System Extension : How to identify on macOS, Create a Configuration Profile, a PPPC Payload, & Deploy with Jamf (Example: Symantec System Extension)

Introduced in the latest version of macOS is the System Extension. If you would like to read more about System Extensions, I suggest reading Scott Knight’s informative post, as it’s the best I’ve seen.

In this post I am going to detail how to identify a System Extension that is present on the machine using Terminal or a CLI, how to create the configuration profile, & how to create a PPPC Payload using Jamf’s PPPC Utility. I am not detailing Kernel Extensions, as they are considered legacy on macOS 10.15, deprecated in macOS 10.16 & no longer relevant moving forward.

I am using Symantec’s System Extension, already installed on a test machine, to gather the information required to create the profile payloads & deploy them enterprise wide.


Introduced in macOS 10.15 Catalina is the System Extension Controls Command. This command contains the following options.

Man Page

systemextensionsctl(8)    BSD System Manager's Manual   systemextensionsctl(8)

     systemextensionsctl -- System Extensions control

     The systemextensionsctl program can be used to list and control System Extensions installed on this machine.

Darwin                         February 7, 2019                         Darwin


systemextensionsctl: usage:
	systemextensionsctl developer [on|off]
	systemextensionsctl list [category]
	systemextensionsctl reset  - reset all System Extensions state
	systemextensionsctl uninstall  ; can also accept '-' for teamID

The command we will be focusing on is systemextensionsctl list. When a System Extension is installed, this command provides us with the following information.

sudo systemextensionsctl list
1 extension(s)
enabled	active	teamID	bundleID (version)	name	[state]
*	*	9PTGMPNXZ2 (10.0.0/10.0.0Symantec System Extension	[activated enabled]

*Note the teamID & bundleID, as we will need that information when creating the Configuration Profile, & the name “”, as we will also use that later when locating the system extension.


Race Condition

*It is very important to remember that the configuration profile must be deployed to & present on the end user / target machine prior to the client / application installation (in this example, Symantec) & the system extension(s) installation. If the configuration profile is not successfully deployed beforehand, the end user / target machine will still be prompted to manually allow the System Extension(s).

System Extension Configuration Profile

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Configuration Profiles -> + New

Select: System Extensions Payload
Select: Configure
Check: Allow users to approve system extensions
Display Name: Symantec (optional)
System Extension Types Dropdown Menu: Allowed System Extensions

Enter the teamID that was identified by utilizing the systemextensionsctl list command.


Under Allowed System Extensions, Select the + Add button on the right hand side of the window, Enter the bundleID that was identified by utilizing the systemextensionsctl list command. Save the bundleID setting (Not the entire profile).

Now Scope the Profile, Save & Deploy.
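
The identification step and the Allowed System Extensions settings above can be tied together in a script. This is an added example, not code from the original post or from Jamf: it parses a constructed sample of systemextensionsctl list output (placeholder teamID and bundleID) and prints the AllowUserOverrides and AllowedSystemExtensions keys of Apple's com.apple.system-extension-policy payload, assumed here to be what the Jamf settings correspond to.

```shell
#!/bin/sh
# Added example: systemextensionsctl list output -> AllowedSystemExtensions keys.

# Constructed sample (tab-separated, placeholder IDs). On a Mac, pipe the real
# output of `systemextensionsctl list` into active_extensions instead.
sample_list() {
    printf '%s\n' '2 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tABCDE12345\tcom.example.agent.systemextension (10.0.0/10.0.0)\tExample System Extension\t[activated enabled]\n'
    printf '\t\tABCDE12345\tcom.example.old.systemextension (9.0.0/9.0.0)\tExample Old Extension\t[terminated waiting to uninstall on reboot]\n'
}

# Print "teamID<TAB>bundleID" for every extension in the [activated enabled] state.
active_extensions() {
    awk -F '\t' '
        NF >= 6 && length($3) == 10 && $3 ~ /^[A-Z0-9]+$/ && $6 == "[activated enabled]" {
            bundle = $4
            sub(/ \(.*\)$/, "", bundle)   # drop the " (version)" suffix
            print $3 "\t" bundle
        }'
}

# Group bundle IDs under their team ID and emit the payload keys.
policy_fragment() {
    sort -u | awk -F '\t' '
        BEGIN { print "<key>AllowUserOverrides</key>\n<true/>"
                print "<key>AllowedSystemExtensions</key>\n<dict>" }
        $1 != team { if (team != "") print "  </array>"
                     team = $1
                     print "  <key>" team "</key>\n  <array>" }
        { print "    <string>" $2 "</string>" }
        END { if (team != "") print "  </array>"
              print "</dict>" }'
}

sample_list | active_extensions | policy_fragment
```

Only extensions that are both activated and enabled are allow-listed, so an extension waiting to be uninstalled does not end up in the profile.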

PPPC Configuration Profile

This will whitelist the system extension, in conjunction with the application that’s utilizing it, to access specific settings/locations on the machine.

Read more about User Data Protection & Privacy Preference Policy Controls here

To create the PPPC Configuration Profile’s Payload, I will be using Jamf’s PPPC Utility.

In order to create a PPPC Profile, you first need to know where to look. What are we looking for? In this case, a System Extension & a property or properties to whitelist. When launching an application for the first time, a pop-up appears stating that the application or part of the application (think binaries, etc.) needs access to a certain part of the system (the property or properties): Desktop, Documents, Downloads, Photos, etc. However, that is not always the case when it comes to system extensions.

Example of an Application prompting Access that requires a PPPC Profile

For this example, you would need to drag the Parallels Desktop application into the PPPC Utility & select the “Allow” option under the Documents Folder (property).

Using Symantec Endpoint Protection for my example, when first launched it states at the top “Full Disk Access is not enabled” with a “Fix” button.

After selecting “Fix”, it prompts System Preferences to open & takes you directly to the property that needs to be whitelisted, in this case, as we already knew, “Full Disk Access”.

In order for Jamf’s PPPC Utility to create a profile for the “Symantec System Extension”, we need to locate the system extension file. Most System Extensions will be located in the /Library/SystemExtensions directory. If this is not the case, you can search for the system extension file by running a find command using the system extension’s name, which we located earlier with the system extensions control command. I used the mdfind command to locate Symantec’s system extension.

sudo mdfind -name

This results in the file’s location.

*Note the directory /AGF4574B-1241-561D-9376-7446D1D7AC9D varies from machine to machine, but this will not matter because the system extension is loaded & PPPC only targets the loaded system extension regardless of path.

Now that we’ve located it, launch Jamf’s PPPC Utility, drag & drop the system extension into the “Applications” window pane, select it & whitelist the necessary properties. In this example, I’ve selected “Allow” for both the Accessibility & All Files properties.

Once completed, select “Upload” in the bottom right hand corner of the PPPC Utility Window, Authenticate to your Jamf Pro Server & the PPPC Utility will upload it directly to your Configuration Profiles, ready to Scope & Deploy. Now, the System Extension being whitelisted allows Symantec to access all system files.
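
To show why the per-machine directory does not matter, here is an added example (not from the original post and not the PPPC Utility's own code) that builds the Services entries of Apple's com.apple.TCC.configuration-profile-policy payload from a code signature. It assumes the entries are keyed by bundle identifier and designated requirement, and the `codesign -d -r -` output is a constructed sample with placeholder IDs.

```shell
#!/bin/sh
# Added example: PPPC Services entries built from a code signature, not a path.

# Constructed sample of `codesign -d -r - <extension bundle>` output.
sample_codesign() {
    printf '%s\n' 'Executable=/Library/SystemExtensions/<UUID>/com.example.agent.systemextension.systemextension/Contents/MacOS/com.example.agent.systemextension'
    printf '%s\n' 'designated => identifier "com.example.agent.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ABCDE12345'
}

# Keep only the designated requirement; the Executable= path line is dropped.
designated_requirement() { sed -n 's/^.*designated => //p'; }

# Pull the bundle identifier out of a requirement string.
requirement_identifier() { sed -n 's/^identifier "\([^"]*\)".*/\1/p'; }

# Escape characters that are special inside a plist XML <string>.
xml_escape() { sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }

# Read codesign output on stdin; emit one allow entry per service name given.
pppc_services() {
    req=$(designated_requirement)
    id=$(printf '%s\n' "$req" | requirement_identifier)
    [ -n "$id" ] || { echo "no designated requirement found" >&2; return 1; }
    esc=$(printf '%s\n' "$req" | xml_escape)
    printf '%s\n' '<key>Services</key>' '<dict>'
    for svc in "$@"; do
        printf '%s\n' "  <key>$svc</key>" '  <array><dict>'
        printf '%s\n' "    <key>Identifier</key><string>$id</string>"
        printf '%s\n' '    <key>IdentifierType</key><string>bundleID</string>'
        printf '%s\n' "    <key>CodeRequirement</key><string>$esc</string>"
        printf '%s\n' '    <key>Allowed</key><true/>' '  </dict></array>'
    done
    printf '%s\n' '</dict>'
}

# SystemPolicyAllFiles is Full Disk Access ("All Files"); Accessibility is Accessibility.
sample_codesign | pppc_services SystemPolicyAllFiles Accessibility
```

The generated entries contain the identifier and the signing requirement but no file path, so the same payload applies on every machine where the extension is signed by the same team.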

There you have it, a System Extension whitelisted via a configuration profile & a PPPC payload you can deploy throughout the enterprise.

48 thoughts on “System Extension : How to identify on macOS, Create a Configuration Profile, a PPPC Payload, & Deploy with Jamf (Example: Symantec System Extension)”

  1. Great information but I have a question. Following these steps, should I end up with one Configuration file containing the PPPC Configuration Profile and System Extension or two separate ones?

    1. 2 Separate Configuration Profiles. 1 for PPPC & 1 For System Extension.

      Granularity regarding configuration profiles is best practice in my opinion.

      Thank you Jeff.
