Kernel Extension

Introduction to KEXTs for macOS

KEXTs (Kernel Extensions) are modules that integrate deeply into the macOS operating system to extend its functionality or support specific hardware and system requirements. They operate at the kernel level — the “nervous system” of the operating system — and therefore provide access to resources and functions that are not directly accessible in user space.

Why are KEXTs needed?

  • Support for non-native hardware such as specific graphics cards, network adapters, or external storage devices.
  • Implementation of file systems (e.g., NTFS, FUSE) that are not available by default in macOS.
  • Extension of network functionality, e.g., for VPN protocols or virtual network interfaces.
  • Integration of security solutions and checks at the kernel level.
  • Development of virtualization platforms and their interaction with the kernel.

Advantages of KEXTs:

  • Deep system access: They enable features that would otherwise not be possible without direct kernel access.
  • Hardware compatibility: Devices and features not natively supported by macOS can be fully integrated through KEXTs.
  • Flexible expandability: Developers can create custom solutions for specific requirements.

Configuration and Application of the Policy

General

The following configuration options are available in the policy:

[ ] Allow users without administrator privileges to approve kernel extensions in Security & Privacy settings
[ ] User can approve additional kernel extensions
[ ] Allow all kernel extensions signed with these team identifiers

All KEXTs signed with the same team identifier can be allowed as a whole. Alternatively, individual extensions can be allowed explicitly in the next section by team identifier and bundle ID.

Allowed Kernel Extensions

Team Identifier    Bundle ID
3T5GSNBU6W         com.github.osxfuse.filesystems.osxfuse


Reading Team Identifier and Bundle ID

The Team Identifier can be extracted from the downloaded macfuse-5.1.1.dmg using the following command:

codesign -d --verbose=2 macfuse-5.1.1.dmg 2>&1 | grep -i teamidentifier

Output:

TeamIdentifier=3T5GSNBU6W

The Bundle ID can be obtained from a manually installed KEXT (example: macFUSE) as follows:

kextstat | grep -i fuse

Output:

Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
  265    0 0                  0x1830     0x1830     io.macfuse.filesystems.macfuse.25 (5.1.1) 67A4F7E1-82FE-30A4-A3B3-B6E8722C287A <9 7 6 5 3>

Thus, io.macfuse.filesystems.macfuse.25 is our required Bundle ID.
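
The two lookups above can be combined into rows for the Allowed Kernel Extensions list, which makes it easier to allow individual bundle IDs rather than a whole team identifier. The following shell functions are an added example, not part of the product or its documentation: the function names are hypothetical, the 10-character format check is an assumption based on the value shown above, and the sample input is copied from the outputs above.

```shell
#!/bin/sh
# Added example: build "TeamID<TAB>BundleID" rows from the two command outputs.
# On a Mac, pass live output instead of the samples:
#   allowlist_rows "$(codesign -d --verbose=2 macfuse-5.1.1.dmg 2>&1)" "$(kextstat 2>&1)" fuse

# Read codesign output on stdin and print the team identifier.
# Fails when the field is missing, "not set" (ad hoc or unsigned) or malformed.
team_id_from_codesign() {
    tid=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    case "$tid" in
        ""|"not set") echo "no team identifier in signature" >&2; return 1 ;;
    esac
    # Assumption: 10 characters, A-Z and 0-9, as in the value shown above.
    if printf '%s\n' "$tid" | grep -Eq '^[A-Z0-9]{10}$'; then
        printf '%s\n' "$tid"
    else
        echo "unexpected team identifier: $tid" >&2; return 1
    fi
}

# Read kextstat output on stdin and print the bundle IDs (6th column) of
# loaded KEXTs matching the pattern in $1. Header and status lines
# ("Executing: ...") are skipped because they do not start with an index number.
bundle_ids_from_kextstat() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 6 && tolower($6) ~ tolower(pat) { print $6 }
    ' | sort -u
}

# $1 = codesign output, $2 = kextstat output, $3 = name pattern
allowlist_rows() {
    team=$(printf '%s\n' "$1" | team_id_from_codesign) || return 1
    ids=$(printf '%s\n' "$2" | bundle_ids_from_kextstat "$3")
    [ -n "$ids" ] || { echo "no loaded KEXT matches '$3'" >&2; return 1; }
    printf '%s\n' "$ids" | while read -r id; do
        printf '%s\t%s\n' "$team" "$id"
    done
}

# Sample input, copied from the outputs shown above.
SAMPLE_CODESIGN='TeamIdentifier=3T5GSNBU6W'
SAMPLE_KEXTSTAT='Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
  265    0 0                  0x1830     0x1830     io.macfuse.filesystems.macfuse.25 (5.1.1) 67A4F7E1-82FE-30A4-A3B3-B6E8722C287A <9 7 6 5 3>'

allowlist_rows "$SAMPLE_CODESIGN" "$SAMPLE_KEXTSTAT" fuse
```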


Note

Under Allowed Kernel Extensions, multiple Bundle IDs can be added for one team identifier — either when adding a new entry or when editing an existing one via the three-dot menu.
