Approve Kernel Extension via profile

With the release of OS High Sierra 10.13.4, I have found myself with notification prompting about allowing Kernel Extension for certain applications (Cylance,etc..)
Since I mostly use JAMF, the recent release of JAMF Pro 10.3 enables us to deploy a profile that will allow us to handle this prior to installation and for the user.

Following instructions from a post of Graham Gilbert, I was able to easily pull the IDs I needed from a computer that had successfully enabled the kernel extension.

Launch Terminal: sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
Then: SELECT * FROM kext_policy;

Once you have the IDs (It will be a 10 characters string), go into the Configuration Profiles in JAMF Pro and Click New
In General, Enter the name of your choosing i.e Approved Kernel Extensions
We also want to make sure it’s installed at the computer level

Once we have finished with General, let’s head to the bottom of the payload page and select Approved Kernel Extensions Payload

Click Configure, on the new displayed page we will enter the ID under Team ID, I would also use the display name to match the app we are enabling so here Cylance, Inc. and then enter the Team ID.
If you want to be more restrictive in allowing only some kernel extensions, use the kernel extension bundle option where you will enter the bundle specific information i.e com.Cylance.CyProtectDrvOSX
and with this, only the bundle specific will be approve should there be more bundle under the same Team ID

Repeat for all the Kernel Extensions you would like to approve and once done, scope it to the users you want and save to push it.

That’s it.


2 thoughts on “Approve Kernel Extension via profile

  1. This works for Macs that you are building right? Not for already deployed Macs in the field? You are hitting the database while its not active at installation time. It seemed to me that you could not do the insertion of the codes without user authorization once the database is active.

    Please let me know if I am wrong, thanks!

    • This will depends on if you are using DEP or not. I am using DEP so it doesn’t matter if it’s deployed now or later, as long as you are using an approved MDM, the profile will be deployed. Now say for a previously DEPed computer I have removed the MDM and manually re enrolled it into my MDM, it will not work until the you or the user goes into the Profiles Section in System Preferences and click approve for the Main MDM (the one that can wipe your computer, etc) once you have approved it there, the profiles will be deployed to the machine (and by profile here I am talking about the kernel extension one as the other profiles like wifi, firewall, etc will deploy fine without user approval). I hope this makes sense to you. As for the database, I just access it from a machine I have installed and approved the kernel extension I am interested in. Even if you manually approve the kernel extension via system preference, the data from the database will be the same as it would if you had done it via a profile.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s