whitelisting kernel extensions via team id's


whitelisting kernel extensions via team id's


We are currently looking at making the jump over from JAMF to Meraki - partially give us more control over other non-apple devices. (which we will be deploying in the future ) for the moment we are pretty much 100% MacOS based. (just portable systems, not IOS)


I've hit a pretty hard block though, and I'm hoping others here have run into this and can provide me with some ideas.


User Approved Kernel Extensions. the Kextpocylipse. 

Introduced in 10.13.2 this was a major major impact across all of our managed systems.

Cisco anyconnect, crowdstrike, vmware fusion, google file stream, and multipe other applications are part of our standard system deployment.  The end users needing to go into system pref/security and hit "allow" each time they try to run these apps (the first time) after upgrading, is totally unacceptable.  I have many users who will NOT go and do this - as such, things like our endpoint protection (crowdstrike) will not even be able to run.  I still have a good 50% of my user base running 10.12.x - When they upgrade all of them will hit this wall, UNLESS I have some sort of profile I can push out to them.  If it applies fast enough during login, they may not get the wall of "system extension blocked!" error messages (I had almost 12 of them when I first upgraded)


In JAMF I was able to use their user approved kernel extensions policy to specify a list of team pre-approved TeamIDs - thus making the system just automatically allow these applications to work, without the user having to go into system preferences/security and hit "allow"


I'm now trying to figure out how I can accomplish this in Meraki Systems Manager - they do not (yet?) have a payload option for this - 

Is there a 3rd party program I can use to make a whitelist profile, then user Systems Manager to push it to my 10.13.2+ systems? 

I tried Apple Configurator 2, but it doesn't have a kext part as of yet.


I'm stuck in a hard place here. What have any of you done to get past this?  




- Dagan


7 Replies 7
Building a reputation

@Dagan You can definitely create them in the macOS Server app ($20 in the app store), under the Profile Manager section. If you're coming from Jamf, that Profile Manager is going to be your best friend b/c it offers multiple templates (including kernel extension approval) and the ability to create custom profiles that Meraki does not support.


Here's an example profile I made in Profile Manager for Symantec: https://github.com/ducksrfr/mac_admin/blob/master/profiles/kernelext_symantec.mobileconfig


Oh that is fantastic!

My previous job was in Apple Enterprise support, so I already have the server app - lucky me!


I'll experiment with that. Thank you for the quick response and the example!  

Hi sshort,

I'm still fairly new to this remote-management world, and despite using Meraki for a year, I'm certain I'm scratching the surface here with what I can accomplish with it....   Anywho~ let me see if I understand your solution correctly: 


From your post above, it seems like all I would need to do is create a .mobileconfig profile via the macOS Server app and then push it out to the users via System Manager > MDM Settings > Add Profile  > Upload custom Apple profile


Is that correct? 

Then moving forward, I just need to create a new profile each time we have a program/app that runs into the System Extension Blocked error when we attempt to install.



I'm actually migrating from Casper/Jamf - SO I had a full ktext kernel extension policy built there.  I found that I can actually EXPORT that sucker as a .mobileconfig straight from jamf.


I added it to meraki like you mentioned, and it is working perfect.


Another option would be to build it with the server OS - yes.


You just need it to be a .mobileconfig file and meraki is happy to deal with it.


Building a reputation

@rguthrie Yep, here's an example of the profile I made for Symantec: https://github.com/ducksrfr/mac_admin/blob/master/profiles/kernelext_symantec.mobileconfig


In terms of "finding" the bundle identifers or Team IDs, I recommended installing the apps you need to find this info from on a test Mac. Approve the Kernel extensions as needed if prompted.


Find the bundle identifiers of apps requiring kernel extension approval: 

kextstat | grep -v com.apple


Find the Team ID of apps requiring kernel extension approval: 

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

SELECT * FROM kext_policy;

Thanks so much all!! 

Off topic:  what caused the jamf to meraki move @Dagan ?    I'm happy with Meraki meself, but recently the question of "have we looked into jamf" came up and any insight would be awesome. thanks!


JAMF is fantasic and super powerful for *just* Mac OS and iOS devices.
My end users want more.
They want Windows OS, BYOD, Chrome OS..etc... JAMF just won't do that.
So, we either buy a SECOND tool to do that, or migrate to one tool to use them all.

Plus, cost wise, 1 year of JAMF = 3 years of Meraki....
My accounting guy really loved that math.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.