System Extension Whitelists
System extensions allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access.
About this task
Note:
- Multiple system extension whitelists can be specified in a single policy.
- Multiple system extension whitelists policies can be added to a policy group and deployed.
To create a System Extension Whitelist policy:
- Open the MDM app.
- Click Create Policy.
- From the list of policy types, select System Extension Whitelists. The following page appears.
- Enter the following details.
- Policy Name: Enter a name for the policy.
- Description: Enter a description for your policy.
- Operating System: Cannot be changed as this is applicable only to macOS.
- Assign Policy to Site: Select a site from the dropdown menu to assign the policy to that site. Non-master operators can see only the sites in the dropdown menu to which they have access.
- Under Define System Extension Whitelists, enter the Team ID and the Bundle ID.
- Team ID: The Team ID is unique to a specific development team. It is a 10-character alphanumeric string that Apple generates and associates with the developer's or vendor's Developer ID.
- Bundle IDs: A Bundle ID is an alphanumeric string that uniquely identifies a system extension. You can specify more than one Bundle ID, separated by commas, for any given Team ID.
Run the following command to show all the system extensions in effect on the machine across all products:
systemextensionsctl list
Locate the ones of interest for whitelisting and create a policy or policies that cover everything you wish to whitelist.
The output might look similar to the following:
bigfixmdm@LP2-US-xxxxxxxx mdm % systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID  bundleID (version)  name  [state]
*  *  PXPZ95SK77  com.paloaltonetworks.GlobalProtect.client.extension (5.2.6-87/1)  GlobalProtectExtension  [activated enabled]
Where PXPZ95SK77 is the Team ID and com.paloaltonetworks.GlobalProtect.client.extension is the Bundle ID.
Note:
- To whitelist the system extension of an application from a specific vendor, you must specify both the Team ID and the Bundle ID.
- Do not add multiple entries with the same Team ID, as only the last one in the list will actually be used. If you have multiple system extensions to whitelist with the same Team ID, add all the Bundle IDs in one entry separated by commas. For example:
Bundle IDs: BundleID1,BundleID2,BundleID3
- If you do not specify any extension type, the policy assumes all system extensions associated with the Team ID are allowed.
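The following added example (not part of the original documentation or the MDM product) parses the output of `systemextensionsctl list`, groups the Bundle IDs by Team ID so that each Team ID yields exactly one whitelist entry with comma-separated Bundle IDs, and maps each extension category to the extension type name used in the policy. The GlobalProtect line is the one shown above; the other rows and the Team ID `TEAMID0002` are constructed sample data.

```python
"""Group systemextensionsctl output into one whitelist entry per Team ID."""
from collections import OrderedDict

# Category lines printed by systemextensionsctl, mapped to the extension
# type names used by the policy. Unknown categories are passed through as-is.
CATEGORY_TO_TYPE = {
    "com.apple.system_extension.driver_extension": "Driver Extension",
    "com.apple.system_extension.network_extension": "Network Extension",
    "com.apple.system_extension.endpoint_security": "Endpoint Security Extension",
}

# Constructed sample output. Columns are tab-separated, as the tool prints them.
# Only the GlobalProtect row comes from the documentation; TEAMID0002 is made up.
SAMPLE_OUTPUT = (
    "3 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tPXPZ95SK77\tcom.paloaltonetworks.GlobalProtect.client.extension (5.2.6-87/1)"
    "\tGlobalProtectExtension\t[activated enabled]\n"
    "*\t*\tTEAMID0002\tcom.example.edr.netfilter (1.0/1)\tExampleFilter\t[activated enabled]\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tTEAMID0002\tcom.example.edr.sysext (1.0/1)\tExampleES\t[activated enabled]\n"
)


def parse_extensions(text):
    """Return (team_id, bundle_id, type_name) for every extension row."""
    rows, current_type = [], None
    for line in text.splitlines():
        if line.startswith("--- "):                      # category header
            category = line[4:].strip()
            current_type = CATEGORY_TO_TYPE.get(category, category)
            continue
        parts = line.split("\t")
        if len(parts) < 4 or parts[2] == "teamID":      # skip count/header lines
            continue
        bundle_id = parts[3].split(" ")[0]              # drop the "(version)" suffix
        rows.append((parts[2], bundle_id, current_type))
    return rows


def whitelist_entries(text):
    """One policy entry per Team ID: comma-joined Bundle IDs and needed types."""
    grouped = OrderedDict()
    for team, bundle, ext_type in parse_extensions(text):
        entry = grouped.setdefault(team, {"bundle_ids": [], "types": set()})
        if bundle not in entry["bundle_ids"]:           # avoid duplicate Bundle IDs
            entry["bundle_ids"].append(bundle)
        entry["types"].add(ext_type)
    return {team: {"bundle_ids": ",".join(e["bundle_ids"]), "types": sorted(e["types"])}
            for team, e in grouped.items()}
```

Each returned entry's `bundle_ids` string can be pasted directly into the Bundle IDs field for that Team ID, and `types` lists the Allowed System Extension Types to select.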
- Allowed System Extension Types:
- Driver Extension: Select this to allow driver extensions built with the DriverKit framework, that is, drivers for USB, Serial, NIC, and HID devices that users can install in macOS. Learn more about DriverKit.
- Network Extension: Select this to allow network extension apps such as content filters, DNS proxies, and VPN clients distributed as system extensions to macOS. Learn more about NetworkExtension.
- Endpoint Security Extension: Select this to allow endpoint security clients, including Endpoint Detection and Response (EDR) and antivirus software, that use the EndpointSecurity API to monitor and even block system events in order to enforce security policies and protect against potentially malicious activity. Learn more about Endpoint Security.
- Add System Extension: If you want to whitelist more than one product from different vendors within a single policy, click Add Extension to add additional Team ID and Bundle IDs to the same policy.
- Click Save. The System Extension Whitelist policy is created.