
Kernel Extension Policy Payload

Configuration Profiles

Payload that manages allowed kernel extensions (KEXTs) on macOS. Allows pre-approval of specific KEXTs by Team ID or bundle ID, bypassing user approval prompts.

What to Know

Kernel extensions operate at the deepest level of macOS with unrestricted access to system resources, making them powerful but potentially dangerous. macOS requires explicit user approval for KEXTs to prevent malicious software from gaining kernel-level access. The Kernel Extension Policy payload allows IT to pre-approve trusted KEXTs for enterprise software like security tools, VPN clients, and device drivers, eliminating disruptive approval prompts that confuse users and create support tickets.

Without pre-approval, users may deny necessary KEXTs out of confusion or security concerns, breaking critical enterprise software. Pre-approval also prevents users from accidentally approving malicious KEXTs disguised as legitimate software.
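As an added illustration (not Addigy's or Apple's own code), the Python sketch below builds the dictionary for Apple's `com.apple.syspolicy.kernel-extension-policy` payload and audits it for approvals that are broader than intended. The Team ID `ABCDE12345`, the bundle ID, and the `com.example.*` identifier are constructed values; the function names are hypothetical.

```python
import plistlib
import re
import uuid

PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID = re.compile(r"^[A-Z0-9]{10}$")  # Apple Team IDs are 10 characters

def build_payload(team_wide, by_bundle, allow_user_overrides=False):
    """Build the payload dict; by_bundle maps Team ID -> list of bundle IDs."""
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kext-policy",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": list(team_wide),
        "AllowedKernelExtensions": {t: list(b) for t, b in by_bundle.items()},
    }

def audit_payload(payload):
    """Return review findings for a kernel extension policy payload."""
    findings = []
    if payload.get("AllowUserOverrides") is not False:
        findings.append("AllowUserOverrides is not false: users can approve KEXTs outside this list")
    team_wide = payload.get("AllowedTeamIdentifiers", [])
    by_bundle = payload.get("AllowedKernelExtensions", {})
    for team in list(team_wide) + list(by_bundle):
        if not TEAM_ID.match(team):
            findings.append(f"malformed Team ID: {team!r}")
    for team in team_wide:
        findings.append(f"{team}: every KEXT signed by this team is approved")
        if team in by_bundle:
            findings.append(f"{team}: bundle ID list is redundant with team-wide approval")
    return findings

def to_plist(payload):
    """Serialize the payload as XML plist bytes, as it appears inside a profile."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)

# Constructed identifiers, not real vendors.
TIGHT = build_payload([], {"ABCDE12345": ["com.example.vpn.kext"]})
LOOSE = build_payload(["ABCDE12345", "bad-id"], {"ABCDE12345": ["com.example.vpn.kext"]},
                      allow_user_overrides=True)

if __name__ == "__main__":
    print(to_plist(TIGHT).decode())
    for finding in audit_payload(LOOSE):
        print("-", finding)
```

The bundle-scoped policy with user overrides disabled yields no findings, while the team-wide policy is flagged because it approves every KEXT that team signs.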

Common Scenarios

Enterprise IT: Pre-approving KEXTs for endpoint security software like CrowdStrike or Carbon Black, network filtering tools, and corporate VPN clients. This ensures security software deploys silently without user interaction, maintaining a consistent security posture across the fleet.

MSP: Managing KEXT approvals for diverse client software portfolios, including industry-specific applications that require kernel access. MSPs maintain KEXT approval lists for each client’s approved software stack, updating policies as applications are added or removed.

Education: Approving KEXTs for classroom management software, content filtering tools, and specialized educational applications. Schools pre-approve KEXTs on shared devices to prevent student disruption and ensure consistent software functionality.

In Addigy

Addigy’s KEXT approval interface allows admins to specify allowed kernel extensions by Team ID or bundle identifier. Addigy provides templates for commonly used enterprise software and validates KEXT identifiers before deployment. When deploying software that requires KEXTs, Addigy can bundle the approval profile with the application installation to ensure seamless deployment.

Note that Apple has deprecated KEXTs in favor of System Extensions. Addigy’s catalog indicates which payloads apply to legacy KEXT-based software versus modern System Extension-based applications, helping admins plan for future macOS compatibility.

Also Known As

  • KEXT Payload
  • Kernel Extension Allowlist

Apple Documentation