Kernel extension policy configuration (macOS device policy)
The Kernel extension policy configuration lets you approve or block selected third-party kernel extensions (also called legacy system extensions).
When you assign the policy to a Mac, the user must accept it. This doesn’t apply to Macs managed with Apple Business Manager.
System extensions on macOS Catalina 10.15 and later are a replacement for kernel extensions. You can’t manage system extensions with the Kernel extension policy configuration.
| Setting | Description |
| --- | --- |
| Allow user-approved extensions | When an app wants to install a kernel extension not approved by this configuration, macOS asks the user to approve it. When you turn the setting off, all extensions not approved by this configuration are blocked. |
| Approve Sophos extensions | Sophos kernel extensions are approved. |
| Approved Team IDs | A list of Team ID values. Kernel extensions signed by one of these IDs are approved. |
Find the Team ID
To find the Team ID of a kernel extension, install it on a Mac in your test environment. Then enter the following two commands in Terminal:
SELECT * FROM kext_policy;
Press Control-D to exit the sqlite3 session.
You get one line of output for every kernel extension installed. In each line, the first value is the Team ID.
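Before copying values into Approved Team IDs, it helps to reduce that output to the distinct Team IDs and to flag rows that have none. The following script is an added example, not part of the original documentation. It assumes the output was saved in sqlite3's default list mode (fields separated by "|") and that a Team ID is a 10-character string of uppercase letters and digits. The function names and the sample rows are constructed for illustration, and only the first field of each sample row is meaningful.

```shell
#!/bin/sh
# Read the output of `SELECT * FROM kext_policy;` on stdin and print each
# distinct Team ID (first field) with the number of rows that carry it.
# Rows whose first field does not look like a Team ID are listed for manual
# review instead of being treated as something to approve.
summarize_team_ids() {
    awk -F'|' '
        NF == 0 { next }                              # skip blank lines
        {
            id = $1
            # Assumed Team ID shape: exactly 10 uppercase letters or digits
            if (length(id) == 10 && id ~ /^[A-Z0-9]+$/) {
                if (!(id in count)) order[++n] = id   # keep first-seen order
                count[id]++
            } else {
                bad[++b] = NR ": " $0                 # remember line number and row
            }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "TEAMID %s rows=%d\n", order[i], count[order[i]]
            for (i = 1; i <= b; i++)
                printf "REVIEW line %s\n", bad[i]
        }'
}

# Constructed sample output (not from a real Mac). The fields after the
# first are placeholders and are not interpreted by the script.
sample_rows() {
    cat <<'EOF'
ABCDE12345|com.example.driver.one|1|Example Corp|1
ABCDE12345|com.example.driver.two|1|Example Corp|1
|com.example.unsigned|0||0
Z9Y8X7W6V5|com.example.filter|1|Sample Ltd|1
EOF
}

# Run against the constructed sample; with real data, pipe the saved
# query output into summarize_team_ids instead.
sample_rows | summarize_team_ids
```

A Team ID approves every kernel extension signed by that developer, so the row count per Team ID shows how many installed extensions a single entry in the list would cover.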