How To: Remove Kernel Extensions from macOS

Version 4

    Verified Product Versions

    Endpoint Manager 2018.x


    Kernel extensions are present that need to be removed for testing deployment via Ivanti MDM.



    Determine whether the extension is present:

    From the target Mac, launch a terminal session and switch to an elevated shell session using the following command.

    sudo sh


    Then access the KextPolicy database using the following command.


    sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy


    Once at the sqlite3 prompt, type the following command to list the installed kernel extensions:


    select * from kext_policy;


    The output will look similar to this:




    Reboot into Recovery Mode:

    While logged into macOS, the kext_policy DB is locked in read-only mode, so the Mac will need to be rebooted into Recovery Mode. This can be done by following the steps in the Apple Support article "About macOS Recovery".

    Once Recovery Mode has loaded, click Utilities, and select Terminal.

    When in Recovery Mode, the sqlite3 command cannot be launched from the current location. Instead, to connect to the database, run the following commands:


    cd /Volumes/Macintosh\ HD/usr/bin

    ./sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy



    Remove the extension:

    Once connected to the database, the 'select *' command can be used to list the installed extensions again if needed.


    The example below lists the columns in the 'kext_policy' table

    Team_ID     Bundle_ID                    Allowed  Developer_Name    Flags
                                                      Corporation Apps  4
    G7HH3F8CAK  com.getdropbox.dropbox.kext  0        Dropbox, Inc.     4
    X9E956P446  com.crowdstrike.platform     1        CrowdStrike Inc.  5
    X9E956P446  com.crowdstrike.platform     1        CrowdStrike Inc.  1


    To delete KEXT data from the DB for a specific application, determine which column data to use to target the extension.


    For this example, I want to remove the CrowdStrike extensions, and I will use the Team_ID column, and the Bundle_ID column in my examples below. The IDs are case sensitive.


    delete from kext_policy_mdm where Team_ID = 'X9E956P446';




    delete from kext_policy_mdm where Bundle_ID like '%crowdstrike%';


    You can then run the 'select *' command again to verify the extension has been removed.
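The following is an added example, not part of the original article or any Ivanti or Apple tooling. It rehearses the delete against an in-memory stand-in for a copy of KextPolicy, showing how many rows each WHERE clause matches before anything is removed. It queries each table by name, since the listing above reads kext_policy while the delete statements target kext_policy_mdm. The table schemas, the kext_policy_mdm rows and all function names are assumptions made for the demo.

```python
import sqlite3

# Constructed rows modelled on the article's kext_policy listing; the
# kext_policy_mdm contents and both schemas are assumptions for this demo.
ROWS = [
    ("G7HH3F8CAK", "com.getdropbox.dropbox.kext", 0),
    ("X9E956P446", "com.crowdstrike.platform", 1),
]
TABLES = ("kext_policy", "kext_policy_mdm")

def build_demo_db():
    """Create an in-memory stand-in for a copy of the KextPolicy database."""
    conn = sqlite3.connect(":memory:")
    for table in TABLES:
        conn.execute(f"CREATE TABLE {table} (team_id TEXT, bundle_id TEXT, allowed INTEGER)")
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn

def count_matches(conn, table, column, operator, value):
    """Count the rows a DELETE with the same WHERE clause would remove."""
    if table not in TABLES:
        raise ValueError("unexpected table")
    if column not in ("team_id", "bundle_id") or operator not in ("=", "LIKE"):
        raise ValueError("unexpected column or operator")
    sql = f"SELECT COUNT(*) FROM {table} WHERE {column} {operator} ?"
    return conn.execute(sql, (value,)).fetchone()[0]

def delete_checked(conn, table, column, operator, value, expected):
    """Delete only when the match count equals what the operator expects."""
    found = count_matches(conn, table, column, operator, value)
    if found != expected:
        raise RuntimeError(f"{found} rows match, expected {expected}; nothing deleted")
    with conn:  # commits on success, rolls back if the DELETE raises
        conn.execute(f"DELETE FROM {table} WHERE {column} {operator} ?", (value,))
    return count_matches(conn, table, column, operator, value)

if __name__ == "__main__":
    db = build_demo_db()
    # '=' compares text case-sensitively, so a lower-cased Team_ID matches nothing.
    print(count_matches(db, "kext_policy_mdm", "team_id", "=", "x9e956p446"))
    # LIKE ignores ASCII case by default, so it can match more than intended.
    print(count_matches(db, "kext_policy_mdm", "bundle_id", "LIKE", "%CROWDSTRIKE%"))
    print(delete_checked(db, "kext_policy_mdm", "team_id", "=", "X9E956P446", expected=1))
    # Rows in the other table are unaffected and must be checked separately.
    print(count_matches(db, "kext_policy", "team_id", "=", "X9E956P446"))
```

Running the same count against a copy of the real database before rebooting into Recovery Mode shows which table actually holds the rows to be removed.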