System Extensions

Administrators can use System Extensions to remotely install app extensions that extend the functions of the operating system without requiring kernel-level access.

System Extensions run in user space rather than kernel space, so they do not compromise the security and stability of macOS. Although system extensions and kernel extensions serve the same purpose, the System Extensions framework offers advanced security and reliability and can execute tasks that were previously reserved for kernel extensions. After System Extensions are installed, they are available to all users on the system. You can delete these extensions by deleting the app.

MaaS360 supports the following extensions:
  • Driver extensions: These extensions include supported drivers such as USB, Serial, network interface cards (NIC), and human interface devices (HID).
  • Network extensions: These extensions support network extension apps such as content filters, DNS proxies, and VPN clients.
  • Endpoint Security extensions: These extensions include endpoint security clients such as Endpoint Detection and Response software and antivirus software.

Creating a System Extensions profile

Follow these steps to create a System Extensions profile:
  1. From the MaaS360 Portal Home page, go to Security > Policies.
  2. Open a macOS MDM policy and then click Advanced > System Extensions.
  3. Enter the following System Extension settings:

| Policy setting | Description | Supported devices |
| --- | --- | --- |
| Configure System Extension | System extensions that are allowed on the device. | macOS 10.15+ |
| Allow Users to Approve system extensions | If this setting is enabled, users can approve additional system extensions that are not included in this policy. | |
| Allowed Team Identifier | A unique 10-digit alphanumeric string that is generated by Apple and is associated with the developer account. All system extensions that are signed by these identifiers are loaded on the device. Use comma-separated team IDs to load multiple system extensions from various developers on the device. | |
| Allowed System Extension Types | The supported system extension types. | |
| Allow All System Extensions | If this setting is enabled, MaaS360 loads all of the system extensions that are signed with the trusted/allowed Team identifiers (developers). | |
| System Extension Bundle IDs | A unique parameter that is specific to each system extension. Add both the team ID and bundle ID to approve specific system extensions from the specified developer. Note: If you do not provide a bundle ID, all system extensions that are associated with the team ID are allowed. | |
| Removable System Extension Bundle IDs | The comma-separated bundle IDs of the system extensions that are allowed to remove themselves from the machine. | macOS 12+ |
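
The following Python check is an added example, not MaaS360 or Apple code: it reviews a System Extensions policy for the broad settings described above, such as user approval and team-wide allowance when no bundle ID is given. It assumes the policy is delivered as Apple's `com.apple.system-extension-policy` profile payload with that payload's key names; the `audit_policy` function, team IDs, and bundle IDs are constructed for illustration.

```python
import plistlib
import re

TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")  # 10-character team identifier
KNOWN_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}

# Constructed sample payload; team IDs and bundle IDs are placeholders.
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>com.apple.system-extension-policy</string>
  <key>AllowUserOverrides</key><true/>
  <key>AllowedTeamIdentifiers</key>
  <array><string>ABCDE12345</string><string>bad-id</string></array>
  <key>AllowedSystemExtensions</key>
  <dict><key>FGHIJ67890</key><array><string>com.example.edr.extension</string></array></dict>
  <key>AllowedSystemExtensionTypes</key>
  <dict><key>FGHIJ67890</key><array><string>KernelExtension</string></array></dict>
  <key>RemovableSystemExtensions</key>
  <dict><key>FGHIJ67890</key><array><string>com.example.other.extension</string></array></dict>
</dict></plist>"""

def audit_policy(raw: bytes) -> list[str]:
    """Return review findings for one system extension policy payload."""
    p = plistlib.loads(raw)
    allowed = p.get("AllowedSystemExtensions", {})        # team ID -> bundle IDs
    team_wide = p.get("AllowedTeamIdentifiers", [])       # teams allowed wholesale
    types_by_team = p.get("AllowedSystemExtensionTypes", {})
    findings = []
    # Apple documents this key as defaulting to true when it is absent.
    if p.get("AllowUserOverrides", True):
        findings.append("users can approve extensions outside this policy")
    # A team ID without bundle IDs allows everything that team signs.
    for team in team_wide:
        findings.append(f"{team}: every extension signed by this team is allowed")
    for team in sorted(set(team_wide) | set(allowed) | set(types_by_team)):
        if not TEAM_ID_RE.match(team):
            findings.append(f"{team}: not a 10-character team ID")
    for team, types in types_by_team.items():
        for t in sorted(set(types) - KNOWN_TYPES):
            findings.append(f"{team}: unknown extension type {t}")
    # Removable entries should name extensions the policy actually allows.
    for team, bundles in p.get("RemovableSystemExtensions", {}).items():
        if team in team_wide:
            continue
        for b in sorted(set(bundles) - set(allowed.get(team, []))):
            findings.append(f"{team}: removable {b} is not an allowed bundle ID")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_PAYLOAD):
        print(finding)
```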