This Library Item is available for Mac computers

What Is a System Extension?

System extensions are the modern replacement for kernel extensions (kexts) in macOS Catalina and later. With system extensions, Apple provides new frameworks for developers to perform tasks previously reserved for kexts. The primary benefit of system extensions is that they run in user space rather than kernel space, which means they can’t compromise the built-in security or stability of macOS. Although kexts still work in macOS Catalina, Apple has deprecated certain types, and developers should migrate their kexts to system extensions as equivalent frameworks become available. Currently, there are three new system extension frameworks available to replace kexts:
  • DriverKit: Create drivers for USB, Serial, NIC, and HID devices that users can install in macOS Catalina or newer. Learn more about DriverKit.
  • Network Extensions: Distribute network extension apps such as content filters, DNS proxies, and VPN clients as system extensions in macOS Catalina or newer. Learn more about NetworkExtension.
  • Endpoint Security: Monitor and block system events using the EndpointSecurity API to conform with security policies and protect from malicious activity in macOS Catalina or newer. Learn more about Endpoint Security.
Software that relies on functionality outside these new frameworks, such as virtualization software, must continue to use kexts until Apple offers equivalent system extension frameworks. System extensions can also be allowed using a separate configuration profile. If you’re using an application that still uses a kernel extension, we recommend reaching out to your software vendor to encourage them to migrate to system extensions.

Additional Information

  • Kernel Extensions Overview - Apple Developer Documentation Archive
  • System Extensions - Apple Developer

What Is a Kernel Extension?

Kernel extensions, sometimes referred to as kexts, allow developers to load code dynamically into the macOS kernel. They provide access to internal kernel interfaces that enable complex apps to function properly. Examples include virtualization applications and hypervisors such as Parallels or VMware Fusion.

The Difference Between Kernel Extensions and System Extensions

If you’re unsure whether a piece of software uses a system extension or a kext, there are a few ways to find out:
  • Contact the software manufacturer
  • After installing your software, run the command below to list all active system extensions. If no system extensions are listed, the software likely uses a legacy kext.
systemextensionsctl list
Here’s an example of the output you might see if no system extensions are installed:
Iru Endpoint Support@TestMac1 ~ % systemextensionsctl list
0 extension(s)
Here’s an example of the output you might see if a system extension is installed:
Iru Endpoint Support@TestMac1 ~ % systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 9PTGMPNXZ2 com.symantec.mes.systemextension (10.0.0/10.0.0) Symantec [activated enabled]

Create a System Extension Profile

Follow these steps to create a system extension profile in Iru Endpoint that will pre-approve an application’s system extension(s). To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Name the Profile

Give your new profile a descriptive name, such as System Extension Allowance.
2. Select Blueprints

Select the desired Blueprints.
3. Configure User Approval

Optional: If you deselect Allow users to approve system extensions, this will prevent all users on the Mac—including local administrators—from approving additional system extensions not approved via a profile. Selecting this option will also disapprove any system extensions a user has previously approved.
4. Input Team ID

Input the Team ID; this is the identifier in the third column of the Terminal output generated by the systemextensionsctl list command discussed above.
5. Provide Name

Optionally provide a Name to associate with the Team ID.
6. Configure System Extensions

Under the System Extensions portion, you may optionally change the default value of Approve all system extensions. Leaving this option at its default setting will preapprove any System Extension from the specified Team ID. You can optionally set this option to one of the following:
  • Allow specific system extensions: Allows you to specify the exact bundle ID of the specific system extension you want to approve; use the bundle ID generated by the systemextensionsctl list command described above. You can also optionally allow one or more of these specific extensions to be removed automatically by admin tooling, such as Iru Endpoint or a vendor-provided package.
  • Allow specific system extension types: Allows you to specify system extension types from a developer—such as endpoint security extensions, driver extensions, or network extensions—that you want to be preapproved. For our Symantec example, we would approve the Endpoint security extensions type, as this matches the extension type generated by the systemextensionsctl list command described above.
7. Add Additional Team IDs

Optionally, you can select the Add Team ID button to allow additional system extensions in a single profile.
8. Save Configuration

Click Save.
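
As an added example (not Iru Endpoint or Apple code), the shell functions below extract the Team ID, bundle ID and extension type needed in steps 4 and 6 from systemextensionsctl list output, and list extensions whose Team ID is not on a given allowlist, which are the ones a profile with user approval deselected would not cover. The sample output is constructed from the example above plus a hypothetical driver extension (TEAMID0000, com.example.driver.dext); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code; function names are assumptions.
# Constructed sample: the row shown on this page plus one hypothetical
# driver extension (TEAMID0000 / com.example.driver.dext).
sample_output() {
cat <<'EOF'
2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 9PTGMPNXZ2 com.symantec.mes.systemextension (10.0.0/10.0.0) Symantec [activated enabled]
--- com.apple.system_extension.driver_extension
enabled active teamID bundleID (version) name [state]
  TEAMID0000 com.example.driver.dext (1.0/1) Example Driver [activated waiting for user]
EOF
}

# Emit one tab-separated row per extension: teamID, bundleID, type, state.
parse_sysext() {
  LC_ALL=C awk '
    # Category line names the extension type for the rows that follow.
    /^--- / { type = $2; sub(/^com\.apple\.system_extension\./, "", type); next }
    {
      # Team ID: first 10-character upper-case alphanumeric field; the bundle
      # ID is the field after it and the state is the text inside [ ].
      for (i = 1; i < NF; i++)
        if (length($i) == 10 && $i ~ /^[A-Z0-9]+$/) {
          state = $0
          sub(/^.*\[/, "", state); sub(/\].*$/, "", state)
          printf "%s\t%s\t%s\t%s\n", $i, $(i + 1), type, state
          break
        }
    }'
}

# Print teamID and bundleID for rows whose Team ID is not in the
# space-separated allowlist passed as $1 (Team ID match only).
not_allowlisted() {
  allow=" $1 "
  parse_sysext | while IFS="$(printf '\t')" read -r team bundle type state; do
    case "$allow" in
      *" $team "*) ;;
      *) printf '%s\t%s\n' "$team" "$bundle" ;;
    esac
  done
}

# On a Mac: systemextensionsctl list | parse_sysext
sample_output | parse_sysext
sample_output | not_allowlisted "9PTGMPNXZ2"
```

The type column (endpoint_security, driver_extension, network_extension) corresponds to the extension types offered under Allow specific system extension types.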