Configure System Extensions Profile
System extensions on macOS allow software, such as network extensions, DriverKit, and endpoint security solutions, to extend the functionality of macOS without requiring kernel-level access. System extensions run in user space, ensuring they do not compromise the security or stability of macOS.
This profile enables administrators to manage system extension access for applications and installers on target devices. It is applicable only to Device Enrollments.
To create a profile to configure System Extensions on the enrolled device(s), follow these steps:
On the SureMDM Web Console, navigate to Profiles > macOS > Add > System Extensions > Configure.
Enter a Profile Name and click Add.
In the Configure System Extension Action prompt, configure the below options and click Add:
| Settings | Description |
|---|---|
| System Extension Action | Select the action type: Allowed Team Identifiers - A Team identifier defines valid, signed system extensions that are allowed to load. Approved system extensions are those signed with any of the specified team identifiers. Allowed System Extensions - Allows all System Extensions by defining each one by Bundle Identifier and Team Identifier (if required) |
| Team Identifier | A team identifier is 10 alphanumeric characters long. You can find your team ID on developer.apple.com |
| System Extension Types | Allows specific/all System Extensions against a Team Identifier - Network Extension - Driver Extension - Endpoint Security Extension |
| Bundle ID | Specify the Bundle ID of the application. Upon adding, system will allow all system extensions against the bundle ID of the application |
The added configuration will be reflected in the table section.
- The following option should be checked if required:
- Block user Overrides - When checked, it prevents users from approving additional system extensions beyond those explicitly allowed by configuration profiles
- Click Save.
The newly created profile will be listed in the Profiles section.
Go back to the Home tab and select the macOS device(s) or group(s).
Click Apply to launch the Apply Job/Profile To Device prompt.
In the Apply Job/Profile To Device prompt, select the Created Profile, and click Apply.