使用 Intune 添加 macOS 系统和内核扩展Add macOS system and kernel extensions in Intune


macOS 内核扩展正在替换为系统扩展。macOS kernel extensions are being replaced with system extensions. 有关详细信息,请参阅支持提示:在 Intune 中为 macOS Catalina 10.15 使用系统扩展而不是内核扩展For more information, see Support Tip: Using system extensions instead of kernel extensions for macOS Catalina 10.15 in Intune.

在 macOS 设备上,可以添加内核扩展和系统扩展。On macOS devices, you can add kernel extensions and system extensions. 内核扩展和系统扩展都允许用户安装可扩展操作系统的本机功能的应用扩展。Both kernel extensions and system extensions allow users to install app extensions that extend the native capabilities of the operating system. 内核扩展在内核级别执行其代码。Kernel extensions execute their code at the kernel level. 系统扩展在严格控制的用户空间中运行。System extensions run in a tightly controlled user-space.

要添加始终允许在设备上加载的扩展,请使用 Microsoft Intune。To add extensions that are always allowed to load on your devices, use Microsoft Intune. Intune 使用“配置文件”创建和自定义这些设置,从而满足组织需求。Intune uses "configuration profiles" to create and customize these settings for your organization's needs. 在配置文件中添加这些功能后,就可以将配置文件推送或部署到组织的 macOS 设备上。After you add these features in a profile, you then push or deploy the profile to macOS devices in your organization.

本文介绍系统扩展和内核扩展。This article describes system extensions and kernel extensions. 还将介绍如何通过 Intune 使用扩展创建设备配置文件。It also shows you how to create a device configuration profile using extensions in Intune.

系统扩展System extensions

系统扩展在用户空间中运行,并且不能访问内核。System extensions run in the user space, and don’t access the kernel. 其目的是为了提高安全性并提供更多的最终用户控制,同时限制内核级别攻击。The goal is to increase security, provide more end user control, and limit kernel level attacks. 这些扩展可以是:These extensions can be:

  • 驱动程序扩展,包括 USB 驱动程序、网络接口卡 (NIC)、串行控制器和人机接口设备 (HID)Driver extensions, including drivers to USB, network interface cards (NIC), serial controllers, and human interface devices (HID)
  • 网络扩展,包括内容筛选器、DNS 代理和 VPN 客户端Network extensions, including content filters, DNS proxies, and VPN clients
  • 终结点安全扩展,包括终结点检测、终结点响应和防病毒Endpoint security extensions, including endpoint detection, endpoint response, and antivirus

系统扩展包含在应用程序包中,并从应用安装。System extensions are included in an app's bundle, and installed from the app.

有关系统扩展的详细信息,请参阅系统扩展(打开 Apple 网站)。For more information on system extensions, see system extensions (opens Apple's web site).

内核扩展Kernel extensions

内核扩展在内核级别添加功能。Kernel extensions add features at the kernel-level. 这些功能可访问正常程序无法访问的 OS 部分。These features access parts of the OS that regular programs can't access. 组织可能具有应用、设备功能等无法满足的特定需求或要求。Your organization may have specific needs or requirements that aren't available in an app, a device feature, and so on.

例如,你有一个病毒扫描程序,可扫描设备中是否存在恶意内容。For example, you have a virus scanning program that scans your device for malicious content. 你可使用 Intune 将此病毒扫描程序的内核扩展添加为允许的内核扩展。You can add this virus scanning program's kernel extension as an allowed kernel extension in Intune. 然后,向 macOS 设备分配该扩展。Then, "assign" the extension to your macOS devices.

利用此功能,管理员可以允许用户替代内核扩展,添加团队标识符,以及使用 Intune 添加特定内核扩展。With this feature, administrators can allow users to override kernel extensions, add team identifiers, and add specific kernel extensions in Intune.

有关内核扩展的详细信息,请参阅内核扩展(打开 Apple 网站)。For more information on kernel extensions, see kernel extensions (opens Apple's web site).


  • 此功能适用于:This feature applies to:

    • macOS 10.13.2 及更高版本(内核扩展)macOS 10.13.2 and newer (kernel extensions)
    • macOS 10.15 及更高版本(系统扩展)macOS 10.15 and newer (system extensions)

    从 macOS 10.15 到 10.15.4,内核扩展和系统扩展可并行运行。From macOS 10.15 to 10.15.4, kernel extensions and system extensions can run side by side.

  • 要使用此功能,设备必须符合以下情况:To use this feature, devices must be:

须知内容What you need to know

  • 可以添加未签名的旧版内核扩展和系统扩展。Unsigned legacy kernel extensions and system extensions can be added.
  • 请确保输入正确的团队标识符和扩展的程序包 ID。Be sure to enter the correct team identifier and bundle ID of the extension. Intune 不会验证输入的值。Intune doesn't validate the values you enter. 如果输入的信息不正确,则该扩展将无法在设备上运行。If you enter wrong information, the extension won't work on the device. 团队标识符长度正好为 10 个字母数字字符。A team identifier is exactly 10 alphanumeric characters long.


Apple 发布了有关所有软件的签名和公证的信息。Apple released information regarding signing and notarization for all software. 在 macOS 10.14.5 和更新版本中,通过 Intune 部署的内核扩展不必满足 Apple 的公证策略。On macOS 10.14.5 and newer, kernel extensions deployed through Intune don't have to meet Apple's notarization policy.

有关此公证策略以及任何更新或更改的信息,请参阅以下资源:For information on this notarization policy, and any updates or changes, see the following resources:

创建配置文件Create the profile

  1. 登录到 Microsoft 终结点管理器管理中心Sign in to the Microsoft Endpoint Manager admin center.

  2. 选择“设备” > “配置文件” > “创建配置文件”。Select Devices > Configuration profiles > Create profile.

  3. 输入以下属性:Enter the following properties:

    • 平台:选择“macOS”Platform: Select macOS
    • 配置文件:选择“扩展”。Profile: Select Extensions.
  4. 选择“创建”。Select Create.

  5. 在“基本信息”中,输入以下属性:In Basics, enter the following properties:

    • 名称:输入策略的描述性名称。Name: Enter a descriptive name for the policy. 为策略命名,以便稍后可以轻松地识别它们。Name your policies so you can easily identify them later. 例如,策略名称最好是“macOS:配置登录屏幕”向设备上的内核扩展添加防病毒扫描。For example, a good policy name is macOS: Add antivirus scanning to kernel extensions on devices.
    • 描述:输入策略的说明。Description: Enter a description for the policy. 此设置是可选的,但建议进行。This setting is optional, but recommended.
  6. 选择“下一步”。Select Next.

  7. 在“配置设置”中,配置以下设置:In Configuration settings, configure your settings:

  8. 选择“下一步”。Select Next.

  9. 在“作用域标记”(可选)中,分配一个标记以将配置文件筛选到特定 IT 组(如 US-NC IT TeamJohnGlenn_ITDepartment)。In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. 有关范围标记的详细信息,请参阅将 RBAC 和范围标记用于分布式 ITFor more information about scope tags, see Use RBAC and scope tags for distributed IT.

    选择“下一步”。Select Next.

  10. 在“分配”中,选择将接收配置文件的用户或组。In Assignments, select the users or groups that will receive your profile. 有关分配配置文件的详细信息,请参阅分配用户和设备配置文件For more information on assigning profiles, see Assign user and device profiles.

    选择“下一步”。Select Next.

  11. 在“查看并创建”中查看设置。In Review + create, review your settings. 选择“创建”时,将保存所做的更改并分配配置文件。When you select Create, your changes are saved, and the profile is assigned. 该策略也会显示在配置文件列表中。The policy is also shown in the profiles list.

后续步骤Next steps

创建配置文件后,即可进行分配。After the profile is created, it's ready to be assigned. 下一步,分配配置文件监视其状态Next, assign the profile and monitor its status.