How To: Remove Kernel Extensions from macOS

Version 4

    Verified Product Versions

    Endpoint Manager 2018.x

    Issue:

    Kernel extensions are present that need to be removed for testing deployment via Ivanti MDM.

     

     

    Determine whether the extension is present:

    On the target Mac, launch a Terminal session and switch to an elevated shell using the following command.

    sudo sh

     

    Then access the KextPolicy database using the following command.

     

    sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

     

    At the sqlite3 prompt, type the following command to list the installed kernel extensions:

     

    select * from kext_policy;
    

     

    The output will look similar to this:

    [Screenshot: Kexy_policy.png]

     

     

    Reboot into Recovery Mode:

    While logged into macOS, the kext_policy DB is locked in read-only mode, so the Mac will need to be rebooted into Recovery Mode. This can be done by following the steps in the Apple article "About macOS Recovery - Apple Support".

    Once Recovery Mode has loaded, click Utilities and select Terminal.

    In Recovery Mode, the sqlite3 command cannot be launched from the current location. Instead, to connect to the database, run the following commands (adjust the volume name if the startup disk is not named Macintosh HD):

    cd /Volumes/Macintosh\ HD/usr/bin

    ./sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy

     

     

    Remove the extension:

    Once connected to the database, the 'select *' command can be used to list the installed extensions again if needed.

     

    The example below lists the columns in the 'kext_policy' table:

    Team_ID     Bundle_ID                    Allowed  Developer_Name          Flags
    DE8Y96K9QP  com.cisco.kext.acsock        1        Cisco                   1
    Z3L495V9L4  com.intel.kext.intelhaxm     0        Intel Corporation Apps  4
    G7HH3F8CAK  com.getdropbox.dropbox.kext  0        Dropbox, Inc.           4
    X9E956P446  com.crowdstrike.platform     1        CrowdStrike Inc.        5
    X9E956P446  com.crowdstrike.platform     1        CrowdStrike Inc.        1

     

    To delete KEXT data from the DB for a specific application, determine which column data to use to target the extension.

    For this example, I want to remove the CrowdStrike extensions, and I will use the Team_ID column and the Bundle_ID column in my examples below. The IDs are case sensitive.

     

    delete from kext_policy_mdm where Team_ID = 'X9E956P446';

     

    Or

     

    delete from kext_policy_mdm where Bundle_ID like '%crowdstrike%';

     

    You can then run the 'select *' command again to verify the extension has been removed.
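
The following is an added example, not part of the original article: a Python rehearsal of the two delete statements above against an in-memory stand-in table, previewing what each WHERE clause matches and rolling back when the row count is not the expected one. The three-column schema, the sample rows (including the look-alike bundle ID) and the function names are assumptions made for illustration. It shows that `=` is case-sensitive while SQLite's `LIKE` is case-insensitive for ASCII, so the `%crowdstrike%` pattern can match more rows than the Team_ID form.

```python
import sqlite3

# Constructed sample rows; the last one is an invented look-alike bundle ID.
SAMPLE_ROWS = [
    ("DE8Y96K9QP", "com.cisco.kext.acsock", 1),
    ("X9E956P446", "com.crowdstrike.platform", 1),
    ("ZZZZZZZZZZ", "com.example.CrowdStrikeHelper", 1),
]

def make_sample_db():
    """In-memory stand-in for a copy of KextPolicy (assumed minimal schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kext_policy_mdm "
               "(team_id TEXT, bundle_id TEXT, allowed INTEGER)")
    db.executemany("INSERT INTO kext_policy_mdm VALUES (?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db

def preview(db, where, params=()):
    """Rows a DELETE with this WHERE clause would remove.

    `where` is a fixed fragment typed by the operator; values are bound.
    """
    sql = "SELECT team_id, bundle_id FROM kext_policy_mdm WHERE " + where
    return db.execute(sql, params).fetchall()

def delete_checked(db, where, params, expected):
    """Run the DELETE, but roll back unless exactly `expected` rows go."""
    cur = db.execute("DELETE FROM kext_policy_mdm WHERE " + where, params)
    if cur.rowcount != expected:
        db.rollback()
        return False
    db.commit()
    return True

if __name__ == "__main__":
    db = make_sample_db()
    print(preview(db, "team_id = ?", ("X9E956P446",)))
    print(preview(db, "bundle_id LIKE ?", ("%crowdstrike%",)))
    print(delete_checked(db, "bundle_id LIKE ?", ("%crowdstrike%",), expected=1))
    print(delete_checked(db, "team_id = ?", ("X9E956P446",), expected=1))
```

To rehearse against real data, point `sqlite3.connect` at a copy of the KextPolicy file rather than the live database.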