Is there any way to disable and remove a system extension with root

Hi Experts,


Do you know if there is any way to disable and remove a system extension with root (no source code)? I tried systemextensionsctl, but it needs SIP to be disabled.

Thanks in advance.

Accepted Reply

As far as I can tell, Apple has designated the Finder as the "API" for this task.

I have a slightly different spin on this, namely that there is no API for this task. This comes up with a lot of security- and privacy-sensitive features:

  • For development and testing machines, you can disable SIP.

  • For managed machines, you can use MDM.

  • Otherwise there is no API because the feature is under the explicit control of the user.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

When I need to disable a sysex, I use the Finder to delete its containing app.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo,


Glad to see your reply :)

Actually, I want to create a shell script to do so (delete the app), but I can still see the system extension after reboot.


You must use the Finder to delete the container app. Supposedly, systemextensionsctl will be updated one day so that it doesn't require SIP disabled. It is possible there is some system task scheduled inside launchd that could do it. I haven't bothered to go looking for such a thing. That would be a fragile solution anyway. As far as I can tell, Apple has designated the Finder as the "API" for this task.

Thanks, John, for your clarification.

But what if the user wants to use one of those popular "app zapper" or "clean up" tools?


I realize there are two classes of users. Many users are unaware of the existence of kernel extensions, system extensions, launch daemons, etc. When they want to uninstall software, they drag an app to the trash. This API serves that class of users.


But there are many other users who have a bit more knowledge. They know about some of these "detritus" files, but they don't know what they do or how to properly shut them down and remove them. They use a number of popular utilities that search the system for any files whose name or metadata matches a bundle ID. Some of these files are actually created and managed by the operating system, but they don't know or care about that. They then delete all those files using whatever means the tool uses. That is probably not going to be the Finder. This API harms those users.


In a few cases, developers themselves don't know about any of this. One popular app that was one of the first to use system extensions also uses a custom uninstaller that does not properly delete its system extension. Another popular app doesn't include an uninstaller at all. Its web site tells users to drag the app to the trash, ignoring the launchd tasks. I met a developer from this company at a conference once and specifically asked him about this problem. He was aware of the problem, but simply didn't care. These are popular apps that are more likely to be used by that first class of users. This API harms those users.


I recognize that the first group of users are much more pleasant to deal with than the second. But all customers are vulnerable to developers of tools that either delete wide swaths of files from other developers or don't even delete their own files. Many users simply don't have the knowledge necessary to exercise this control. This is a problem that I see every day.

Hi,

I'm disabling my System Extension with root, by calling the System Extension Container App with an argument to deactivate.
But even though it is executed with sudo, an alert pops up asking for the password to approve the deactivation.

Is there a way to avoid this alert using MDM?