Kernel Extensions
Use the Kernel Extensions settings to configure third-party kernel extensions that you allow on a device. When you configure these settings, the operating system does not block the kernel extensions even if these settings are not configured in the macOS MDM policy that is applied on the device.
The following table describes the Kernel Extension settings:
| Policy setting | Description | Supported devices |
|---|---|---|
| Configure Kernel Extension | Kernel extensions that are allowed on the device. | macOS 10.13.2 and later |
| Allow Users to Approve Kernel Extensions | If this setting is enabled, users can approve other third-party kernel extensions that are not listed in the macOS MDM policy that is applied on the device. | |
| Allow Non Admin User to approve kernel Extensions | When this setting is turned on, non-admin users can approve additional kernel extensions in the Security & Privacy preferences. Supported on macOS 11 and later. The default value is False. | macOS 11 and later |
| Allowed Team Identifier | An alphanumeric string (only 10 uppercase or numeric characters are allowed) that uses the
vendor's Developer ID to sign the kexts certificate identifier. All kernel extensions that are associated with the team identifier are allowed. |
|
| Kernel Extension Bundle IDs | Comma-separated bundle IDs for the kernel extensions that are allowed on the device. One team identifier can have one or more kernel extension bundle IDs. |
Note: If a bundle ID is not provided, all kernel extensions that are associated with the
team ID are allowed. If both bundle IDs and the team ID are provided, only those bundle IDs that are
associated with the team ID are allowed.