Use a System Extensions profile to explicitly allow applications and installers that use system extensions to load on your end users' devices. The profile controls restrictions and settings for loading System Extensions on a User Approved MDM enrolled device running macOS v10.15 and later.

Prerequisites

The System Extensions framework allows an application to provide any of the following capabilities:
  • Network extensions (supported network extension apps such as content filters, DNS proxies, and VPN clients can be distributed as system extensions).
  • Endpoint security extensions (supported endpoint security clients such as Endpoint Detection and Response software and antivirus software).
  • Device driver extensions (supported drivers are those drivers that are developed using the DriverKit framework for USB, Serial, NIC, and HID devices).

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile or Device Profile to apply the profile only to the device's enrollment user or to the entire device.
  2. Configure the profile's General settings.
  3. Select the System Extensions payload.
  4. If you want the users to approve additional extensions that are not specified in the profile, enable Allow User Overrides.
  5. Configure Allowed System Extension Types settings. Provide the Team Identifier of the application extension and allow all or any of the supported system extension types to load on the device. You can configure multiple System Extension types in the same way. The default top row with the Team Identifier '*' represents global settings. Settings for specific Team Identifiers take precedence over any settings applied to this row.
  6. Configure Allowed System Extensions by providing the Team Idenfier or Bundle Identifier of the application extension. You can also configure multiple System Extensions.
  7. Select Save and Publish.