System Extensions (macOS Device)
Use the System Extensions profile configuration to allow installation of system
extensions. A system extension in macOS extends system functionality without
modifying the kernel, improving security and stability. System extensions run in
user space and include driver, network, and endpoint security extensions.
Note: If you enable an application's system extensions before
applying the payload, you cannot disable them in the configuration. For example,
if you enable a security extension before deploying the profile, the profile
cannot disable it.
Important: Requires macOS 10.15 or later.
You do this when:
General
Name | Specify a descriptive name for the system extensions payload. |
Allow user to approve extensions | Users can enable system extensions not explicitly allowed in this payload, such as during installation or when an application requires additional permissions. If they do not approve, the extension remains blocked and cannot run or modify the system. |
Allowed Team Identifiers
Valid signed system extensions | Provides the user an option to allow all validly signed system extensions of the specified team identifiers to load. |
Team identifier | Enter the team identifier of the application extension. A team identifier is a 10-character alphanumeric string (for example, EQHXZ8M8AV). |
Driver extension | Enable to support additional or specialized hardware functions through custom drivers. |
Network extension | Enable to extend and customize network functionality through advanced network configurations and protocols. This feature supports VPN services, network filtering, and traffic management to enhance and secure network operations. |
Endpoint security extension | Enhance system security by monitoring and managing security events on endpoints. Toggle this option to activate real-time threat detection, policy enforcement, and incident response. |
Allowed System Extensions
In the Allowed System Extensions section, you can specify which applications have
their system extensions enabled. For example, Google LLC has multiple applications
linked to its team identifier. To enable extensions for a specific application,
enter its bundle ID along with the team identifier.
System extensions | Provides the user an option to allow a specific set of system extensions to always load. Enter the bundle identifier and team identifiers for the allowed system extensions. Select the plus icon to start adding items. |
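
The following is an added example, not part of the original documentation or the product it describes: a small audit of an exported configuration profile that flags team-wide allows and user approval, which are the broader grants compared with a bundle ID under Allowed System Extensions. It assumes the settings above correspond to the keys of Apple's `com.apple.system-extension-policy` payload; the function names, payload identifiers, and the bundle ID `com.example.vendor.netfilter` are hypothetical.

```python
import plistlib
import re

POLICY_TYPE = "com.apple.system-extension-policy"
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")  # 10 alphanumerics; uppercase is assumed
EXT_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}

def audit_profile(profile_bytes):
    """Return findings for each system extension policy payload in a profile."""
    findings = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != POLICY_TYPE:
            continue
        # "Allow user to approve extensions": Apple documents the default as true.
        if p.get("AllowUserOverrides", True):
            findings.append("user-approval-allowed")
        teams = p.get("AllowedTeamIdentifiers", [])
        per_bundle = p.get("AllowedSystemExtensions", {})
        per_type = p.get("AllowedSystemExtensionTypes", {})
        for team in sorted(set(teams) | set(per_bundle) | set(per_type)):
            if not TEAM_ID_RE.fullmatch(team):
                findings.append(f"bad-team-id:{team}")
        # A team-wide entry lets every validly signed extension of that team load;
        # a bundle ID under "Allowed System Extensions" is the narrower grant.
        findings += [f"team-wide-allow:{team}" for team in sorted(teams)]
        for team, types in sorted(per_type.items()):
            findings += [f"unknown-type:{team}:{t}" for t in sorted(set(types) - EXT_TYPES)]
    return findings

def make_profile(policy):
    """Wrap one policy dict in a minimal profile (constructed sample data)."""
    payload = {"PayloadType": POLICY_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.sysext",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001", **policy}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})

# Constructed samples: EQHXZ8M8AV is the page's example team identifier,
# com.example.vendor.netfilter is a hypothetical bundle ID.
LOOSE = make_profile({"AllowUserOverrides": True,
                      "AllowedTeamIdentifiers": ["EQHXZ8M8AV"]})
TIGHT = make_profile({"AllowUserOverrides": False,
                      "AllowedSystemExtensions": {"EQHXZ8M8AV": ["com.example.vendor.netfilter"]},
                      "AllowedSystemExtensionTypes": {"EQHXZ8M8AV": ["NetworkExtension"]}})

if __name__ == "__main__":
    for name, prof in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, audit_profile(prof))
```

An empty result means the payload names specific bundle IDs, restricts them to known extension types, and leaves no approval decision to the user.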