System Extension : How to identify on macOS, Create a Configuration Profile, a PPPC Payload, & Deploy with Jamf (Example: Symantec System Extension)

Introduced in the latest version of macOS is the System Extension. If you would like to read more about System Extensions, I suggest reading Scott Knight's informative post, as it's the best I've seen.

In this post I am going to detail how to identify a System Extension that is present on the machine using Terminal or a CLI, how to create the configuration profile, & how to create a PPPC payload using Jamf's PPPC Utility. I am not detailing Kernel Extensions, as they are considered legacy on macOS 10.15, deprecated in macOS 10.16, & no longer relevant moving forward.

I am using Symantec's System Extension, already installed on a test machine, to gather the information required to create the profile payloads & deploy them enterprise wide.

Identify

Introduced in macOS 10.15 Catalina is the System Extensions control command, systemextensionsctl. This command contains the following options.

Man Page

systemextensionsctl(8)    BSD System Manager's Manual   systemextensionsctl(8)

NAME
     systemextensionsctl -- System Extensions control

DESCRIPTION
     The systemextensionsctl program can be used to list and control System Extensions installed on this machine.

Darwin                         February 7, 2019                         Darwin

Usage

systemextensionsctl: usage:
	systemextensionsctl developer [on|off]
	systemextensionsctl list [category]
	systemextensionsctl reset  - reset all System Extensions state
	systemextensionsctl uninstall  ; can also accept '-' for teamID

The command we will be focusing on is systemextensionsctl list. When a System Extension is installed, this command provides us with the following information.

sudo systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	9PTGMPNXZ2	com.symantec.mes.systemextension (10.0.0/10.0.0Symantec System Extension	[activated enabled]

*Note the teamID & bundleID, as we will need that information when creating the Configuration Profile, & the name "com.symantec.mes.systemextension", as we will also use it later when locating the system extension.

Race Condition

*It is very important to remember that the configuration profile must be deployed to & present on the end user / target machine prior to the client / application installation (in this example, Symantec) & the installation of the system extension(s). If the configuration profile is not successfully deployed beforehand, the end user / target machine will still be prompted to manually allow the System Extension(s).

System Extension Configuration Profile

In your Jamf Pro Dashboard, navigate to the following path:
Computers -> Configuration Profiles -> + New

Select: System Extensions Payload
Select: Configure
Check: Allow users to approve system extensions
Display Name: Symantec (optional)
System Extension Types Dropdown Menu: Allowed System Extensions

Enter the teamID that was identified by running the systemextensionsctl list command.

9PTGMPNXZ2

Under Allowed System Extensions, select the + Add button on the right-hand side of the window & enter the bundleID that was identified by running the systemextensionsctl list command. Save the bundleID setting (not the entire profile).

com.symantec.mes.systemextension

Now scope the profile, save & deploy.
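As an added example (not from the original post, Jamf, or Symantec), the script below reads systemextensionsctl list output, pulls out the teamID/bundleID pairs entered in the profile above, flags extensions that are still waiting for user approval (the race condition described earlier), & emits the AllowedSystemExtensions dictionary that the Jamf System Extensions payload writes into a com.apple.system-extension-policy profile. The sample output is constructed; the second row's team & bundle IDs are placeholders, & the payload key names are assumed from Apple's profile documentation rather than taken from this post.

```shell
#!/bin/sh
# Constructed stand-in for `sudo systemextensionsctl list` output (tab-separated)
# so the script runs offline; on a real Mac pipe the live command in instead.
# The second row (placeholder IDs) is an extension still waiting for approval.
sample_list() {
    printf '2 extension(s)\n--- com.apple.system_extension.endpoint_security\n'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\t9PTGMPNXZ2\tcom.symantec.mes.systemextension (10.0.0/10.0.0)\tSymantec System Extension\t[activated enabled]\n'
    printf '\t\tTEAMID0000\tcom.example.vendor.sysext (1.0/1.0)\tExample Extension\t[activated waiting for user]\n'
}

# stdin: systemextensionsctl list output -> stdout: "teamID<TAB>bundleID<TAB>state".
# Header and "---" category lines are skipped; the enabled/active columns may be empty.
parse_extensions() {
    awk -F'\t' 'NF >= 4 && $3 != "teamID" {
        split($4, b, " ")             # "bundleID (version)" -> bundleID
        printf "%s\t%s\t%s\n", $3, b[1], $NF
    }'
}

# stdin: parsed rows -> bundleIDs not "[activated enabled]", i.e. the extensions
# a user would still be prompted for because no allow-listing profile was present.
unapproved_extensions() {
    awk -F'\t' '$3 != "[activated enabled]" { print $2 }'
}

# stdin: parsed rows -> the com.apple.system-extension-policy dictionary (assumed
# key names): AllowUserOverrides plus AllowedSystemExtensions keyed by teamID.
build_policy_plist() {
    awk -F'\t' '
        { if (!($1 in seen)) order[++n] = $1
          seen[$1] = seen[$1] "      <string>" $2 "</string>\n" }
        END {
            print "<dict>"
            print "  <key>AllowUserOverrides</key><true/>"
            print "  <key>AllowedSystemExtensions</key>"
            print "  <dict>"
            for (i = 1; i <= n; i++)
                printf "    <key>%s</key>\n    <array>\n%s    </array>\n", order[i], seen[order[i]]
            print "  </dict>"
            print "</dict>"
        }'
}

sample_list | parse_extensions | build_policy_plist
```

On a managed Mac the same pipeline runs as `sudo systemextensionsctl list | parse_extensions | unapproved_extensions`, which is a convenient Jamf extension attribute for spotting machines where the extension was installed before the profile arrived.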

PPPC Configuration Profile

This will whitelist the system extension, in conjunction with the application that is utilizing it, to access specific settings/locations on the machine.

Read more about User Data Protection & Privacy Preference Policy Controls here

To create the PPPC Configuration Profile payload, I will be utilizing Jamf's PPPC Utility.

In order to create a PPPC profile, you first need to know where to look. What are we looking for? In this case, a System Extension & a property or properties to whitelist. When launching an application for the first time, a pop-up appears stating that the application or part of the application (think binaries, etc.) needs access to a certain part of the system (the property or properties): Desktop, Documents, Downloads, Photos, etc. However, that is not always the case when it comes to system extensions.

Example of an application prompting for access that requires a PPPC profile

For this example, you would need to drag the Parallels Desktop application into the PPPC Utility & select the "Allow" option under the Documents Folder (property).

Using Symantec Endpoint Protection for my example, when first launched it states at the top "Full Disk Access is not enabled" with a "Fix" button.

After selecting "Fix", it prompts System Preferences to open & takes you directly to the property that needs to be whitelisted; in this case we already knew it was "Full Disk Access".

In order for Jamf's PPPC Utility to create a profile for the "Symantec System Extension", we need to locate the system extension file. Most System Extensions will be located in the /Library/SystemExtensions directory. If this is not the case, you can search for the system extension file by running a find command using the system extension's name that we located earlier with the systemextensionsctl command. I used the mdfind command to locate Symantec's system extension.

sudo mdfind -name com.symantec.mes.systemextension

This returns the file's location.

/Library/SystemExtensions/AECF874B-1241-4F1D-9376-7445D1D7AC9D/com.symantec.mes.systemextension.systemextension
*Note that the directory /AECF874B-1241-4F1D-9376-7445D1D7AC9D/ varies from machine to machine, but this will not matter, because the system extension is loaded & PPPC only targets the loaded system extension regardless of path.

Now that we've located com.symantec.mes.systemextension.systemextension, launch Jamf's PPPC Utility, drag & drop the system extension into the "Applications" window pane, select it, & whitelist the necessary properties. In this example, I've selected "Allow" for both the Accessibility & All Files properties.

Once completed, select "Upload" in the bottom right-hand corner of the PPPC Utility window, authenticate to your Jamf Pro Server, & the PPPC Utility will upload it directly to your Configuration Profiles, ready to scope & deploy. Now the whitelisted System Extension allows Symantec to access all system files.

There you have it, a System Extension whitelisted via a configuration profile & a PPPC payload you can deploy throughout the enterprise.
