Use a Kernel Extension Policy profile to explicitly allow applications and installers that use kernel extensions to load on your end users' devices.

This profile controls restrictions and settings for User Approved Kernel Extension Loading on macOS v10.13.2 and later.


  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile.
    This profile is not enabled for the User level.
  2. Configure the profile General settings.
  3. Select the Kernel Extension Policy payload.
  4. Select the Allow User Overrides check box to approve additional kernel extensions not explicitly allowed by configuration profiles.
    This option allows any application to install on the end users' devices without approval for a kernel extension. If you select this option, the extension policy settings below provide no additional functionality.
  5. If you choose not to allow users to override kernel extensions, configure the extension policy settings.
    Setting Description
    Whitelist Team Identifiers

    Team identifiers for which all validly signed kernel extensions will be allowed to load.

    Use the Add button to add additional identifiers.

    Whitelist Kernel Extentions

    Signed kernel extensions that will always be allowed to load on the machine. Enter a Team Identifier and a Bundle ID for each app. For unsigned legacy kernel extensions, use an empty key for the team identifier.

    Use the Add button to add additional extensions.