macOS High Sierra 10.13 introduces a new feature that requires user approval before loading new third-party kernel extensions.
The easiest method to find the Team_ID needed for the .mobileconfig file is to install the desired application and approve the extension.
Then launch a terminal session on the Mac and switch to an elevated shell session using the following command.
Access the KextPolicy database using the following command.
Once in the SQLITE prompt, type the following command to list the installed kernel extensions:
select * from kext_policy;
The output will look similar to this:
The example below lists the columns in the above 'kext_policy' table
|Z3L495V9L4||com.intel.kext.intelhaxm||0||Intel Corporation Apps||4|
Create the MobileConfig file
Using the output from the Kext_Policy table, locate the Team_ID for the application and add it to the 'AllowedTeamIdentifiers' section in the attached .mobileconfig file using the following syntax: <string>TeamID</string>
Please note: The Team IDs are case sensitive.
Save the mobile config to the following folder on the core server.
Deploy the MobileConfig File
From Agent Settings, import the .mobileconfig file into the macOS Device Configuration Profile, and schedule an update to agent settings to distribute the new configuration. In order for the kernel extensions to apply, the device will need to be enrolled in Ivanti MDM.
To include the profile when a device is enrolled in MDM first, the profile will need to be selected in the Agent configuration for MDM enrollment which can be found in A
For more information on installing the Ivanti macOS agent during MDM enrollment, please use the following document.