KEXTs and Big Sur

Recently I’ve been trying to get a KEXT to load in Big Sur on both Intel and Apple Silicon Macs without requiring an admin user to approve loading the KEXT, while also avoiding Apple Silicon’s “reboot into recovery to allow KEXT loading” step.

This post will cover the MDM profile I’m deploying along with some commands that I used to help with testing KEXT deployment and approval on Big Sur.

Requirements

Auto enrolled MDM

The Mac has to have been automatically enrolled in MDM for the profile to automagically downgrade startup disk security on Apple Silicon Macs.

macOS 11.2

The ability to automagically downgrade startup disk security to allow KEXTs appears to have been added in macOS 11.2.

tl;dr

  • Use the new profile key AllowNonAdminUserApprovals set to true to allow non-admins to approve KEXTs and automagically downgrade startup disk security to allow KEXT loading
  • Some useful commands

KEXT Profile

The big thing that kept hanging me up with my KEXT deployment was that even with my KEXT profile deployed to my Mac it was still requiring an admin to unlock System Preferences and Allow the KEXT to load.

As it turns out, in Big Sur 11.2 there’s a new key that is needed to allow standard users to approve KEXTs: AllowNonAdminUserApprovals. Once I added that and set it to <true/> I was able to approve KEXTs as a standard user.

Even if your users are admins, using a profile like this will let them bypass the step on Apple Silicon Macs that requires the user to downgrade startup disk security to load KEXTs.

As of 11.2 this profile should be installed before an application that loads a KEXT is installed. Otherwise on an Apple Silicon Mac it will require the user to manually downgrade the startup disk security to load the KEXT.

If done correctly, when an app that loads a KEXT is installed, it will request approval, the user approves, and the Mac reboots. An Apple Silicon Mac should reboot twice. The first reboot, I believe, downgrades the startup disk security to allow KEXTs and then triggers the second reboot.

Here’s the profile that I’m currently deploying to allow KEXTs:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
    <dict>
        <key>PayloadOrganization</key>
        <string>COMPANY</string>
        <key>PayloadDisplayName</key>
        <string>Approved Kernel Extensions</string>
        <key>PayloadDescription</key>
        <string>This profile contains a list of approved kernel extension vendors for macOS 11.</string>
        <key>PayloadIdentifier</key>
        <string>com.company.ake</string>
        <key>PayloadUUID</key>
        <string>F623CC98-8663-447C-B906-86DF5611B4EB</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadUUID</key>
                <string>585000CC-DDB7-40CF-8336-DEA5AF0F9579</string>
                <key>PayloadType</key>
                <string>com.apple.syspolicy.kernel-extension-policy</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadEnabled</key>
                <true/>
                <key>AllowNonAdminUserApprovals</key>
                <true/>
                <key>AllowedTeamIdentifiers</key>
                <array>
                    <!-- Egnyte Connect -->
                    <string>FELUD555VC</string>
                </array>
            </dict>
        </array>
    </dict>
</plist>
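Before pushing a profile like the one above from the MDM, it is worth linting it for the mistakes that silently reintroduce the admin-approval prompt (missing AllowNonAdminUserApprovals, a malformed Team ID, a user-scoped payload). The following Python check is an added example, not part of the original post; the embedded profile is constructed with placeholder UUIDs and a placeholder Team ID, and the AllowedKernelExtensions key it tolerates is Apple's alternative to AllowedTeamIdentifiers for listing specific bundle IDs.

```python
import plistlib
import re

# Constructed sample (assumption): same layout as the profile in the post,
# but with placeholder UUIDs and a placeholder 10-character Team ID.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>com.example.ake</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>AllowNonAdminUserApprovals</key><true/>
      <key>AllowedTeamIdentifiers</key>
      <array><string>ABCDE12345</string></array>
    </dict>
  </array>
</dict>
</plist>"""

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
# Apple Team IDs are 10 uppercase alphanumeric characters.
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")


def lint_kext_profile(data: bytes) -> list:
    """Return a list of problems; an empty list means the profile looks deployable."""
    problems = []
    root = plistlib.loads(data)
    if root.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    if root.get("PayloadScope") != "System":
        problems.append("PayloadScope should be 'System' so the policy applies device-wide")
    payloads = [p for p in root.get("PayloadContent", [])
                if p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not payloads:
        problems.append("no %s payload found" % KEXT_POLICY_TYPE)
    for p in payloads:
        if p.get("AllowNonAdminUserApprovals") is not True:
            problems.append("AllowNonAdminUserApprovals is not true: standard users will still need an admin")
        teams = p.get("AllowedTeamIdentifiers", [])
        if not teams and not p.get("AllowedKernelExtensions"):
            problems.append("neither AllowedTeamIdentifiers nor AllowedKernelExtensions is set")
        for team in teams:
            if not TEAM_ID_RE.match(team):
                problems.append("team identifier %r is not a 10-character Team ID" % team)
    return problems
```

Run it against the exported profile with `lint_kext_profile(open("ake.mobileconfig", "rb").read())` and refuse to deploy while the list is non-empty.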

Useful Commands

By the time I figured all of this out I had already installed and approved the KEXT on my Apple Silicon and Intel Macs. I wanted to go through the whole process a few times to validate that everything was working as expected and that my users wouldn’t get stuck with macOS requiring an admin to Allow the KEXT, or worse, an Apple Silicon Mac stuck in Recovery asking for an admin password.

Here are a few commands that let me check and reset things:

See what KEXTs are loaded (this replaces the deprecated kextstat command):

kmutil showloaded | grep -v com.apple

Clear staged KEXTs (used to finish clearing the KEXT files from the machine):

sudo kmutil clear-staging

Reset the KEXT DB – this requires rebooting into Recovery:

kmutil trigger-panic-medic --volume-root /Volumes/VOLUME

To fully test things out on Apple Silicon Macs, don’t forget to re-upgrade startup disk security in Recovery.

Reset Process

My reset process for testing was as follows:

  1. Uninstall Egnyte Desktop App
  2. Delete their left over receipts (😒)
  3. Clear staged KEXTs: sudo kmutil clear-staging
  4. Shutdown
  5. Remove the KEXT profile in SimpleMDM
  6. Boot into Recovery Options
  7. Launch Terminal
  8. Reset the KEXT system: kmutil trigger-panic-medic --volume-root /Volumes/VOLUME
  9. Launch Startup Security Utility
  10. Set to Full Security
  11. Reboot
  12. Verify the KEXT Profile is removed from System Preferences -> Profiles
  13. Reboot again (probably not necessary, but I want to make sure everything is fully propagated)

A note on SimpleMDM

As of 2021-03-18 SimpleMDM hasn’t implemented the AllowNonAdminUserApprovals key. This means that you can’t use their built-in Kernel Extension Policy. Instead you’ll have to deploy a custom profile. Here is a feature request to get the key implemented.

Wrap up notes

I’ve created two profiles: Approved Kernel Extensions and Approved Kernel Extensions Legacy. Legacy is deployed to only Intel Macs < 11. The new Approved Kernel Extensions profile will be deployed on Apple Silicon and Intel Macs >= 11.2.3 and any software requiring a KEXT (currently just Egnyte for us) will be similarly scoped.