Kernel extension policy configuration (macOS device policy)
The Kernel extension policy configuration lets you approve or block selected third-party kernel extensions (also called legacy system extensions).
When you assign the policy to a Mac, the user must accept it. This doesn’t apply to Macs managed with Apple Business Manager.
System extensions on macOS Catalina 10.15 and later are a replacement for kernel extensions. You can’t manage system extensions with the Kernel extension policy configuration.
|Allow user-approved extensions||When an app wants to install a kernel extension not approved by this configuration, macOS asks the user to approve it. When you turn the setting off, all extensions not approved by this configuration are blocked.|
|Approve Sophos extensions||Sophos kernel extensions are approved.|
|Approved Team IDs||A list of Team ID values. Kernel extensions signed by one of these IDs are approved.|
Find the Team ID
To find the Team ID of a kernel extension, install it on a Mac in your test environment. Then enter the following two commands in Terminal:
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;
Press Control-D to exit the sqlite3 session.
You get one line of output for every kernel extension installed. In each line, the first value is the Team ID.
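To compare the Team IDs found this way with the list you plan to enter under Approved Team IDs, the following added example (not part of the Sophos documentation) reads the same table with Python's sqlite3 module. The column layout and rows in `sample_db` are constructed assumptions; only the database path, the table name, and the first value of each row being the Team ID come from this page.

```python
import sqlite3
from collections import defaultdict

# Path from the page; the file exists only on a Mac.
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"


def open_read_only(path=KEXT_POLICY_DB):
    """Open the policy database without any chance of modifying it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def team_ids(conn):
    """Map each Team ID (first value of every row) to its other row values."""
    found = defaultdict(list)
    for row in conn.execute("SELECT * FROM kext_policy"):
        team_id = (row[0] or "").strip()
        found[team_id or "(no Team ID)"].append(row[1:])
    return dict(found)


def audit(conn, approved):
    """Split the Team IDs on this Mac into approved and not yet approved."""
    approved = {t.strip().upper() for t in approved}
    present = team_ids(conn)
    missing = sorted(t for t in present if t.upper() not in approved)
    covered = sorted(t for t in present if t.upper() in approved)
    return covered, missing


def sample_db():
    """Constructed stand-in for the real file (schema and rows are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
                 "allowed BOOLEAN, developer_name TEXT, flags INTEGER)")
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", [
        ("AAAAAAAAAA", "com.example.vendor-a.kext.net", 1, "Vendor A", 0),
        ("AAAAAAAAAA", "com.example.vendor-a.kext.fs", 1, "Vendor A", 0),
        ("BBBBBBBBBB", "com.example.vendor-b.kext", 0, "Vendor B", 0),
        ("", "com.example.unsigned.kext", 0, "", 0),
    ])
    return conn


if __name__ == "__main__":
    # On a test Mac, pass open_read_only() instead of sample_db().
    covered, missing = audit(sample_db(), approved=["aaaaaaaaaa"])
    print("Already in Approved Team IDs:", covered)
    print("Not approved by the configuration:", missing)
```

Rows with an empty first value are grouped under "(no Team ID)" so they are reported rather than silently skipped.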