Add macOS kernel extensions in Intune
macOS kernel extensions are being replaced with system extensions. For more information, see Support Tip: Using system extensions instead of kernel extensions for macOS Catalina 10.15 in Intune.
On macOS devices, you can add features at the kernel-level. These features access parts of the OS that regular programs can't access. Your organization may have specific needs or requirements that aren't available in an app, a device feature, and so on.
To add kernel extensions that are always allowed to load on your devices, add "kernel extensions" (KEXT) in Microsoft Intune, and then deploy these extensions to your devices.
For example, you have a virus scanning program that scans your device for malicious content. You can add this virus scanning program's kernel extension as an allowed kernel extension in Intune. Then, "assign" the extension to your macOS devices.
With this feature, administrators can allow users to override kernel extensions, add team identifiers, and add specific kernel extensions in Intune.
This feature applies to:
- macOS 10.13.2 and later
To use this feature, devices must be:
Enrolled in Intune using Apple's Device Enrollment Program (DEP). Automatically enroll macOS devices has more information.
Enrolled in Intune with "user approved enrollment" (Apple's term). Prepare for changes to kernel extensions in macOS High Sierra (opens Apple's web site) has more information.
Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you add these features in a profile, you can then push or deploy the profile to macOS devices in your organization.
This article shows you how to create a device configuration profile using kernel extensions in Intune.
For more information on kernel extensions, see kernel extension overview (opens Apple's web site).
What you need to know
- Unsigned legacy kernel extensions can be added.
- Be sure to enter the correct team identifier and bundle ID of the kernel extension. Intune doesn't validate the values you enter. If you enter wrong information, the extension won't work on the device. A team identifier is exactly 10 alphanumeric characters long.
Apple released information regarding signing and notarization for all software. On macOS 10.14.5 and newer, kernel extensions deployed through Intune don't have to meet Apple's notarization policy.
For information on this notarization policy, and any updates or changes, see the following resources:
- Notarizing your app before distribution (opens Apple's web site)
- Prepare for changes to kernel extensions in macOS High Sierra (opens Apple's web site)
Create the profile
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
- Platform: Select macOS
- Profile: Select Extensions.
In Basics, enter the following properties:
- Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS: Add kernel extensions to devices.
- Description: Enter a description for the policy. This setting is optional, but recommended.
In Configuration settings, configure your settings:
In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as
US-NC IT Teamor
JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.
In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.