Add the Kernel Extensions Policy Payload

Introduced in macOS High Sierra, the Kernel Extensions Policy payload allows administrators to whitelist Kernel Extensions on a user's behalf.   This ensures applications work as expected and minimizes disruption to the device user.  

In this section, you'll configure a Kernel Extension Policy for your test device.

1. Close System Preferences if opened

Close System Preferences if opened

This section helps you to create a device profile which will change some system preferences in your Mac. However, to see those changes take place, you must first close any existing System Preference sessions if they are already open.

If System Preferences are opened, click X to close.

2. Add a macOS Device Profile

Add a macOS Device Profile

Return to the workstation you are taking the Hands-on Lab from. In the Workspace ONE UEM console:

  1. Select Devices
  2. Select Profiles & Resources
  3. Select Profiles
  4. Select Add
  5. Select Add Profile

3. Select Profile Platform

Select Profile Platform

Select the macOS icon.

4. Select the Profile Context

Select the Profile Context

Select the Device Profile icon.

5. Profile General Settings

Profile General Settings

Configure the device profile as follows:

  1. Select General if it is not already selected.
  2. Enter macOS Kernel Extension Policy for the profile name.
  3. Select Auto for the Assignment Type.
  4. Scroll down to view the Smart Groups field, and click in the search box. This will pop-up the list of created Smart Groups. Enter All Devices and select the All Devices ([email protected]) group.
  1. Note: You do not need to click Save or Save & Publish at this point.  This interface allows you to move around to different payload configuration screens before saving.

6. Select the Profile Payload

  1. Enter Kernel in the Profile search box
  2. Click Kernel Extension Policy
  3. Click Configure

7. Configure Kernel Extension Policy

  1. Check the box for Allow User Overrides
  2. Click Add under Allowed Team Identifiers
  3. Enter EG7KH642X6 (the VMware Fusion Team Identifier)
    NOTE: Remember that you can select text in the manual and drag-and-drop the text into the workstation console to copy and paste!

8. Add Allowed Kernel Extensions

  1. Scroll down until you see the section Allowed Kernel Extensions
  2. Click + ADD twice
  3. Enter X9E956P446 (the CrowdStrike Team Identifier) and com.crowdstrike.platform as the BundleID
    NOTE: Remember that you can select text in the manual and drag-and-drop the text into the workstation console to copy and paste!
  4. Enter X9E956P446 (the CrowdStrike Team Identifier) and com.crowdstrike.sensor as the BundleID
    NOTE: Remember that you can select text in the manual and drag-and-drop the text into the workstation console to copy and paste!
  5. Click Save and Publish

The above settings perform the following:

  • Allow the user to whitelist Kernel Extensions if prompted
  • Preemptively whitelist all Kernel Extensions signed by the VMware Fusion team's Team Identifier.
  • Preemptively whitelist two specific bundle ID's signed by the Crowdstrike Team Identifier.

More detail about User-Approved Kernel Extension loading can be found on the VMware Blog:   https://blogs.vmware.com/euc/2018/02/user-approved-kernel-extension-macos.html

9. Publish the Device Profile

Click the Publish button.

0 Comments

Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.