension?

Kernel Extensions, sometimes referred to as KEXTs, give developers the ability to load code dynamically into the macOS kernel. This allows access to internal kernel interfaces, allowing complex apps to function properly. Examples of such apps include virtualization applications and hypervisors such as Parallels or VMware Fusion.

Differentiate between Kernel Extensions and System Extensions

If you are unsure if the software in question uses a System Extension or a Kernel Extension, there are a few tricks you can use to find out.

  • Contact the software manufacturer
  • Run the command below to list all active system extensions after installing your software. If no system extensions are listed, the software likely leverages a legacy Kernel Extension; in that case, please see this support article.
systemextensionsctl list

Here is example output when no System Extensions are installed.

Last login: Fri May 22 11:05:10 on ttys000
This system is reserved for authorized Kandji use only, and may be monitored.
KandjiSupport@TestMac1 ~ % systemextensionsctl list
0 extension(s)

Here is example output with a System Extension installed.

Last login: Fri May 22 12:59:03 on ttys000
This system is reserved for authorized Kandji use only, and may be monitored.
KandjiSupport@TestMac1 ~ % systemextensionsctl list
1 extension(s)

--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 9PTGMPNXZ2 com.symantec.mes.systemextension (10.0.0/10.0.0) Symantec System Extension [activated enabled]

Create a System Extension Profile

Follow these steps to create a System Extension profile in Kandji to pre-approve your application's System Extension(s).

  1. Log in to your Kandji instance and navigate to the Library section using the navigation panel.
  2. Click Add New

  3. Click System Extension then Add and Configure

  4. Give your new profile a name, such as KEXT allowance.
  5. Optional: If you deselect Allow users to approve Kernel Extensions, this will prevent all users on the Mac, including local administrators, from approving additional System Extensions not approved via a Profile.

    Additionally, selecting this option will un-approve any System Extensions an end user has previously approved.

  6. Input the Team ID we collected in the previous section; this is the identifier in the third column of the terminal output, "teamID".
  7. Optionally provide a name to associate with the Team ID.
  8. Under the System Extensions portion, you may optionally change the default value of Approve all system extensions. Leaving this option as default will pre-approve any System Extension from the specified Team ID.
    You can optionally set this option to one of the following:
    • Allow specific system extensions: this option lets you specify the exact bundle ID of the System Extension you want to approve. You can use the bundle ID you gathered in the previous section.
    • Allow specific system extension types: this option lets you specify the System Extension types you want to be pre-approved from the developer, such as Endpoint Security extensions, Driver extensions, or Network extensions.

      For our example of Symantec, we would approve the Endpoint Security extensions type, as this matches the system extension type listed in our terminal output from the previous section, "com.apple.system_extension.endpoint_security".

      If needed, you can select the Add Team ID button and allow additional System Extensions in a single profile.
  9. Click Save.
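
The three approval scopes in step 8, worked through on the Symantec listing from the previous section. This is an added example, not Kandji's own code: it parses `systemextensionsctl list` output and builds the matching keys of Apple's `com.apple.system-extension-policy` payload. It assumes the Kandji options correspond to those payload keys; `parse_extensions` and `build_policy` are hypothetical helper names.

```python
import plistlib
import re

# Constructed sample: the `systemextensionsctl list` output shown earlier on this page.
SAMPLE = """1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
*\t*\t9PTGMPNXZ2\tcom.symantec.mes.systemextension (10.0.0/10.0.0)\tSymantec System Extension\t[activated enabled]
"""

# Category header in the listing -> type name used by Apple's policy payload.
TYPES = {
    "com.apple.system_extension.endpoint_security": "EndpointSecurityExtension",
    "com.apple.system_extension.network_extension": "NetworkExtension",
    "com.apple.system_extension.driver_extension": "DriverExtension",
}
# teamID, bundleID, (version), name, [state]; tolerates tabs or spaces.
ROW = re.compile(r"\b([A-Z0-9]{10})\s+(\S+)\s+\(([^)]*)\)\s+(.*?)\s+\[([^\]]*)\]")

def parse_extensions(text):
    """Return one dict per listed extension, tagged with its category."""
    found, category = [], None
    for line in text.splitlines():
        if line.startswith("--- "):
            category = line[4:].strip()
        elif (match := ROW.search(line)):
            keys = ("team_id", "bundle_id", "version", "name", "state")
            found.append({**dict(zip(keys, match.groups())), "category": category})
    return found

def build_policy(extensions, mode="types", allow_user_overrides=False):
    """mode: 'team' = whole Team ID, 'bundle' = exact bundle IDs, 'types' = by type."""
    policy = {"PayloadType": "com.apple.system-extension-policy", "AllowUserOverrides": allow_user_overrides}
    for ext in extensions:
        team = ext["team_id"]
        if mode == "team":
            allowed, value = policy.setdefault("AllowedTeamIdentifiers", []), team
        elif mode == "bundle":
            scoped = policy.setdefault("AllowedSystemExtensions", {})
            allowed, value = scoped.setdefault(team, []), ext["bundle_id"]
        else:  # unknown categories raise KeyError rather than being approved
            scoped = policy.setdefault("AllowedSystemExtensionTypes", {})
            allowed, value = scoped.setdefault(team, []), TYPES[ext["category"]]
        if value not in allowed:
            allowed.append(value)
    return policy

if __name__ == "__main__":
    print(plistlib.dumps(build_policy(parse_extensions(SAMPLE))).decode())
```

The dictionary holds only the policy keys; a deployable profile also needs the usual payload identifier and UUID fields, which the MDM normally supplies.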