Add macOS kernel extensions in Intune

Note

macOS kernel extensions are being replaced with system extensions. For more information, see Support Tip: Using system extensions instead of kernel extensions for macOS Catalina 10.15 in Intune.

On macOS devices, you can add features at the kernel-level. These features access parts of the OS that regular programs can't access. Your organization may have specific needs or requirements that aren't available in an app, a device feature, and so on.

To add kernel extensions that are always allowed to load on your devices, add "kernel extensions" (KEXT) in Microsoft Intune, and then deploy these extensions to your devices.

For example, you have a virus scanning program that scans your device for malicious content. You can add this virus scanning program's kernel extension as an allowed kernel extension in Intune. Then, "assign" the extension to your macOS devices.

With this feature, administrators can allow users to override kernel extensions, add team identifiers, and add specific kernel extensions in Intune.

This feature applies to:

  • macOS 10.13.2 and later

To use this feature, devices must be:

Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you add these features in a profile, you can then push or deploy the profile to macOS devices in your organization.

This article shows you how to create a device configuration profile using kernel extensions in Intune.

Tip

For more information on kernel extensions, see kernel extension overview (opens Apple's web site).

What you need to know

  • Unsigned legacy kernel extensions can be added.
  • Be sure to enter the correct team identifier and bundle ID of the kernel extension. Intune doesn't validate the values you enter. If you enter wrong information, the extension won't work on the device. A team identifier is exactly 10 alphanumeric characters long.

Note

Apple released information regarding signing and notarization for all software. On macOS 10.14.5 and newer, kernel extensions deployed through Intune don't have to meet Apple's notarization policy.

For information on this notarization policy, and any updates or changes, see the following resources:

Create the profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Select macOS
    • Profile: Select Extensions.
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS: Add kernel extensions to devices.
    • Description: Enter a description for the policy. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, configure your settings:

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps

After the profile is created, it's ready to be assigned. Next, assign the profile and monitor its status.