System Extension Payload

Payload that manages allowed system extensions on macOS (the modern replacement for kernel extensions). Allows extensions by team or bundle ID to bypass user prompts.

What to Know

System extensions provide a modern, more secure alternative to kernel extensions by running in user space rather than kernel space, reducing the risk of system instability and security vulnerabilities. macOS requires user approval for system extensions to prevent malicious software from gaining elevated privileges. The System Extension payload allows IT to pre-approve trusted extensions for enterprise software, ensuring seamless deployment of security tools, network filters, and endpoint protection without user prompts.

As Apple phases out kernel extension support, system extensions become essential for modern enterprise software. Organizations must transition from KEXT-based tools to system extension equivalents to maintain compatibility with current and future macOS versions.

Common Scenarios

Enterprise IT: Pre-approving system extensions for next-generation endpoint security platforms, DNS filtering tools, and corporate VPN clients. IT maintains approved extension lists and updates policies as vendors migrate from KEXTs to system extensions, ensuring continuous functionality during macOS upgrades.

MSP: Managing system extension approvals across client environments with varied security tool portfolios. MSPs track vendor migration timelines from KEXTs to system extensions and proactively update client policies to prevent compatibility issues during macOS update cycles.

Education: Approving system extensions for content filtering software, classroom management tools, and student safety applications. Schools ensure approved extensions maintain functionality as educational software vendors modernize their platforms for current macOS security architectures.

In Addigy

Addigy’s System Extension payload configuration allows admins to approve extensions by Team ID or bundle identifier, with separate controls for different extension types including network extensions, endpoint security, and driver extensions. Addigy provides templates for commonly deployed enterprise applications and validates extension identifiers before deployment.

Addigy’s catalog indicates which applications require system extensions versus deprecated KEXTs, helping admins plan compatibility strategies for fleet-wide macOS upgrades. Addigy logs extension approval status and provides troubleshooting guidance when applications fail to load due to missing approvals.