Add the Kernel Extensions Policy Payload
Introduced in macOS High Sierra, the Kernel Extensions Policy payload allows administrators to whitelist Kernel Extensions on a user's behalf. This ensures applications work as expected and minimizes disruption to the device user.
In this section, you'll configure a Kernel Extension Policy for your test device.
1. Close System Preferences if opened
This section helps you to create a device profile which will change some system preferences in your Mac. However, to see those changes take place, you must first close any existing System Preference sessions if they are already open.
If System Preferences is open, click X to close it.
2. Add a macOS Device Profile
Return to the workstation you are taking the Hands-on Lab from. In the Workspace ONE UEM console:
- Select Devices
- Select Profiles & Resources
- Select Profiles
- Select Add
- Select Add Profile
3. Select Profile Platform
Select the macOS icon.
4. Select the Profile Context
Select the Device Profile icon.
5. Profile General Settings
Configure the device profile as follows:
- Select General if it is not already selected.
- Enter macOS Kernel Extension Policy for the profile name.
- Select Auto for the Assignment Type.
- Scroll down to view the Smart Groups field, and click in the search box. This will pop up the list of created Smart Groups. Enter All Devices and select the All Devices ([email protected]) group.
- Note: You do not need to click Save or Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.
6. Select the Profile Payload
- Enter Kernel in the Profile search box
- Click Kernel Extension Policy
- Click Configure
7. Configure Kernel Extension Policy
- Check the box for Allow User Overrides
- Click Add under Allowed Team Identifiers
- Enter EG7KH642X6 (the VMware Fusion Team Identifier)
NOTE: Remember that you can select text in the manual and drag-and-drop the text into the workstation console to copy and paste!
8. Add Allowed Kernel Extensions
- Scroll down until you see the section Allowed Kernel Extensions
- Click + ADD twice
- Enter X9E956P446 (the CrowdStrike Team Identifier) and com.crowdstrike.platform as the BundleID
- Enter X9E956P446 (the CrowdStrike Team Identifier) and com.crowdstrike.sensor as the BundleID
- Click Save and Publish
The above settings perform the following:
- Allow the user to whitelist Kernel Extensions if prompted
- Preemptively whitelist all Kernel Extensions signed by the VMware Fusion team's Team Identifier.
- Preemptively whitelist two specific bundle IDs signed by the CrowdStrike Team Identifier.
More detail about User-Approved Kernel Extension loading can be found on the VMware Blog: https://blogs.vmware.com/euc/2018/02/user-approved-kernel-extension-macos.html
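The profile built in steps 7 and 8 can be checked after export with the following added example, which is not part of the original lab or VMware's code: it reads a profile and separates team-wide approvals from bundle-scoped ones. It assumes the console emits Apple's standard com.apple.syspolicy.kernel-extension-policy payload keys and that the exported profile is an unsigned plist; the sample profile is constructed from the values entered above, and audit_kext_policy is a hypothetical helper name.

```python
import plistlib

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"

# Constructed sample: a profile carrying the values entered in steps 7 and 8.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "macOS Kernel Extension Policy",
    "PayloadContent": [{
        "PayloadType": KEXT_POLICY_TYPE,
        "AllowUserOverrides": True,
        "AllowedTeamIdentifiers": ["EG7KH642X6"],
        "AllowedKernelExtensions": {
            "X9E956P446": ["com.crowdstrike.platform",
                           "com.crowdstrike.sensor"],
        },
    }],
})


def audit_kext_policy(profile_bytes):
    """Summarize every kernel extension policy payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_POLICY_TYPE:
            continue
        teams = set(payload.get("AllowedTeamIdentifiers", []))
        per_bundle = payload.get("AllowedKernelExtensions", {})
        findings.append({
            # True: users may still approve kexts not listed in the profile.
            # None when the key is absent from the payload.
            "user_overrides": payload.get("AllowUserOverrides"),
            # Every kext signed by these teams is pre-approved.
            "team_wide": sorted(teams),
            # Only the listed bundle IDs are pre-approved for these teams.
            "bundle_scoped": {t: sorted(b) for t, b in per_bundle.items()},
            # Per-bundle entries add nothing once the whole team is allowed.
            "redundant": sorted(t for t in per_bundle if t in teams),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_kext_policy(SAMPLE_PROFILE):
        print(finding)
```

Team identifiers under team_wide deserve the closest review, since they pre-approve every kernel extension that team signs, while bundle_scoped entries limit approval to the named bundle IDs.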