Kernel extension policy configuration (macOS device policy)
The Kernel extension policy configuration lets you approve or block selected third-party kernel extensions (also called legacy system extensions).
When you assign the policy to a Mac, the user must accept it. This doesn’t apply to Macs managed with Apple Business Manager.
Note
System extensions on macOS Catalina 10.15 and later are a replacement for kernel extensions. You can’t manage system extensions with the Kernel extension policy configuration.
Setting | Description |
---|---|
Allow user-approved extensions | When an app wants to install a kernel extension not approved by this configuration, macOS asks the user to approve it. When you turn the setting off, all extensions not approved by this configuration are blocked. |
Approve Sophos extensions | Sophos kernel extensions are approved. |
Approved Team IDs | A list of Team ID values. Kernel extensions signed by one of these IDs are approved. |
Find the Team ID
To find the Team ID of a kernel extension, install it on a Mac in your test environment. Then enter the following two commands in Terminal:
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;
Use Control-D to exit the sqlite3 session.
You get one line of output for every kernel extension installed. In each line, the first value is the Team ID.
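The following Python script is an added example, not part of the original documentation. It reads the same `kext_policy` table and shows how each Team ID found would be treated under the Approved Team IDs and Allow user-approved extensions settings; it doesn't model Approve Sophos extensions. Assumptions: the second value in each row is the bundle identifier, the function names are hypothetical, and the in-memory database and its Team IDs are constructed sample data.

```python
import sqlite3

# Path from the page; reading it on a real Mac usually requires root.
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"


def team_ids(conn):
    """Map each Team ID to the sorted bundle identifiers recorded for it."""
    teams = {}
    # The page states that the first value of each row is the Team ID.
    # Assumption: the second value is the extension's bundle identifier.
    for row in conn.execute("SELECT * FROM kext_policy"):
        team = row[0] or "(none)"  # rows without a Team ID can't be approved by ID
        teams.setdefault(team, set()).add(row[1])
    return {team: sorted(bundles) for team, bundles in teams.items()}


def policy_outcome(teams, approved_team_ids, allow_user_approved):
    """Classify each Team ID under the two settings described in the table."""
    approved = set(approved_team_ids)
    outcome = {}
    for team in teams:
        if team in approved:
            outcome[team] = "approved"      # listed in Approved Team IDs
        elif allow_user_approved:
            outcome[team] = "user prompt"   # macOS asks the user
        else:
            outcome[team] = "blocked"       # setting off: not approved, so blocked
    return outcome


def sample_db():
    """Constructed in-memory stand-in for the KextPolicy database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT)")
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?)", [
        ("EXAMPLE001", "com.example.net"),   # constructed values
        ("EXAMPLE001", "com.example.fs"),
        ("EXAMPLE002", "org.example.usb"),
    ])
    return conn


if __name__ == "__main__":
    # On a test Mac, replace sample_db() with sqlite3.connect(KEXT_POLICY_DB).
    teams = team_ids(sample_db())
    results = policy_outcome(teams, ["EXAMPLE001"], allow_user_approved=False)
    for team, result in sorted(results.items()):
        print(f"{team}\t{result}\t{', '.join(teams[team])}")
```

Run it against the test Mac's database before you turn off Allow user-approved extensions, so you can see which installed extensions would be blocked.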