User-Approved Kernel Extension Loading

Hi All

According to the tech note at https://developer.apple.com/library/content/technotes/tn2459/_index.html#//apple_ref/doc/uid/DTS40017658

at the end Apple states: "all systems with a valid MDM profile installed will not require user approval to load any properly-signed kernel extension".


I have looked at the new 10.13 server profile manager and Apple Configurator 2.5 and there are no kext loading sections that I can see.

Can anyone shed any light on what they mean by a "valid MDM profile"?


Cheers


Jonathan

Replies

https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/1-Introduction/Introduction.html


"The MDM payload can be placed within a configuration profile (.mobileconfig) file distributed using email or a webpage, as part of the final configuration profile delivered by an over-the-air enrollment service, or automatically using the Device Enrollment Program. Only one MDM payload can be installed on a device at any given time."


Sorry to provide such a broad-scope article, but you may want to brush up on what constitutes a device as "managed", and what that means from a management/end-user perspective. When there is a device-level (mobileconfig) MDM profile installed on the device, it then becomes "managed", so to answer your question, a valid MDM profile is an installed mobileconfig profile (System Preferences > Profiles) which designates that device is "managed" by an administrative Mobile Device Management Server (be it an available Profile Manager instance, AirWatch MDM, or any other variety of MDM solutions).


Hope this helps a bit.
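
Added example, not part of the thread or of Apple's documentation: a way to check whether an exported, unsigned .mobileconfig file carries the MDM payload the reply describes, and that it carries only one. It assumes Apple's `com.apple.mdm` payload type identifier (not quoted on this page); the sample profile, its identifiers and URL are constructed placeholders, and the function names are hypothetical.

```python
import plistlib

MDM_PAYLOAD_TYPE = "com.apple.mdm"  # assumption: PayloadType of the MDM payload

# Constructed sample profile; identifiers and ServerURL are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enrollment</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.enrollment.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.com/server</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.enrollment.wifi</string>
    </dict>
  </array>
</dict>
</plist>
"""

def mdm_payloads(profile_bytes):
    """Return the MDM payload dicts found in an unsigned .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    content = profile.get("PayloadContent", [])
    return [p for p in content
            if isinstance(p, dict) and p.get("PayloadType") == MDM_PAYLOAD_TYPE]

def is_mdm_enrollment_profile(profile_bytes):
    """True when the profile carries exactly one MDM payload."""
    found = mdm_payloads(profile_bytes)
    if len(found) > 1:
        # The protocol reference quoted above allows only one MDM payload.
        raise ValueError("more than one MDM payload in profile")
    return len(found) == 1

if __name__ == "__main__":
    print(is_mdm_enrollment_profile(SAMPLE_PROFILE))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.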