Introduced in the latest version of macOS is the System Extension. If you would like to read more about System Extensions, I suggest reading Scott Knights informative post as it’s the best I’ve seen.
In this post I am going to detail how to identify a System Extension that is present on the machine utilizing Terminal or a CLI, How to create the configuration profile & How to create a PPPC Payload utilizing Jamfs PPPC Utility. I am not detailing Kernel Extensions as they are considered legacy on macOS 10.15, deprecated in macOS 10.16 & no longer relevant moving forward.
I am using Symantecs System Extension already installed on a test machine to gather the necessary information required in order to create the profile payloads & deploy enterprise wide.
Introduced in macOS 10.15 Catalina is the System Extension Controls Command. This command contains the following options.
systemextensionsctl(8) BSD System Manager's Manual systemextensionsctl(8) NAME systemextensionsctl -- System Extensions control DESCRIPTION The systemextensionsctl program can be used to list and control System Extensions installed on this machine. Darwin February 7, 2019 Darwin
systemextensionsctl: usage: systemextensionsctl developer [on|off] systemextensionsctl list [category] systemextensionsctl reset - reset all System Extensions state systemextensionsctl uninstall ; can also accept '-' for teamID
The Command we will be focusing on is systemextensionsctl list, when a System Extension is installed, this command provides us with the following information.
sudo systemextensionsctl list 1 extension(s) --- com.apple.system_extension.endpoint_security enabled active teamID bundleID (version) name [state] * * 9PTGMPNXZ2 com.symantec.mes.systemextension (10.0.0/10.0.0Symantec System Extension [activated enabled]
*Note the teamID & bundleID as we will need that information when creating the Configuration Profile & the name “com.symantec.mes.systemextension” as we will also use that later when locating the system extension.
*Very important to remember that the configuration profile must be deployed to & present on the end user / target machine prior to the client / application installation (in this example, Symantec) & the system extension(s) installation. If the configuration profile is not successfully deployed prior, the end user / target machine will still be prompted to manually allow the System Extension(s).
System Extension Configuration Profile
In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Configuration Profiles -> + New
Select: System Extensions Payload
Check: Allow users to approve system extensions
Display Name: Symantec (optional)
System Extension Types Dropdown Menu: Allowed System Extensions
Enter the teamID that was identified by utilizing the systemextensionsctl list command.
Under Allowed System Extensions, Select the + Add button on the right hand side of the window, Enter the bundleID that was identified by utilizing the systemextensionsctl list command. Save the bundleID setting (Not the entire profile).
Now Scope the Profile, Save & Deploy.
PPPC Configuration Profile
This will whitelist the system extension, in conjunction with the application that’s utilizing it, to access specific settings/locations on the machine.
To create the PPPC Configuration Profiles Payload, I will be utilizing Jamfs PPPC Utility
In order to create a PPPC Profile, you first need to know where to look. What are we looking for? In this case a System Extension & a property or properties to whitelist. When launching an application for the first time, a pop-up stating the application or part of the application (think binaries, etc) needs access to a certain part of the system (the property or properties), Desktop, Documents, Downloads, Photos, etc. However, that is not always the case when it comes to system extensions.Example of an Application prompting Access that requires a PPPC Profile
For this example, You would need to drag the Parallels Desktop application into the PPPC Utility & select the “Allow” option under the Documents Folder (property).
After Selecting “Fix” it prompts System Preferences to Open & Takes you directly to the Property that needs to be whitelisted, in this case we already knew “Full Disk Access”.
In order for Jamfs PPPC Utility to create a profile for the “Symantec System Extension” we need to locate the system extension file. Most System Extensions will be located in the /Library/SystemExtensions Directory. If this is not the case, you can search for the system extension file by running a find command using the system extensions name we located earlier by utilizing the system extensions control command. I used the mdfind command to locate Symantecs system extension.
sudo mdfind -name com.symantec.mes.systemextension
This results in the files location.
*Note the directory /AECF874B-1241-4F1D-9376-7445D1D7AC9D/ varies from machine to machine but this will not matter because the system extension is loaded & pppc only targets the loaded system extension regardless of path.
Now that we’ve located com.symantec.mes.systemextension.systemextension, launch Jamfs PPPC Utility, drag & drop the system extension into the “Applications” window pane, select it & whitelist the necessary properties. In this example, I’ve selected “Allow” for both the Accessibility & All Files Properties.
Once completed, select “Upload” in the bottom right hand corner of the PPPC Utility Window, Authenticate to your Jamf Pro Server & the PPPC Utility will upload it directly to your Configuration Profiles, ready to Scope & Deploy. Now, the System Extension being whitelisted allows Symantec to access all system files.
There you have it, a System Extension whitelisted via a configuration profile & a PPPC payload you can deploy throughout the enterprise.