
Kernel Extensions, System Extensions, Privacy Preferences

Overview


Applications deployed to macOS devices may require the configuration of Kernel Extensions, System Extensions or Privacy Preferences. These can be configured remotely through Mosyle so the user isn't prompted to allow any additional items when the application is installed.

Kernel Extensions


The Kernel Extensions profile allows signed kernel extensions to load from a list of developer Team Identifiers or a list of Team Identifiers mapped to application Bundle Identifiers. Map Team Identifiers to Bundle Identifiers to allow specific Bundle Identifiers to load. Enter only the developer Team Identifier to allow all Bundle Identifiers.

Be sure to reference an application's software documentation to confirm whether system extensions have replaced kernel extensions, or whether both are needed. Mac computers running macOS 11 or later require user approval or manual intervention to load kernel extensions, unless it is a Mac computer with Apple silicon and Bootstrap Token is allowed for authentication. Check Apple's documentation for more information on kernel extensions and management of legacy extensions.

To create a Kernel Extensions Profile

  • Click Management > Click Kernel Extensions
  • Click “Add New Profile” and name the profile
  • Select options as needed:
    • Allow User Override: This option allows users to approve kernel extensions that are not approved or pushed using the MDM
    • Non-Admin User Approvals: This allows non-admin users to approve kernel extensions (Recommended on devices running macOS 11+)
  • Allowed Team Identifiers: to approve all kernel extensions from a specified developer, enter the developer Team Identifier in the field
  • Allowed Kernel Extensions: to approve kernel extensions for specific bundle identifiers from a developer, enter the developer Team Identifier and the corresponding approved application Bundle Identifiers
  • Assign the profile to users and/or devices
  • Save


System Extensions


The System Extensions profile loads system extensions on devices running macOS 10.15 or later. System extensions run in user space and replace kernel extensions. While developers transition applications from kernel extensions to system extensions, an app may require a Kernel Extensions profile in addition to the System Extensions profile. Check the developer documentation to confirm the use of either kernel or system extensions. Reference Apple's documentation for more information about system extensions.

To create a System Extensions Profile

  1. Click Management > System Extensions
  2. Click “Add New Profile” and name the profile
  3. Choose how to allow the extensions: allow all system extensions from specific Team IDs; allow specific system extensions from specific Team IDs; or allow specific system extensions
  4. Enter the Team ID and Bundle ID
  5. Assign the profile to users and/or devices
  6. Save
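
As an added example (not Mosyle's or Apple's code), the Python script below reads an unsigned configuration profile and lists what its kernel and system extension payloads permit, showing the difference between a team-wide entry and a Team ID mapped to Bundle IDs. It assumes the profile uses Apple's standard payload types and keys; the function names, Team IDs and bundle IDs are constructed placeholders.

```python
import plistlib

KEXT = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT = "com.apple.system-extension-policy"
# Apple payload key holding the Team ID -> [Bundle ID, ...] mapping, per payload type.
PER_BUNDLE_KEY = {KEXT: "AllowedKernelExtensions", SYSEXT: "AllowedSystemExtensions"}


def summarize_extension_policy(profile_bytes: bytes) -> list[str]:
    """List what each kernel/system extension payload in a profile permits."""
    notes = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in PER_BUNDLE_KEY:
            continue
        mapped = payload.get(PER_BUNDLE_KEY[ptype], {})
        # A bare Team ID approves every extension signed by that developer.
        whole_team = payload.get("AllowedTeamIdentifiers", [])
        for team in whole_team:
            notes.append(f"{ptype}: team {team} allows all bundle IDs")
        for team, bundles in mapped.items():
            scope = "superseded by team-wide entry" if team in whole_team else "only"
            notes.append(f"{ptype}: team {team} -> {sorted(bundles)} ({scope})")
        # Only explicit values are reported; absent keys fall back to Apple's defaults.
        if payload.get("AllowUserOverrides") is True:
            notes.append(f"{ptype}: users may approve extensions not in the profile")
        if ptype == KEXT and payload.get("AllowNonAdminUserApprovals") is True:
            notes.append(f"{ptype}: non-admin users may approve kernel extensions")
    return notes


def constructed_profile() -> bytes:
    """Constructed sample profile; Team IDs and bundle IDs are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": KEXT,
             "AllowUserOverrides": True,
             "AllowedTeamIdentifiers": ["TEAMID0001"],
             "AllowedKernelExtensions": {"TEAMID0001": ["com.example.kext"]}},
            {"PayloadType": SYSEXT,
             "AllowUserOverrides": False,
             "AllowedSystemExtensions": {"TEAMID0002": ["com.example.netfilter"]}},
        ],
    })


if __name__ == "__main__":
    for line in summarize_extension_policy(constructed_profile()):
        print(line)
```

A signed profile must have its signature wrapper removed before `plistlib` can parse it.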

 

 

Privacy Preferences


The Privacy profile configures privacy permissions for applications. It's installed at the system level, meaning configurations will not be visible to the logged-in user in System Settings > Privacy & Security.

Apple's MDM protocol does not allow MDM solutions to remotely grant certain privacy permissions such as Camera, Microphone, Screen Sharing/Capture, Location Services, and Listen Events (Input Monitoring). The Microphone and Camera permissions may be approved by a Standard local account. By default, Screen Capture and Listen Events require Admin credentials. For devices running macOS 11+, you can create the Privacy profile with the option "Allow Standard User to Set (macOS 11 and later)" for these two permissions.

To create a Privacy Profile

  1. Click Management > Click Security & Privacy > Privacy tab
  2. Click “Add New Profile” and name the profile
  3. Configure as needed
  4. Assign the profile to users and/or devices
  5. Save

Some features in Mosyle require the agent to have certain Privacy Permissions. Check the box “Install the Privacy Preferences Policy Control settings for the Mosyle Manager app to allow access to all necessary files and application data.”