How To: Add Kernel Extension Exceptions using Ivanti MDM in 2018.3

Version 6

    Verified Product Versions

    Endpoint Manager 2018.x

    Issue:

    macOS High Sierra 10.13 introduces a new feature that requires user approval before loading new third-party kernel extensions.


    Finding Extensions:

    The easiest method to find the Team_ID needed for the .mobileconfig file is to install the desired application and approve the extension.

    Then launch a terminal session on the Mac and switch to an elevated shell session using the following command.

    sudo sh

    Access the KextPolicy database using the following command.

    sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

    Once at the sqlite3 prompt, type the following command to list the installed kernel extensions:

    select * from kext_policy;

    The output will look similar to this:

    [Screenshot: Kext_Policy_Table.png, the kext_policy table output; its rows are reproduced below]

    The example below lists the columns in the above 'kext_policy' table, followed by the sample rows from the screenshot:

    Team_ID      Bundle_ID                     Allowed  Developer_Name          Flags
    DE8Y96K9QP   com.cisco.kext.acsock         1        Cisco                   1
    Z3L495V9L4   com.intel.kext.intelhaxm      0        Intel Corporation Apps  4
    G7HH3F8CAK   com.getdropbox.dropbox.kext   0        Dropbox, Inc.           4
    X9E956P446   com.crowdstrike.platform      1        CrowdStrike Inc.        5
    X9E956P446   com.crowdstrike.platform      1        CrowdStrike Inc.        1


    Create the MobileConfig file

    Using the output from the kext_policy table, locate the Team_ID for the application and add it to the 'AllowedTeamIdentifiers' section in the attached .mobileconfig file using the following syntax: <string>TeamID</string>

    <key>AllowedTeamIdentifiers</key>
    <array>
        <string>TeamID1</string>
        <string>TeamID2</string>
    </array>

    Please note: the Team IDs are case-sensitive.
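
    The two steps above (reading the kext_policy table, then copying the Team IDs into the AllowedTeamIdentifiers array) can be scripted. The following Python example is added here for illustration and is not part of this article or an Ivanti tool. It builds an in-memory SQLite table from the sample rows shown above as a stand-in for the real KextPolicy database (the column names and types are assumed for the example; to run it on a Mac, point sqlite3.connect at /var/db/SystemPolicyConfiguration/KextPolicy from an elevated shell), keeps only the Team IDs of extensions that were approved (Allowed = 1), collapses duplicates such as the two CrowdStrike rows, rejects any value that is not ten uppercase alphanumerics (which catches a lower-cased paste, since the IDs are case-sensitive), and prints the array fragment in the syntax shown above.

```python
"""Pull Team IDs from a KextPolicy-style table and emit the
AllowedTeamIdentifiers fragment for a kernel extension policy profile.
Added example; not part of the original article."""
import re
import sqlite3
from xml.sax.saxutils import escape

# Constructed sample rows, copied from the kext_policy table shown in the article.
# Column order follows the article's listing: Team_ID, Bundle_ID, Allowed, Developer_Name, Flags.
SAMPLE_ROWS = [
    ("DE8Y96K9QP", "com.cisco.kext.acsock", 1, "Cisco", 1),
    ("Z3L495V9L4", "com.intel.kext.intelhaxm", 0, "Intel Corporation Apps", 4),
    ("G7HH3F8CAK", "com.getdropbox.dropbox.kext", 0, "Dropbox, Inc.", 4),
    ("X9E956P446", "com.crowdstrike.platform", 1, "CrowdStrike Inc.", 5),
    ("X9E956P446", "com.crowdstrike.platform", 1, "CrowdStrike Inc.", 1),
]

# Apple Team IDs are ten uppercase alphanumeric characters; anything else is a typo or a
# lower-cased copy, which the profile would not match because the IDs are case-sensitive.
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")


def open_sample_db():
    """Build an in-memory stand-in for /var/db/SystemPolicyConfiguration/KextPolicy.
    The schema here is assumed for the example; on a real Mac open the actual file instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, allowed INTEGER, "
        "developer_name TEXT, flags INTEGER)"
    )
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def approved_team_ids(conn, only_allowed=True):
    """Return distinct Team IDs in first-seen order. By default only extensions the user
    already approved (allowed = 1) are included, so an unapproved kext is not whitelisted
    by accident. Duplicate rows (the two CrowdStrike entries) collapse to one ID."""
    sql = "SELECT team_id FROM kext_policy"
    if only_allowed:
        sql += " WHERE allowed = 1"
    seen = []
    for (team_id,) in conn.execute(sql):
        if team_id not in seen:
            seen.append(team_id)
    return seen


def check_team_ids(team_ids):
    """Return the entries that do not look like a Team ID (wrong length or lowercase)."""
    return [t for t in team_ids if not TEAM_ID_RE.match(t)]


def allowed_team_identifiers_fragment(team_ids):
    """Render the <key>AllowedTeamIdentifiers</key> block in the syntax the article shows.
    Raises ValueError rather than emitting an ID that the policy would silently ignore."""
    bad = check_team_ids(team_ids)
    if bad:
        raise ValueError("not valid Team IDs: %s" % ", ".join(bad))
    lines = ["<key>AllowedTeamIdentifiers</key>", "<array>"]
    lines += ["    <string>%s</string>" % escape(t) for t in team_ids]
    lines.append("</array>")
    return "\n".join(lines)


if __name__ == "__main__":
    db = open_sample_db()
    print(allowed_team_identifiers_fragment(approved_team_ids(db)))
```

    Paste the printed block into the AllowedTeamIdentifiers section of the profile. Keep in mind that an entry in AllowedTeamIdentifiers approves every kernel extension signed by that team, not just the one you installed, so review the Bundle_ID column of the query output to see what each Team ID covers before adding it.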

    Save the .mobileconfig file to the following folder on the core server:

    %install Directory%\LANDesk\ManagementSuite\ldlogon\AgentBehaviors\macOSPayloads\whitelisting_profiles

    Deploy the MobileConfig File

    From Agent Settings, import the .mobileconfig file into the macOS Device Configuration Profile, and schedule an update to agent settings to distribute the new configuration. In order for the kernel extensions to apply, the device will need to be enrolled in Ivanti MDM.

    [Screenshots: Process 1, Process 2]

    To include the profile when a device is enrolled in MDM first, the profile will need to be selected in the Agent configuration for MDM enrollment which can be found in A

    For more information on installing the Ivanti macOS agent during MDM enrollment, see the following document.

    About Integrated Device Management for MacOS in EPM 2018.3