System Extension Whitelists

System extensions allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access.

About this task

Once installed, the whitelisted extensions become available to all users on the macOS system and can perform tasks that are previously reserved for kernel extensions. Learn more about system extensions.
Note:
  • Multiple system extension whitelists can be specified in a single policy itself.
  • Multiple system extension whitelists policies can be added to a policy group and deployed.

To create a System Extension Whitelist policy:

  1. Open the MDM app.
  2. Click Create Policy.
  3. From the list of policy types, select System Extension Whitelists. The following page appears.


  4. Enter the following details.
    • Policy Name: Enter a name for the policy.
    • Description: Enter description for your policy.
    • Operating System: Cannot be changed as this is applicable only to macOS.
    • Assign Policy to Site: Select a site from the dropdown menu to assign the policy to the selected site. Non-master operators can see only those sites in the dropdown menu to which they have access to.
  5. Under Define System Extension Whitelists, enter the Team ID and the Bundle ID.
    • Team ID: Team ID is unique to a specific development team. It is a 10-digit alphanumeric string, which Apple generates and associates with the developer’s or vendor’s Developer ID.
    • Bundle IDs: Bundle ID is an alphanumeric string that uniquely identifies a system extension policy. You can specify more than one Bundle ID separated by a comma for any given Team ID.
    To identify Team ID and Bundle IDs, obtain a list of system extensions that are present on the machine via terminal using the following command:
    systemextensionsctl list
    This command will show all the system extensions in effect on the machine across all products. You need to locate the ones of interest for whitelisting and create a policy or policies that cover everything you wish to whitelist.

    The output might look similar to the following:

    bigfixmdm@LP2-US-xxxxxxxx mdm % systemextensionsctl list
    
    1 extension(s)
    
    --- com.apple.system_extension.network_extension
    
    enabledactiveteamIDbundleID (version)name[state]
    
    **PXPZ95SK77com.paloaltonetworks.GlobalProtect.client.extension (5.2.6-87/1)GlobalProtectExtension[activated enabled]

    Where PXPZ95SK77 is the Team ID and com.paloaltonetworks.GlobalProtect.client.extension is the Bundle ID.

    Note:
    • To whitelist the system extension of an application from a specific vendor, you must specify both the Team ID and the Bundle ID.
    • Do not add multiple entries with the same Team ID, as only the last one in the list will actually be used. If you have multiple system extensions to whitelist with the same Team ID, add all the Bundle IDs in one entry separated by commas. For example:
      Bundle IDs: BundleID1,BundleID2,BundleID3
    • If you do not specify any extension type, the policy assumes all system extensions associated with the TeamID are allowed.
  6. Allowed System Extension Types:
    • Driver Extension: Select this to use the DriverKit framework and create drivers for USB, Serial, NIC, and HID devices that users can install in macOS. Learn more about DriverKit.
    • Network Extension: Select this to distribute network extension apps such as content filters, DNS proxies, and VPN clients as system extensions to macOS. Learn more about NetworkExtension.
    • Endpoint Security Extension: Endpoint security clients, including Endpoint Detection and Response software, antivirus software, can leverage the new EndpointSecurity API to monitor and even block system events to better conform with security policies and protect from potential malicious activity. Learn more about Endpoint Security.
  7. Add System Extension: If you want to whitelist more than one product from different vendors within a single policy, click Add Extension to add additional Team ID and Bundle IDs to the same policy.
  8. Click Save. The system extension whitelisting is created.

Results

A System Extension Whitelist policy is created and is ready to be deployed.

What to do next

Add the created policy to a policy group and deploy onto the MDM server or eligible devices.