Kernel extension policy configuration (macOS device policy)

With the Kernel extension policy configuration you approve or block certain third-party kernel extensions (KEXTs). Without this configuration, macOS asks the user for approval when an app wants to install a kernel extension.

Note Users must accept the policy. This doesn’t apply to devices managed with Apple Business Manager.

Setting

Description

Allow user-approved extensions

When an app wants to install a kernel extension not approved by this configuration, macOS asks the user to approve it.

If the check box is cleared, extensions not approved by this configuration are blocked.

Approve Sophos extensions

Sophos kernel extensions are approved.

Approved Team IDs

A list of Team ID values.

Kernel extensions signed by one of these IDs are approved.

To find the Team ID of a kernel extension, install it on a Mac in your test environment. Then enter the following two commands in Terminal:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;

Use Control-D to exit the sqlite3 session.

You get one line of output for every kernel extension installed. In each line, the first value is the Team ID.