System Extension : How to identify on macOS, Create a Configuration Profile, a PPPC Payload, & Deploy with Jamf (Example: Symantec System Extension)


Introduced in the latest version of macOS is the System Extension. If you would like to read more about System Extensions, I suggest reading Scott Knight's informative post, as it’s the best I’ve seen.

In this post I am going to detail how to identify a System Extension that is present on the machine using Terminal or a CLI, how to create the configuration profile, and how to create a PPPC payload using Jamf's PPPC Utility. I am not detailing Kernel Extensions, as they are considered legacy on macOS 10.15, deprecated in macOS 10.16 & no longer relevant moving forward.

I am using Symantec's System Extension, already installed on a test machine, to gather the information required to create the profile payloads & deploy enterprise wide.

Identify

Introduced in macOS 10.15 Catalina is the System Extension Controls command, systemextensionsctl. This command has the following options.

Man Page

systemextensionsctl(8)    BSD System Manager's Manual   systemextensionsctl(8)

NAME
     systemextensionsctl -- System Extensions control

DESCRIPTION
     The systemextensionsctl program can be used to list and control System Extensions installed on this machine.

Darwin                         February 7, 2019                         Darwin

Usage

systemextensionsctl: usage:
	systemextensionsctl developer [on|off]
	systemextensionsctl list [category]
	systemextensionsctl reset  - reset all System Extensions state
	systemextensionsctl uninstall <teamId> <bundleId>; can also accept '-' for teamID

The command we will be focusing on is systemextensionsctl list. When a System Extension is installed, this command provides us with the following information.

sudo systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	9PTGMPNXZ2	com.symantec.mes.systemextension (10.0.0/10.0.0)	Symantec System Extension	[activated enabled]

*Note the teamID & bundleID as we will need that information when creating the Configuration Profile & the name “com.symantec.mes.systemextension” as we will also use that later when locating the system extension.

 

Race Condition

*It is very important to remember that the configuration profile must be deployed to & present on the end user / target machine before the client / application (in this example, Symantec) & its system extension(s) are installed. If the configuration profile is not successfully deployed first, the end user / target machine will still be prompted to manually allow the System Extension(s).

System Extension Configuration Profile

In your Jamf Pro Dashboard, Navigate to the following path
Computers -> Configuration Profiles -> + New

Select: System Extensions Payload
Select: Configure
Check: Allow users to approve system extensions
Display Name: Symantec (optional)
System Extension Types Dropdown Menu: Allowed System Extensions

Enter the teamID that was identified by utilizing the systemextensionsctl list command.

9PTGMPNXZ2

Under Allowed System Extensions, Select the + Add button on the right hand side of the window, Enter the bundleID that was identified by utilizing the systemextensionsctl list command. Save the bundleID setting (Not the entire profile).

com.symantec.mes.systemextension

Now Scope the Profile, Save & Deploy.
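
The identify step and the System Extensions payload above, as an added shell example (not part of the original post or of Jamf's tooling): it reads the teamID and bundleID out of a constructed sample of the systemextensionsctl list output and prints the policy keys of the matching com.apple.system-extension-policy payload. The tab-separated column layout and the function names are assumptions; AllowUserOverrides is the key behind the "Allow users to approve system extensions" checkbox.

```shell
#!/bin/sh
# Added example. Constructed sample of `systemextensionsctl list` output,
# modelled on the listing above; columns are assumed to be tab-separated.
sample_list() {
  printf '1 extension(s)\n--- com.apple.system_extension.endpoint_security\n'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\t9PTGMPNXZ2\tcom.symantec.mes.systemextension (10.0.0/10.0.0)\t'
  printf 'Symantec System Extension\t[activated enabled]\n'
}

# Print "teamID bundleID" for each row in state "activated enabled".
# The header row is skipped because "teamID" is not a 10-character team ID.
parse_sysext() {
  awk -F '\t' '
    NF >= 6 && length($3) == 10 && $3 ~ /^[A-Z0-9]+$/ && $6 ~ /activated enabled/ {
      split($4, b, " ")   # drop the trailing "(version)" from the bundleID column
      print $3, b[1]
    }'
}

# Turn "teamID bundleID" pairs into the policy keys of a
# com.apple.system-extension-policy payload, one array per team ID.
emit_policy() {
  sort -u | awk '
    BEGIN {
      print "<key>PayloadType</key>"
      print "<string>com.apple.system-extension-policy</string>"
      print "<key>AllowUserOverrides</key>"
      print "<true/>"
      print "<key>AllowedSystemExtensions</key>"
      print "<dict>"
    }
    $1 != team {
      if (team != "") print "  </array>"
      team = $1
      print "  <key>" team "</key>"
      print "  <array>"
    }
    { print "    <string>" $2 "</string>" }
    END {
      if (team != "") print "  </array>"
      print "</dict>"
    }'
}

# On a Mac: sudo systemextensionsctl list | parse_sysext | emit_policy
sample_list | parse_sysext | emit_policy
```

Comparing this output with the profile Jamf Pro produces is a quick way to confirm the teamID and bundleID were entered exactly as the extension reports them.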

PPPC Configuration Profile

This will whitelist the system extension, in conjunction with the application that’s utilizing it, to access specific settings/locations on the machine.

Read more about User Data Protection & Privacy Preference Policy Controls here

To create the PPPC Configuration Profile's payload, I will be using Jamf's PPPC Utility.

In order to create a PPPC Profile, you first need to know where to look. What are we looking for? In this case, a System Extension & a property or properties to whitelist. When an application is launched for the first time, a pop-up usually appears stating that the application or part of the application (think binaries, etc.) needs access to a certain part of the system (the property or properties): Desktop, Documents, Downloads, Photos, etc. However, that is not always the case when it comes to system extensions.

Example of an Application prompting Access that requires a PPPC Profile

For this example, you would need to drag the Parallels Desktop application into the PPPC Utility & select the “Allow” option under the Documents Folder (property).

Using Symantec Endpoint Protection for my example, when first launched it states at the top “Full Disk Access is not enabled” with a “Fix” button.

After selecting “Fix”, it prompts System Preferences to open & takes you directly to the property that needs to be whitelisted; in this case we already knew it was “Full Disk Access”.

In order for Jamf's PPPC Utility to create a profile for the “Symantec System Extension”, we need to locate the system extension file. Most System Extensions will be located in the /Library/SystemExtensions directory. If this is not the case, you can search for the system extension file by running a find command using the system extension's name, which we located earlier with the system extensions control command. I used the mdfind command to locate Symantec's system extension.

sudo mdfind -name com.symantec.mes.systemextension

This returns the file's location.

/Library/SystemExtensions/AGF4574B-1241-561D-9376-7446D1D7AC9D/com.symantec.mes.systemextension.systemextension
*Note the directory /AGF4574B-1241-561D-9376-7446D1D7AC9D varies from machine to machine, but this will not matter because the system extension is loaded & PPPC only targets the loaded system extension regardless of path.

Now that we’ve located com.symantec.mes.systemextension.systemextension, launch Jamf's PPPC Utility, drag & drop the system extension into the “Applications” window pane, select it & whitelist the necessary properties. In this example, I’ve selected “Allow” for both the Accessibility & All Files properties.

Once completed, select “Upload” in the bottom right hand corner of the PPPC Utility window, authenticate to your Jamf Pro Server & the PPPC Utility will upload it directly to your Configuration Profiles, ready to Scope & Deploy. Now, the System Extension being whitelisted allows Symantec to access all system files.

There you have it, a System Extension whitelisted via a configuration profile & a PPPC payload you can deploy throughout the enterprise.

6,703 thoughts on “System Extension : How to identify on macOS, Create a Configuration Profile, a PPPC Payload, & Deploy with Jamf (Example: Symantec System Extension)”

  1. Great information but I have a question. Following these steps, should I end up with one Configuration file containing the PPPC Configuration Profile and System Extension or two separate ones?

    1. 2 Separate Configuration Profiles. 1 for PPPC & 1 For System Extension.

      Granularity regarding configuration profiles is best practice in my opinion.

      Thank you Jeff.
