Create a Mac Kernel Extensions Policy

Some macOS apps require access to macOS Kernel Extensions (kexts), which can perform low-level tasks. JumpCloud’s Kernel Extensions Policy lets you preapprove access to specific Kernel Extensions before or after the app installation. This saves you time when managing Apple devices with Mobile Device Management (MDM): the policy approves the Kernel Extensions automatically, so you don’t have to ask the end user to handle approvals.

This Kernel Extensions Policy requires a Team ID and Bundle ID for the app that you want to preapprove.

Note:

Kernel Extensions are of limited use beginning with macOS 11 Big Sur. Apple has deprecated a number of key features of Kernel Extensions with macOS 11 Big Sur, and provided additional options for System Extensions. Organizations should not expect Kernel Extensions to work on Apple silicon devices without manual interventions and decreased security. Because of that, and because of the deprecation warnings from Apple regarding their use, organizations should consider replacing any Kernel Extensions with System Extensions.

Locating the Team ID and Bundle ID

macOS system services rely on code-signing information to identify apps that access key resources. Every signed, compiled app on macOS has a code signature that identifies the process that is running the app. Only signed apps can access these key system services, and Apple silicon Macs require signed apps. All Kernel Extensions are signed with a code-signing certificate that contains the Team ID of the organization that is responsible for the application.

To locate an app’s Team ID and Bundle ID:
These instructions help you find the Team ID and Bundle ID so that you can set up access for an app that requires a Kernel Extension. The procedure uses a sample app called MacFUSE, an open source project that allows macOS devices to read and write alternative file systems that are not natively supported by the OS. You’ll substitute the app that requires a Kernel Extension.

  1. Run this command in Terminal to open a SQLite3 database:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

The device must have Kernel Extensions installed and approved.

  2. Run this command to view the Team ID and Bundle ID:

SELECT * FROM kext_policy;

The resulting list contains all active non-Apple Kernel Extensions and their Bundle IDs. For example, this list is from a device with MacFUSE and other extensions installed:

3T5GSNBU6W|io.macfuse.filesystems.macfuse|1|Benjamin Fleischer|1
FC94733TZD|com.ATTO.driver.ATTOThunderLinkFC16|1|ATTO Technology, Inc.|1
EQHXZ8M8AV|com.google.drivefs.filesystems.dfsfuse|1|Google, Inc.|1
Y2CCP3S9W7|com.symantec.kext.wssa|0|Broadcom Inc|4

  3. Locate the Team ID, which is the first value. For MacFUSE, it’s 3T5GSNBU6W.
  4. Locate the Bundle ID, which is the second value. For MacFUSE, it’s io.macfuse.filesystems.macfuse.
  5. In JumpCloud’s Kernel Extension Policy, add the Team ID and Bundle ID. For instructions, see Create a Mac Application Privacy Preferences Policy.
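
The lookup above, as an added example that is not part of the original article or JumpCloud's own code: a shell function that reads kext_policy rows in the pipe-separated form shown and prints each Team ID with its Bundle ID. It assumes the third field is the approval flag (1 = approved) and that a Team ID is 10 uppercase alphanumeric characters; the name kext_pairs is hypothetical.

```bash
#!/bin/sh
# Added example: extract Team ID / Bundle ID pairs from kext_policy rows
# so they can be entered into a Kernel Extensions Policy.

# Sample input: the four rows shown in the article, one per line.
SAMPLE_ROWS='3T5GSNBU6W|io.macfuse.filesystems.macfuse|1|Benjamin Fleischer|1
FC94733TZD|com.ATTO.driver.ATTOThunderLinkFC16|1|ATTO Technology, Inc.|1
EQHXZ8M8AV|com.google.drivefs.filesystems.dfsfuse|1|Google, Inc.|1
Y2CCP3S9W7|com.symantec.kext.wssa|0|Broadcom Inc|4'

# kext_pairs [all]
#   stdin : rows in sqlite3 default output, fields separated by "|"
#   stdout: TEAM_ID<TAB>BUNDLE_ID, one pair per line
# Assumption: field 3 is the approval flag (1 = approved). By default only
# approved rows are printed; pass "all" to include every row.
kext_pairs() {
  awk -F'|' -v mode="${1:-approved}" '
    $0 == "" { next }
    # Assumption: a valid row has 5 fields and a 10-character Team ID.
    NF != 5 || length($1) != 10 || $1 !~ /^[A-Z0-9]+$/ {
      print "skipping unrecognised row: " $0 > "/dev/stderr"
      next
    }
    mode == "all" || $3 == 1 { print $1 "\t" $2 }
  '
}

# On a Mac, feed it the query from the steps above:
#   sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy \
#     'SELECT * FROM kext_policy;' | kext_pairs
printf '%s\n' "$SAMPLE_ROWS" | kext_pairs
```

With the sample rows, the Symantec entry is left out by default because its third field is 0; review rows like that before preapproving them.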
