Settings apply to: User approved device enrollment, Automated device enrollment. User approved device enrollment is required.

Block User Overrides: Yes prevents users from approving system extensions that aren't in the allowed list. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to approve unknown extensions not included in the configuration profile.

Kernel extensions don't work on macOS devices with the M1 chip, which are macOS devices running on Apple silicon. This behavior is a known issue, with no ETA. If you use the kernel extensions settings, then consider excluding macOS devices with M1 chips from receiving the kernel extensions profile. For any macOS devices running 10.15 and newer, we recommend using system extensions (in this article).

Settings apply to: User approved device enrollment, Automated device enrollment

Allow User Overrides: Yes lets users approve kernel extensions not included in the configuration profile. By default, the OS might prevent users from allowing extensions not included in the configuration profile. Meaning, only extensions included in the configuration profile are allowed. For more information on this feature, see user-approved kernel extension loading (opens Apple's web site).

Allowed Team Identifiers: Use this setting to allow one or many team IDs. Any kernel extensions signed with the team IDs you enter are allowed and trusted. In other words, use this option to allow all kernel extensions within the same team ID, which may be a specific developer or partner.

Add a team identifier of valid and signed kernel extensions to load. For example, enter ABCDE12345. After you add a team identifier, it can also be deleted. Locate your Team ID (opens Apple's web site) has more information.

The Team ID is stored on the local KextPolicy database. You can get the Team ID using the sqlite3 command from a macOS device that has the same app installed. On the macOS device, open the Terminal app, and run the following script:

sudo /Volumes/Macintosh\ HD/usr/bin/sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy "SELECT * from kext_policy"

In our example, the volume name is Macintosh HD. Be sure you have root access, and can run a sudo command on the device.

In our example, the Team ID is PXPZ95SK77:

PXPZ95SK77||1|Palo Alto Networks|5

Allowed Kernel Extensions: Use this setting to allow specific kernel extensions. Only the kernel extensions you enter are allowed or trusted.

Add the bundle identifier and team identifier of a kernel extension to load. For unsigned legacy kernel extensions, use an empty team identifier. The team identifier must be alphanumeric (letters and numbers) and have 10 characters. For example, enter for Bundle ID, and ABCDE12345 for Team identifier.

You don't have to add team identifiers and kernel extensions.
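
The rows returned by the kext_policy query can be sorted into candidates for the Allowed Team Identifiers and Allowed Kernel Extensions settings before anything is typed into the profile. The script below is an added example, not part of the original article or of any Microsoft or Apple tooling. It assumes the second field of each row is the bundle ID (the article only shows that the team ID comes first), and every sample row except the article's own is constructed.

```shell
#!/bin/sh
# Added example: sort kext_policy rows into Intune allow-list candidates.
# Assumption: rows are '|'-separated with the team ID first and the
# bundle ID second; the remaining columns are ignored.

# is_team_id: true only for 10 alphanumeric characters, the format the
# Team identifier field requires.
is_team_id() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 10 ]
}

# classify_kext_rows: read query output on stdin and print, de-duplicated:
#   TEAM <id>          candidate for Allowed Team Identifiers
#   UNSIGNED <bundle>  legacy kext: list its bundle ID with an empty team ID
#   INVALID <value>    first field is not a well-formed team ID; review it
classify_kext_rows() {
    while IFS='|' read -r team bundle _rest || [ -n "$team$bundle" ]; do
        if is_team_id "$team"; then
            echo "TEAM $team"
        elif [ -z "$team" ] && [ -n "$bundle" ]; then
            echo "UNSIGNED $bundle"
        elif [ -n "$team" ]; then
            echo "INVALID $team"
        fi
    done | LC_ALL=C sort -u
}

# sample_rows: the article's row plus constructed rows (com.example.* and
# SHORT1 are made up for this example).
sample_rows() {
    cat <<'EOF'
PXPZ95SK77||1|Palo Alto Networks|5
ABCDE12345|com.example.driver|1|Example Corp|1
ABCDE12345|com.example.other|1|Example Corp|1
|com.example.legacy|1||1
SHORT1|com.example.bad|0|Example Corp|0
EOF
}

sample_rows | classify_kext_rows
```

On a real device, pipe the output of the sqlite3 command into classify_kext_rows instead of sample_rows, and review every TEAM line before allowing it, because a team ID trusts all kernel extensions signed by that developer.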