Kernel extensions are present that need to be removed for testing deployment via Ivanti MDM.
Determine the extension is present:
From the target Mac, launch a terminal session and switch to an elevated shell session using the following command.
Then access the KextPolicy database using the following command.
Once in the SQLITE prompt, type the following command to list the installed kernel extensions:
select * from kext_policy;
The output will look similar to this:
Reboot into Recovery Mode:
While logged into macOS, the kext_policy DB is locked in Read Only mode, so the Mac will need to be rebooted into recovery mode. This can be done by following the steps in this Apple article. About macOS Recovery - Apple Support
Once recovery Mode has loaded, click Utilities, and select Terminal.
When in Recovery Mode, the SQLITE3 command cannot be launched from the current location. Instead, to connect to the database run the following commands:
cd /Volumes/Machintosh\ HD/usr/bin
./sqlite3 /Volumes/Machintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy
Remove the extension:
Once connected to the database, the 'select *' command can be used to list the installed extensions again if needed.
The example below lists the columns in the 'kext_policy' table
|Z3L495V9L4||com.intel.kext.intelhaxm||0||Intel Corporation Apps||4|
To delete KEXT data from the DB for specific application, determine what column data to use to target the extension.
For this example, I want to remove the CrowdStrike extensions, and I will use the Team_ID column, and the Bundle_ID column in my examples below. The IDs are case sensitive.
delete from kext_policy_mdm where Team_ID = ‘X9E956P446’;
delete from kext_policy_mdm where Bundle_ID like ‘%crowdstrike%’;
You can then run the 'select *' command again to verify the extension has been removed.