Need some advice… so with the new Apple silicon Macs we have had several new security features such as system extensions, secure and bootstrap tokens etc… automating tasks remotely without user intervention is complicated now… Apple needs to figure out how to streamline this process for their new lineups. You guys got any tips you could share that helped you with this?
Legacy kexts vs system extensions (Solved)
Replies (11)
This! It would be so helpful if we could share our processes to help make management easier…
So, I have been trying to organize my policies with PPPC, system and kernel extensions and separate them into individual policies. Some apps have all of them configured in an individual policy, some have them configured separately, and some are applied over others. Will removing and reassigning them break everything?
I guess for each app, deploying separate policies for PPPC and extensions is the way to go. It saves you a lot of trouble and is easier to sort…
I heard they are phasing out kernel extensions for newer macOS versions. When is the right time to apply system extensions instead of kexts?
Apple support says it is already out; they consider kexts as legacy system extensions: https://support.apple.com/en-us/HT211860. They have a guide on how to manage kexts with unsupported KPIs and how system extensions will be the norm from macOS Monterey onwards…
Thanks for that, I need to be on top of this for future deployments…
Sure, it’s already updated here in Help: https://www.hexnode.com/mobile-device-management/help/how-to-configure-kernel-extension-settings-for-mac-with-hexnode-mdm/
Why shift from kexts to system extensions? Seems like a swift move…
Kexts have deeper control over the core OS, making it vulnerable to exploits. While it helps with increased functionality by addressing hardware directly at the kernel level, even a minor vulnerability could potentially brick the device. Apple’s first response was to enforce user approval for third-party kexts, and restart the OS while loading the kernel. Unfortunately, hackers found a way to bypass this and hijack the OS. So, they rolled out system extensions with new framework support to get the same functionality without jeopardizing security.
If a sys extension crashes, the rest of the system won’t be affected as it exists in the user space instead of the kernel space. There is an extensive blog on how sys extensions will effectively replace kexts:
https://www.hexnode.com/blogs/why-mac-system-extensions-are-the-modern-replacement-to-kernel-extensions-kexts/
Hi there,
Thank you for using Hexnode Connect!
You have nothing to worry about when switching from kexts to system extensions. Reassigning extensions will not hinder performance but may require some extensive effort. Updating outdated kexts with a newer version or replacing them with system extensions may require restarting the app and rebooting the system.
In macOS Big Sur and Monterey, apps notify users with dialogs that the app requires legacy system extensions (kexts). Mac computers with Apple silicon require special permission to run kexts: the security policy must be changed to Reduced Security before a user can install a kext. macOS Catalina will be the last macOS to support legacy system extensions fully. You may also search what kexts and system extensions run on your system with scripts.
Depending on the requirements for each app, identify which software uses kexts and update them. Unsupported or deprecated KPI will fail and needs to be replaced. Such KPIs can be replaced with their respective alternatives suggested by Apple and deployed using system extensions. Some apps require kexts to run until system extensions efficiently replace their functionalities. Remove policies with outdated kexts and associate policies with system extensions. Use team ID and bundle ID to install these extensions silently without user interaction.
Here is a quick guide on kernel and system extensions to seamlessly complete the transition from kexts to system extensions with Hexnode. Feel free to reach out for our assistance when needed.
Regards,
Ethan Miller
Hexnode UEM
- This reply was modified 2 years, 9 months ago by Ethan.
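The reply above suggests scripting an inventory of which kexts and system extensions are present, and using the team ID and bundle ID to allow-list system extensions for silent installation. The script below is an added example (not Hexnode's or Apple's code) that does exactly that inventory: it lists loaded third-party kexts and prints the team ID and bundle ID of every activated system extension. It assumes the column layout of `kextstat` and the tab-separated table that `systemextensionsctl list` prints on macOS 11 and later; the embedded sample output, team IDs and bundle IDs are constructed, not captured from a real Mac.

```bash
#!/bin/bash
# Added example, not Hexnode's or Apple's code. Inventory for the kext -> system
# extension migration: third-party kexts still loaded, and the team ID / bundle ID
# of each activated system extension (the values an MDM allow-list profile needs).
# Assumes the tab-separated layout of `systemextensionsctl list` (macOS 11+) and
# that `kextstat` prints the bundle ID in column 6.

# Constructed sample of `systemextensionsctl list` output for offline runs and tests
# (hypothetical team IDs and bundle IDs; not captured from a real Mac).
SAMPLE_SYSEXT_LIST=$(printf '%b' \
'2 extension(s)\n'\
'--- com.apple.system_extension.network_extension\n'\
'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'\
'*\t*\tABCDE12345\tcom.example.vpn.netext (1.2.0/120)\tExample VPN Tunnel\t[activated enabled]\n'\
'--- com.apple.system_extension.endpoint_security\n'\
'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'\
'*\t*\tFGHIJ67890\tcom.example.edr.esext (3.1/31)\tExample EDR Sensor\t[activated enabled]\n'\
'\t\tFGHIJ67890\tcom.example.edr.oldext (2.0/20)\tOld Sensor\t[terminated waiting to uninstall on reboot]\n')

# Read `systemextensionsctl list` output on stdin; print "teamID bundleID" for each
# extension that is enabled (col 1), active (col 2) and in the "activated enabled" state.
activated_sysexts() {
  awk -F'\t' '$1 == "*" && $2 == "*" && $6 ~ /activated enabled/ {
    split($4, id, " ")          # drop the " (version)" suffix from the bundleID column
    print $3, id[1]
  }'
}

# Read `kextstat` output on stdin; print loaded kexts whose bundle ID is not Apple's.
# Requires a reverse-DNS-looking column 6 so header and diagnostic lines are skipped.
third_party_kexts() {
  awk 'NR > 1 && $6 ~ /^[A-Za-z]+\./ && $6 !~ /^com\.apple\./ { print $6 }'
}

# Print the inventory. Uses the live tools on a Mac and the constructed sample elsewhere.
migration_inventory() {
  if command -v kextstat >/dev/null 2>&1; then
    echo "== Third-party kexts still loaded (must move to system extensions) =="
    kextstat 2>/dev/null | third_party_kexts
  fi
  echo "== Activated system extensions (teamID bundleID for the allow-list profile) =="
  if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | activated_sysexts
  else
    printf '%s\n' "$SAMPLE_SYSEXT_LIST" | activated_sysexts
  fi
}

migration_inventory
```

On a real Mac the printed team ID and bundle ID pairs are the values to put in the system extension allow-list; an extension that is still "waiting to uninstall on reboot" is deliberately left out of the list.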