Skip to content

Kernel extension policy configuration (macOS device policy)

The Kernel extension policy configuration lets you approve or block selected third-party kernel extensions (also called legacy system extensions).

When you assign the policy to a Mac, the user must accept it. This doesn’t apply to Macs managed with Apple Business Manager.


System extensions on macOS Catalina 10.15 and later are a replacement for kernel extensions. You can’t manage system extensions with the Kernel extension policy configuration.

Setting Description
Allow user-approved extensions

When an app wants to install a kernel extension not approved by this configuration, macOS asks the user to approve it.

When you turn the setting off, all extensions not approved by this configuration are blocked.

Approve Sophos extensions Sophos kernel extensions are approved.
Approved Team IDs

A list of Team ID values.

Kernel extensions signed by one of these IDs are approved.

Find the Team ID

To find the Team ID of a kernel extension, install it on a Mac in your test environment. Then enter the following two commands in Terminal:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;

Use Control-D to exit the sqlite3 session.

You get one line of output for every kernel extension installed. In each line, the first value is the Team ID.