Is the KextPolicy db the only place macOS High Sierra stores the user approved approvals for kexts?

While trying to move our company to a more MDM + DEP centric workflow, we are trying to document for our support staff easy ways to deal with user approval of kernel extensions for software we deploy before we move to whitelisting through MDM deployments.


I've not found any good documentation for deployment guidelines or architectural overviews but picked up from posts that the kext policy database holds the authorisations, from what I can make out.


I wanted to emulate a few times the authorisation warnings for staff, by wiping out the kext loading authorisation and showing the warnings and how to resolve.


  • Testing done on High Sierra 10.13.4 on a 2015 MBP
  • Software with Kexts: Anti-Virus, Google Drive File Stream and Third party ethernet driver for USB-C multi-adaptor


Here's what I did:


1. Reboot into recovery

2. Unlock the boot drive

3. Open terminal

4. chroot /Volumes/[VolumeName]

5. sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

6. Listed all the kext_policy table records:

SELECT * FROM kext_policy;

7. The list of entries were all the ones we added, so I removed them all:

DELETE FROM kext_policy;

8. Checked this removed them all:

SELECT * FROM kext_policy;

9. Did the same for the kext_load_history_v3 (not sure if this is necessary)

10. Exited the database

11. Rebooted the machine

12. The machine then came up, logged in and received "System Extension Blocked" warnings for all three kexts.

13. Happy with this, I checked none of the 3rd party kexts were loading with:

kextstat | grep -v com.apple

14. Received nothing back.

15. Approved the extensions through System Preferences, and checked again with kextstat to make sure all were loaded (in this case had to reboot for one of them - but then all available)

16. I then tried the same thing again, removing just one of the records from the KextPolicy database. This time though on reboot the kext was still authorised.

17. At this point I was a bit confused. Tried blowing all the entries away as on the first try, but this time found that only one of the three was de-authorised to load - The Google Drive File Stream FUSE kext.


So I'm obviously missing something here - the info I've found is incomplete, the authorisation process is a bit flaky, or is it caching authorisations somewhere else?


As I'm predominantly a systems engineer and not a developer - I'm a bit stuck now. Yep, I can try on more than one machine and this could be a one-off issue, but I'm interested in finding out more around this and hoping folks out there can point me in the right direction.


Any help greatly appreciated.
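Added example, not code from the post above: a Python script that inspects a KextPolicy-style SQLite database the way the poster's steps 5 to 8 do, but opened read-only so support staff can list the approval rows and check which expected kexts are not yet allowed without risking the DELETE. The table layout it uses (kext_policy with team_id, bundle_id, allowed, developer_name, flags; kext_load_history_v3 with path, team_id, bundle_id, boot_uuid, created_at, last_seen, flags) is my assumption about the High Sierra schema, and every team ID, bundle ID and path in it is a constructed placeholder. It builds a throwaway copy of the database so it runs offline; pointing open_readonly() at /var/db/SystemPolicyConfiguration/KextPolicy (as root) inspects the real one.

```python
"""Read-only inspection of a KextPolicy-style SQLite database (added example)."""
import os
import sqlite3
import tempfile

# Assumed table layout for High Sierra's KextPolicy (not stated in the post).
SCHEMA = """
CREATE TABLE kext_policy (
    team_id TEXT, bundle_id TEXT, allowed BOOLEAN,
    developer_name TEXT, flags INTEGER,
    PRIMARY KEY (team_id, bundle_id)
);
CREATE TABLE kext_load_history_v3 (
    path TEXT, team_id TEXT, bundle_id TEXT, boot_uuid TEXT,
    created_at TEXT, last_seen TEXT, flags INTEGER
);
"""

# Constructed sample rows: team IDs, bundle IDs and paths are placeholders.
SAMPLE_POLICY = [
    ("TEAMID0001", "com.example.av.kext", 1, "Example AV Inc.", 1),
    ("TEAMID0002", "com.example.fuse", 1, "Example FUSE Corp", 1),
    ("TEAMID0003", "com.example.usbc-ethernet", 0, "Example Drivers Ltd", 1),
]
SAMPLE_HISTORY = [
    ("/Library/Extensions/ExampleAV.kext", "TEAMID0001", "com.example.av.kext",
     "BOOT-UUID-1", "2018-04-01 10:00:00", "2018-04-02 09:00:00", 0),
]


def build_sample_db(path):
    """Create a throwaway database with the assumed schema and sample rows."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO kext_policy VALUES (?,?,?,?,?)", SAMPLE_POLICY)
    conn.executemany("INSERT INTO kext_load_history_v3 VALUES (?,?,?,?,?,?,?)",
                     SAMPLE_HISTORY)
    conn.commit()
    conn.close()
    return path


def open_readonly(path):
    """Open the database read-only so inspection cannot alter approvals."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_policy(conn):
    """Return every kext_policy row as a dict, sorted for stable output."""
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        "SELECT team_id, bundle_id, allowed, developer_name, flags "
        "FROM kext_policy ORDER BY team_id, bundle_id").fetchall()
    return [dict(r) for r in rows]


def missing_approvals(conn, expected):
    """Return (team_id, bundle_id) pairs from `expected` that are absent or not allowed."""
    approved = {(r["team_id"], r["bundle_id"]) for r in list_policy(conn) if r["allowed"]}
    return [pair for pair in expected if pair not in approved]


def load_history(conn, bundle_id):
    """Return (path, boot_uuid, last_seen) tuples recorded for one bundle id."""
    rows = conn.execute(
        "SELECT path, boot_uuid, last_seen FROM kext_load_history_v3 "
        "WHERE bundle_id = ? ORDER BY last_seen", (bundle_id,)).fetchall()
    return [tuple(r) for r in rows]


def write_rejected(conn):
    """True if the read-only connection refuses a DELETE, as intended."""
    try:
        conn.execute("DELETE FROM kext_policy")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Build the sample db in a temp dir, inspect it read-only, and clean up."""
    tmpdir = tempfile.mkdtemp()
    path = build_sample_db(os.path.join(tmpdir, "KextPolicy"))
    try:
        conn = open_readonly(path)
        expected = [(t, b) for t, b, _, _, _ in SAMPLE_POLICY]
        result = {
            "policy": list_policy(conn),
            "missing": missing_approvals(conn, expected),
            "history": load_history(conn, "com.example.av.kext"),
            "read_only": write_rejected(conn),
        }
        conn.close()
        return result
    finally:
        os.remove(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    out = demo()
    for row in out["policy"]:
        print("%-12s %-28s allowed=%d  %s" % (row["team_id"], row["bundle_id"],
                                              row["allowed"], row["developer_name"]))
    print("not yet approved:", out["missing"])
    print("read-only enforced:", out["read_only"])
```

The read-only URI mode is the point: it reproduces the poster's SELECT checks while making the DELETE in step 7 fail, which is the safer default for a support script that only needs to report approval state. Comparing the allowed rows against the list of kexts a deployment expects gives staff a direct answer to "which of our extensions still needs user approval" on a given machine.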