Key Takeaways for System and Kernel Extensions on macOS
Over the years, Apple has cultivated a reputation for creating high-quality products that are well-designed, easy to use, and reliable. It’s also no secret that Apple puts safety and security first when it comes to its devices. For companies that prioritize these considerations, macOS is their go-to choice.
To maintain their status in the marketplace, Apple decided to address certain security issues with their macOS devices. One of them involved restricting the installation of legacy kernel extensions and moving toward safer and more secure macOS system extensions. But what led to this move? What accounts for kernel extensions being replaced by system extensions?
Have no fear—here is everything you need to know about Apple extensions.
What is a system extension?
Third-party developers have long been dreaming up ways to extend the native capabilities of macOS. To create powerful apps, developers often need direct access to macOS hardware, peripheral hardware, or other OS functionality. Historically, this has been achieved through kernel extensions or KEXTs, which enable code to be executed at the macOS kernel level.
While KEXTs have allowed third-party developers to ship increasingly complex app functionality, they have also become an alarming attack vector for bad actors targeting macOS.
To counter this vulnerability, Apple announced macOS system extensions at its 2019 Worldwide Developer Conference as a way to begin pivoting away from kernel extensions. Seen as a major security advancement, system extensions run in the more tightly controlled userspace, outside of the kernel, to provide third-party developers with access to OS-level functionality while improving security and reliability.
This is how Apple describes macOS system extensions:
“System extensions work in the background to extend the functionality of your Mac without requiring kernel access. Some apps install kernel extensions, or KEXTs—a kind of system extension that works using older methods that aren’t as secure or reliable as modern alternatives. Your Mac identifies these as legacy system extensions.”
What are kernel extensions (KEXTs)?
KEXTs are application bundles, or pieces of code, designed to broaden macOS functionality by allowing software to load directly into the macOS kernel.
The macOS kernel is the heart of the operating system: software components interact with the hardware and core system services through it.
A KEXT therefore lets software address the macOS hardware directly and gives it access to low-level OS interactions, from peripheral hardware and memory management to task management and disk management.
A KEXT bundle must include these two files:
- A compiled binary file containing the executable code
- An Info.plist file containing critical information about the kernel extension, such as its name, version, identifier, and kernel library dependencies
Sometimes, the bundle.kext folder also contains other files, including:
- Device firmware
- Resources (including those localized for use by user-mode applications)
- Plugins, including other KEXTs
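The bundle layout above can be checked mechanically before a macOS 11 rollout. The following script is an added example, not Addigy or Apple code: it reads each bundle's Contents/Info.plist with Python's standard plistlib, reports the identifier, version and the kernel library dependencies a kext declares under its OSBundleLibraries key, checks that the binary named by CFBundleExecutable exists under Contents/MacOS, and flags any bundle outside the com.apple. namespace as third-party. The three bundles it builds in a temporary directory (including one deliberately broken one) are constructed sample data.

```python
import plistlib
import tempfile
from pathlib import Path

# Keys every KEXT Info.plist must carry; OSBundleLibraries maps kernel library dependencies to versions.
REQUIRED_KEYS = ("CFBundleIdentifier", "CFBundleVersion", "CFBundleExecutable")


def inspect_kext(bundle: Path) -> dict:
    """Summarise one .kext bundle, or return an error entry if it is malformed."""
    plist_path = bundle / "Contents" / "Info.plist"
    if not plist_path.is_file():
        return {"name": bundle.name, "error": "missing Contents/Info.plist"}
    with plist_path.open("rb") as fh:
        info = plistlib.load(fh)
    missing = [k for k in REQUIRED_KEYS if k not in info]
    if missing:
        return {"name": bundle.name, "error": "missing keys: " + ", ".join(missing)}
    binary = bundle / "Contents" / "MacOS" / info["CFBundleExecutable"]
    return {"name": bundle.name, "identifier": info["CFBundleIdentifier"],
            "version": info["CFBundleVersion"], "binary_present": binary.is_file(),
            "libraries": sorted(info.get("OSBundleLibraries", {})),
            # Anything outside Apple's namespace is third-party and needs a system extension replacement.
            "third_party": not info["CFBundleIdentifier"].startswith("com.apple.")}


def inventory(root: Path) -> list[dict]:
    """Inspect every *.kext directory below root, in path order."""
    return [inspect_kext(p) for p in sorted(root.rglob("*.kext")) if p.is_dir()]


def build_sample_kext(root: Path, identifier: str, version: str, libraries: dict) -> Path:
    """Write a minimal constructed bundle layout (placeholder binary, not a real driver)."""
    bundle = root / (identifier.rsplit(".", 1)[-1] + ".kext")
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    (bundle / "Contents" / "MacOS" / "driver").write_bytes(b"\x00")
    with (bundle / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": identifier, "CFBundleVersion": version,
                       "CFBundleExecutable": "driver", "OSBundleLibraries": libraries}, fh)
    return bundle


def run_demo() -> list[dict]:
    """Build three constructed bundles (Apple, third-party, broken) and inventory them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_kext(root, "com.apple.driver.SampleFamily", "1.0", {"com.apple.kpi.iokit": "19.6"})
        build_sample_kext(root, "com.example.vpnfilter", "1.2.0",
                          {"com.apple.kpi.bsd": "19.6", "com.apple.kpi.libkern": "19.6"})
        (root / "Broken.kext").mkdir()  # a bundle with no Info.plist at all
        return inventory(root)
```

Pointing inventory() at /Library/Extensions on a real Mac gives the list of third-party kexts whose vendors you need to chase for a system extension update.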
Why are kernel extensions no longer recommended for macOS?
While KEXTs have historically given developers the freedom to design apps with complex functionality, they have also presented quite a few security challenges for Apple.
For one, kernel extensions aren’t bound by macOS’s security policies. Once a KEXT is loaded into the kernel, it has complete access to all the hardware on the device, bypassing the system’s security rules.
Even after Apple required that third-party kernel extensions be approved by the user, that the Mac be restarted, and that Secure Boot be set to “Reduced Security,” hackers discovered new ways to bypass these safeguards and expose macOS systems through KEXTs.
Direct kernel access also has a direct impact on macOS reliability: if an application’s KEXT crashes, it can take the whole system down.
Considering these potential vulnerabilities and reliability issues, KEXTs have been deprecated starting with macOS 10.15 and are no longer supported in macOS 11.0 and newer, as they compromise the integrity and reliability of the operating system. Apple advises using solutions that don’t require extending the kernel, and using macOS system extensions instead. Applications that rely on KEXTs will not operate on Macs running macOS 11.0 and newer.
System extension pros and cons
From Apple’s perspective, macOS system extensions are a great leap forward in making macOS more secure. After all, third-party kernel extensions expose macOS to a greater possibility of exploit whereas macOS system extensions remove this attack path.
The downside is that some vendors have not yet upgraded their applications to use system extensions, which means that if you need those apps, you must keep your users on macOS 10.15 or older.
How to enable system extensions on macOS
System extensions can be enabled manually on devices by an administrator. When this happens, the user will be asked to open the “Security & Privacy” preferences to permit the extension.
On macOS, you can use the Extensions pane in System Preferences to enable and disable Apple and third-party extensions for the device.
To change these preferences, go to the Apple menu, then “System Preferences,” and finally click “Extensions.”
You also have the option to use the “Automator” app to create a “Quick Action” workflow that you can access anytime.
The manual enablement of system extensions gets the job done, but doesn’t provide the best end-user experience.
MDM providers, like Addigy, offer functionality for managed devices that lets you deploy a defined set of approved system extensions en masse, without the approval prompts that can disturb the end user.
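What an MDM pushes for that pre-approval is a configuration profile carrying Apple’s SystemExtensions payload (PayloadType com.apple.system-extension-policy). The script below is an added example, not Addigy’s product code: it builds that payload with AllowUserOverrides set to false and a per-Team-ID allow list of bundle identifiers and extension types, wraps it in a device-scoped profile, and serialises it with Python’s plistlib. The Team ID ABCDE12345, the bundle identifiers and the profile identifier are constructed placeholders.

```python
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.system-extension-policy"
VALID_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}


def system_extension_policy(allowed_extensions, allowed_types=None, allow_user_overrides=False):
    """Build one SystemExtensions payload: allowed_extensions maps a Team ID to the bundle
    identifiers it may load; allowed_types maps a Team ID to the extension types it may load."""
    allowed_types = allowed_types or {}
    for team, kinds in allowed_types.items():
        unknown = set(kinds) - VALID_TYPES
        if unknown:
            raise ValueError("unknown extension type(s) for %s: %s" % (team, sorted(unknown)))
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": PAYLOAD_TYPE + "." + str(uuid.uuid4()),
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        # False: users cannot approve extensions outside this list in Security & Privacy.
        "AllowUserOverrides": allow_user_overrides,
        # Listing bundle identifiers per team is narrower than AllowedTeamIdentifiers, which approves a whole team.
        "AllowedSystemExtensions": {t: sorted(ids) for t, ids in allowed_extensions.items()},
    }
    if allowed_types:
        payload["AllowedSystemExtensionTypes"] = {t: sorted(k) for t, k in allowed_types.items()}
    return payload


def configuration_profile(payloads, name, identifier):
    """Wrap payloads in a device-scoped configuration profile, returned as XML plist bytes."""
    return plistlib.dumps({
        "PayloadContent": list(payloads), "PayloadDisplayName": name,
        "PayloadIdentifier": identifier, "PayloadType": "Configuration",
        "PayloadScope": "System", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1}, fmt=plistlib.FMT_XML)


def parse_profile(data):
    """Read a profile back, e.g. to review exactly what the MDM will push."""
    return plistlib.loads(data)


def build_example_profile():
    """Constructed example: a placeholder Team ID whose VPN and EDR extensions are pre-approved."""
    policy = system_extension_policy(
        allowed_extensions={"ABCDE12345": ["com.example.vpn.tunnel", "com.example.edr.agent"]},
        allowed_types={"ABCDE12345": ["NetworkExtension", "EndpointSecurityExtension"]})
    return configuration_profile([policy], "Pre-approved system extensions",
                                 "com.example.mdm.system-extensions")
```

Writing build_example_profile() to a .mobileconfig file and uploading it to the MDM is the deployment step; parse_profile() lets you diff what you are about to push against what is already on the devices.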
What’s the current status of system extensions and KEXTs?
In 2019, Apple officially informed developers that macOS Catalina would be the last macOS to fully support legacy KEXTs.
Macs running macOS 10.15 and older can continue to run applications that require KEXTs, but those running macOS 11.0 and newer must run applications using system extensions if they need additional device access. It’s important to note that there are some system extensions that are currently incompatible with older versions of macOS.
In the event that macOS is using a legacy third-party extension, a system alert will appear. In that case, you need to reach out to its developer. When the app has been updated by the developer, installing that available update typically ends up resolving the issue by removing the dependency on the kernel extension. If the developer is unwilling to update the app, it’s probably time to start searching for an alternative.
For many businesses, navigating the Apple world can be tricky. Luckily, Addigy gives you the tools to seamlessly manage all the Apple devices in your managed networks.
We even offer training programs to sharpen your Apple device management skills.