Demystifying macOS System Extensions: A Comprehensive Guide
  • Explained
  • 5 minutes read
  • Modified: 15th Sep 2024

    August 11, 2024

Trio Team

Traditionally, developers relied on Kernel Extensions (KEXTs) to give their software access to system-level resources such as memory, disk operations, and hardware peripherals. This approach carried inherent security risk: a Kernel Extension runs inside the kernel, so a bug or malicious code in it can compromise the stability and integrity of the entire operating system. With Catalina (10.15), Apple introduced macOS System Extensions to mitigate this risk. The new model lets third-party developers extend macOS while keeping their code in user space, which improves both system security and resilience.

System Extension Frameworks: macOS System Extensions List

Apple’s System Extensions framework encompasses three distinct categories, each serving a specific purpose in extending macOS functionality:

  1. DriverKit Extensions

DriverKit Extensions are the modern successors to Kernel Extensions for facilitating hardware support. They enable device drivers, such as those for USB, serial, network interface cards (NICs), and human interface devices (HIDs), to operate within the user space instead of the kernel space. DriverKit includes user-space versions of specific I/O Kit classes, allowing the kernel to forward I/O Kit events to the user space, fostering a safer environment for driver execution.

  2. Network Extensions

Network Extensions empower developers to customize network behavior on macOS systems. This framework encompasses several extension types, including:

  • App Proxy: Designed for VPN clients that implement flow-oriented, custom VPN protocols and handle network traffic per connection or flow.
  • Packet Tunnel: Intended for VPN clients that implement packet-oriented, custom VPN protocols and manage network traffic at the packet level.
  • Filter Data: Filters network “flows,” enabling monitoring and modification of network data at the flow level.
  • Filter Packet: Filters individual network packets, enabling monitoring and modification of network data at the packet level.
  • DNS Proxy: Enables custom DNS providers, permitting monitoring and modification of DNS requests and responses.

  3. Endpoint Security Extensions

The Endpoint Security framework equips security vendors and developers with a comprehensive set of APIs to monitor and control system activity, safeguarding macOS systems against malicious threats. This framework provides a collection of APIs for monitoring and controlling processes, file system events, network activities, and kernel operations.

At its core, the Endpoint Security framework is implemented as a Kernel Extension (KEXT) located at /System/Library/Extensions/EndpointSecurity.kext. This KEXT comprises several key components, including the EndpointSecurityDriver, EndpointSecurityEventManager, EndpointSecurityClientManager, and EndpointSecurityMessageManager, facilitating seamless interaction between the operating system and the Endpoint Security framework.

Architectural Insights: Endpoint Security Framework

The Endpoint Security framework facilitates user-space communication through the IOUserClient class, leveraging two distinct subclasses based on the caller’s type:

EndpointSecurityDriverClient: This subclass requires the com.apple.private.endpoint-security.manager entitlement, which is exclusively held by the system process endpointsecurityd.

EndpointSecurityExternalClient: This subclass necessitates the com.apple.developer.endpoint-security.client entitlement, typically employed by third-party security software interacting with the Endpoint Security framework.

The libEndpointSecurity.dylib library serves as the communication bridge between system extensions and the kernel, leveraging the I/O Kit (IOKit) to interact with the Endpoint Security KEXT.

Two crucial system daemons play pivotal roles in managing and launching endpoint security system extensions:

endpointsecurityd: This daemon is responsible for managing and launching endpoint security system extensions, particularly during the early boot process. Only system extensions marked with NSEndpointSecurityEarlyBoot in their Info.plist file receive this early boot treatment.

sysextd: This daemon validates system extensions and moves them into the appropriate system locations. It then prompts the relevant daemon to load the extension. The SystemExtensions.framework is tasked with activating and deactivating system extensions.
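The entitlement split described above (the private manager entitlement reserved for endpointsecurityd versus the client entitlement used by third-party software) and the NSEndpointSecurityEarlyBoot Info.plist key are the kind of thing an administrator checks before approving a vendor's extension. The following script is an added example, not code from this post or from Trio; it parses a constructed Info.plist and entitlement set for a hypothetical Endpoint Security extension (com.example.edr.extension, a made-up bundle) and reports its category, early-boot status and any findings. The two entitlement names for Endpoint Security come from the text above; the extension point identifiers and the DriverKit and NetworkExtension entitlement names are assumptions based on Apple's developer documentation and should be verified there.

```python
import plistlib

# Constructed Info.plist for a hypothetical ES extension (not a real product).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.edr.extension</string>
  <key>NSEndpointSecurityEarlyBoot</key>
  <true/>
  <key>NSExtension</key>
  <dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.system_extension.endpoint_security</string>
  </dict>
</dict>
</plist>
"""

# Constructed entitlements as they would appear in the extension's code signature.
SAMPLE_ENTITLEMENTS = {
    "com.apple.developer.endpoint-security.client": True,
    "com.apple.security.app-sandbox": True,
}

# Extension point identifier -> (category, entitlement a third party needs).
# The ES client entitlement is from the post; the other two and the
# extension point strings are assumptions taken from Apple's documentation.
EXTENSION_POINTS = {
    "com.apple.system_extension.driver_extension":
        ("DriverKit", "com.apple.developer.driverkit"),
    "com.apple.system_extension.network_extension":
        ("Network", "com.apple.developer.networking.networkextension"),
    "com.apple.system_extension.endpoint_security":
        ("Endpoint Security", "com.apple.developer.endpoint-security.client"),
}

# Held only by endpointsecurityd; a third-party bundle claiming it is a red flag.
PRIVATE_ES_MANAGER = "com.apple.private.endpoint-security.manager"


def review_extension(info_plist_bytes, entitlements):
    """Classify a system extension bundle and list review findings."""
    info = plistlib.loads(info_plist_bytes)
    point = info.get("NSExtension", {}).get("NSExtensionPointIdentifier")
    category, required = EXTENSION_POINTS.get(point, ("Unknown", None))
    findings = []
    if category == "Unknown":
        findings.append(f"unrecognised extension point {point!r}")
    if required and not entitlements.get(required):
        findings.append(f"missing entitlement {required}")
    if entitlements.get(PRIVATE_ES_MANAGER):
        findings.append("claims the private ES manager entitlement reserved for endpointsecurityd")
    early_boot = bool(info.get("NSEndpointSecurityEarlyBoot", False))
    if early_boot and category != "Endpoint Security":
        findings.append("NSEndpointSecurityEarlyBoot set on a non-ES extension")
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "category": category,
        "early_boot": early_boot,
        "findings": findings,
    }


if __name__ == "__main__":
    print(review_extension(SAMPLE_INFO_PLIST, SAMPLE_ENTITLEMENTS))
```

On a real Mac the same inputs come from the extension bundle's Contents/Info.plist and from `codesign -d --entitlements - <bundle>`; the script deliberately works on embedded data so it can be run anywhere.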

[Image: IT admin enabling Mac system extensions]


How to Enable System Extensions on Mac

While System Extensions enhance the security and stability of macOS, specific applications may still rely on legacy Kernel Extensions (KEXTs). In such cases, you may encounter a notification prompting you to enable additional system extensions for the application to function correctly.

To allow system extensions on Mac devices, you’ll need to reboot into recovery mode and use the Startup Security Utility. Here’s a step-by-step guide:

  1. Click the Apple menu and choose “Shut Down” to initiate the shutdown process.
  2. Press and hold the power button on your Mac until you see the “Loading Startup Options” message.
  3. Select “Options,” then click “Continue.”
  4. Choose your startup disk, then click “Next.”
  5. Enter your administrator password and click “Continue.”
  6. Click “Utilities” in the menu bar and choose “Startup Security Utility.”
  7. Select your boot disk and click “Security Policy.”
  8. Select the button next to “Reduced Security.”
  9. Check the box next to “Allow user management of kernel extensions from identified developers.”
  10. Click “OK.”
  11. Click the user pop-up menu and choose your administrator account, then enter the password and click “OK.”
  12. Click the Apple menu and choose “Restart” to reboot your Mac.

Upon restarting, you may encounter a dialog box informing you that a System Extension was blocked. If so, click “Open Security Settings,” navigate to “System Settings > Privacy & Security,” scroll down to the “Security” section, and click “Allow” next to the message indicating that system software was blocked from loading.

Streamlining System Extension Management with Trio MDM

While manually enabling system extensions is a viable option, it can be a time-consuming and cumbersome process, especially when managing a fleet of macOS devices. This is where Trio MDM (Mobile Device Management) comes into play, offering a centralized and efficient solution for managing system extensions across your organization.

Trio MDM supports the ability to whitelist both Kernel Extensions and System Extensions, ensuring that approved applications can run seamlessly without compromising security. By specifying the Team Identifier, Bundle Identifier, or both within the MDM policy, you can preapprove the necessary extensions for your applications.

One of the key advantages of using Trio MDM is its ability to obtain an application’s Bundle Identifier automatically, eliminating the need for manual intervention. This streamlines the process of identifying and whitelisting the required extensions, saving valuable time and resources.

Furthermore, Trio MDM simplifies the activation of system extension settings by allowing you to send the “Restart” command to managed devices and set the “Rebuild Kernel Cache” option to “Yes” when sending the command. This ensures that the necessary system extensions are properly loaded and activated without requiring manual intervention on each individual device.
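The preapproval logic described in this section, as an added example that is not Trio's code and not the page's own: the policy below is modelled on the key names of Apple's SystemExtensions configuration profile payload (com.apple.system-extension-policy), which is how an MDM expresses Team Identifier and Bundle Identifier allow-lists. The key names are assumptions from Apple's documentation and the evaluation order is a simplified model; the team and bundle identifiers are constructed placeholders. `audit_inventory` runs the policy over a constructed list of installed extensions, the kind of preflight an admin does before pushing a new profile to a fleet.

```python
# Constructed policy modelled on Apple's SystemExtensions payload; key names are
# assumed from Apple's documentation, identifiers are made-up placeholders.
SAMPLE_POLICY = {
    "AllowUserOverrides": False,
    # Every extension from this team is preapproved.
    "AllowedTeamIdentifiers": ["TEAMVPN0001"],
    # Only the listed bundle identifiers from this team are preapproved.
    "AllowedSystemExtensions": {
        "TEAMEDR0002": ["com.example.edr.extension"],
    },
    # If present for a team, restricts which extension types that team may load.
    "AllowedSystemExtensionTypes": {
        "TEAMEDR0002": ["EndpointSecurityExtension"],
    },
}


def evaluate(policy, team_id, bundle_id, ext_type):
    """Return 'approved', 'prompt' or 'blocked' for one extension (simplified model)."""
    allowed_types = policy.get("AllowedSystemExtensionTypes", {}).get(team_id)
    if allowed_types is not None and ext_type not in allowed_types:
        return "blocked"
    if team_id in policy.get("AllowedTeamIdentifiers", []):
        return "approved"
    if bundle_id in policy.get("AllowedSystemExtensions", {}).get(team_id, []):
        return "approved"
    # Not preapproved: the user may approve it only if overrides are allowed.
    return "prompt" if policy.get("AllowUserOverrides", True) else "blocked"


# Constructed inventory, shaped like the fields of `systemextensionsctl list`.
SAMPLE_INVENTORY = [
    {"team": "TEAMVPN0001", "bundle": "com.example.vpn.tunnel", "type": "NetworkExtension"},
    {"team": "TEAMEDR0002", "bundle": "com.example.edr.extension", "type": "EndpointSecurityExtension"},
    {"team": "TEAMEDR0002", "bundle": "com.example.edr.netfilter", "type": "NetworkExtension"},
    {"team": "TEAMUNK0003", "bundle": "com.example.unknown.driver", "type": "DriverExtension"},
]


def audit_inventory(policy, inventory):
    """Map each installed extension's bundle identifier to its policy outcome."""
    return {
        item["bundle"]: evaluate(policy, item["team"], item["bundle"], item["type"])
        for item in inventory
    }


if __name__ == "__main__":
    for bundle, outcome in audit_inventory(SAMPLE_POLICY, SAMPLE_INVENTORY).items():
        print(f"{outcome:9} {bundle}")
```

Setting AllowUserOverrides to false is what turns an allow-list into an enforced one: anything not preapproved is blocked rather than surfaced to the user as a prompt, so the audit should be run before the profile ships to avoid silently breaking an extension a team already depends on.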

Experience the power of Trio MDM by requesting a free demo today. Our experts will guide you through implementing and optimizing our system extension management capabilities, tailored to your organization’s unique requirements.

Conclusion: The Future of macOS System Extensions

The introduction of macOS System Extensions marks a significant evolution in Apple’s approach to system-level software integration. By shifting from Kernel Extensions to System Extensions, Apple has effectively balanced the need for powerful, low-level system access with enhanced security and stability. This paradigm shift not only benefits end-users by creating a more robust operating system but also empowers developers to create innovative solutions without compromising system integrity.

As we’ve explored, the three primary categories of System Extensions—DriverKit, Network Extensions, and Endpoint Security Extensions—provide a comprehensive framework for extending macOS functionality. Each category serves a specific purpose, from hardware support to network customization and security monitoring, all while operating within the safer confines of user space.

While the transition to System Extensions may present some challenges, particularly for applications still reliant on legacy Kernel Extensions, the long-term benefits far outweigh the short-term inconveniences. The process of enabling System Extensions, though potentially complex for individual users, can be significantly streamlined using Mobile Device Management (MDM) solutions like Trio MDM.

As macOS continues to evolve, we can expect further refinements and expansions to the System Extensions framework. This ongoing development will likely give third-party developers even more powerful capabilities while maintaining Apple’s commitment to security and system stability.

For IT professionals and organizations managing macOS devices, staying informed about System Extensions and leveraging tools like Trio MDM will be crucial in navigating this new landscape. By embracing these changes and adapting management practices accordingly, businesses can make the most of macOS’s advanced features while maintaining a secure and efficient computing environment.
