...
Over the past few years, Apple has been making changes to macOS that affect the ability to deploy and manage software that uses Kernel Extensions (kexts). As software developers migrate to the newer System Extension APIs, some apps that still use legacy kexts may face new challenges getting installed on macOS 11.

The Kernel Extension profile remains a requirement for deploying kexts on macOS. But on macOS 11, devices will need to go through an extra step to complete the kext approval, requiring a user reboot.

Apple has provided the following articles to help administrators understand the implications of kexts for the device and user, depending on the enrollment type and device type:

- Kernel Extensions in macOS
- Enterprise management of legacy system extensions in macOS Big Sur
- Kernel extensions in a Mac with Apple silicon

The above articles outline some options to use the MDM protocol to aid in kext approval on macOS. While not all of these features are yet supported in the UEM console, administrators can use the Custom Commands feature to send the required settings.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
Intel Macs

For Intel-based Macs, a reboot to rebuild the kernel cache is required every time a kext is installed or updated. If the user does not initiate it from the System Preferences pane, an MDM command can be sent to the device.

1. Navigate to Devices > List View
2. Select a macOS 11+ device > More Actions > Custom Command
3. Paste the following XML

    <dict>
        <key>RebuildKernelCache</key>
        <true/>
        <key>KextPaths</key>
        <array>
            <string>/Library/Extensions/Path-To-Extension-Here.kext</string>
        </array>
        <key>RequestType</key>
        <string>RestartDevice</string>
    </dict>

The KextPaths key is only required if the kext has not already tried to load before.

On macOS 11.3+ the NotifyUser key can be added to the command to warn the user to perform the reboot.

    <dict>
        <key>RebuildKernelCache</key>
        <true/>
        <key>KextPaths</key>
        <array>
            <string>/Library/Extensions/Path-To-Extension-Here.kext</string>
        </array>
        <key>NotifyUser</key>
        <true/>
        <key>RequestType</key>
        <string>RestartDevice</string>
    </dict>

Apple Silicon Macs

For M1 Macs, users will still need to reboot, but will also need to change a setting in recoveryOS. Using an MDM command, macOS will instruct the user to reboot to change the setting manually.

1. Navigate to Devices > List View
2. Select an Apple Silicon macOS 11+ device > More Actions > Custom Command
3. Paste the following XML

    <dict>
        <key>RequestType</key>
        <string>Settings</string>
        <key>Settings</key>
        <array>
            <dict>
                <key>Item</key>
                <string>MDMOptions</string>
                <key>MDMOptions</key>
                <dict>
                    <key>PromptUserToAllowBootstrapTokenForAuthentication</key>
                    <true/>
                </dict>
            </dict>
        </array>
    </dict>

Sending this command will instruct macOS to warn the user that they must shut down, boot to recoveryOS, and downgrade to Reduced Security.
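A pre-flight check for the Intel RestartDevice custom command described above, so that a malformed fragment is caught before it is pasted into the console. This is an added example, not VMware's or Apple's code; the function name `lint_restart_command` is hypothetical, and the check assumes Apple's RestartDevice schema, in which KextPaths is an array of strings.

```python
import plistlib

WRAPPER = '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">{}</plist>'

# Constructed sample: the page's command, with its placeholder kext path.
SAMPLE = """<dict>
  <key>RebuildKernelCache</key><true/>
  <key>KextPaths</key>
  <array><string>/Library/Extensions/Path-To-Extension-Here.kext</string></array>
  <key>NotifyUser</key><true/>
  <key>RequestType</key><string>RestartDevice</string>
</dict>"""

def lint_restart_command(fragment, os_version=(11, 0)):
    """Return a list of problems in a RestartDevice <dict> fragment ([] if clean)."""
    try:
        # The console takes a bare <dict>; wrap it so plistlib can parse it.
        cmd = plistlib.loads(WRAPPER.format(fragment).encode())
    except Exception as exc:  # malformed XML or invalid plist content
        return [f"not a parseable plist fragment: {exc}"]
    if not isinstance(cmd, dict):
        return ["top-level element must be <dict>"]
    problems = []
    if cmd.get("RequestType") != "RestartDevice":
        problems.append("RequestType must be RestartDevice")
    if cmd.get("RebuildKernelCache") is not True:
        problems.append("RebuildKernelCache must be <true/>")
    paths = cmd.get("KextPaths", [])
    if not isinstance(paths, list):
        # Assumption: Apple's schema defines KextPaths as an array of strings.
        problems.append("KextPaths must be an <array> of <string> paths")
        paths = []
    for p in paths:
        if not (isinstance(p, str) and p.startswith("/") and p.endswith(".kext")):
            problems.append(f"KextPaths entry is not an absolute .kext path: {p!r}")
    # The page states NotifyUser is available on macOS 11.3+.
    if "NotifyUser" in cmd and os_version < (11, 3):
        problems.append("NotifyUser requires macOS 11.3+")
    return problems

if __name__ == "__main__":
    for issue in lint_restart_command(SAMPLE, os_version=(11, 3)) or ["OK"]:
        print(issue)
```

Pass the target device's macOS version as a tuple, for example `(11, 2)`, to catch a NotifyUser key sent to a device that predates 11.3.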