Microsoft Intune Feedback

Suggestion box powered by UserVoice
Implement MDM-approved kernel extension loading for macOS

Please implement kernel extension whitelisting for macOS. A change in macOS High Sierra has made it so that kernel extensions have to be user-approved or whitelisted by profiles deployed by MDM. Kernel extensions include critical applications like hardware drivers and anti-virus utilities.

More information in the links below:

https://support.apple.com/en-us/HT208019
https://developer.apple.com/library/content/technotes/tn2459/_index.html
http://www.richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/

39 votes

Nathan Perkins shared this idea

Admin response:
I’ll change the status back to “needs more info” and talk to the PM who owns this feature

previously posted: As of the week of April 23, 2018, Intune supports User Approved MDM enrollment. Devices enrolled using the macOS Company Portal are considered “Not User Approved” unless the end user opens System Preferences and manually provides approval. To this end, the macOS Company Portal now directs users on macOS 10.13.2 and above to go and manually approve their enrollment at the end of the enrollment process. The Intune admin console will report on whether an enrolled device is user approved.
https://docs.microsoft.com/en-us/intune/whats-new
Thanks for your feedback! Please go vote on other things you’d like to see.

2 comments

  • Nathan Perkins commented

    I might have misinterpreted. User approved MDM enrollment and kernel extension whitelisting are linked, but kernel extension whitelisting can also be done in conjunction with DEP, which doesn't require user intervention. I would like to be able to enroll systems using DEP and whitelist kernel extensions so that our users do not have to approve.

    I'm also hoping that Intune will have a GUI to create the profiles needed for kernel extension whitelisting.

    More info here:
    https://simplemdm.com/2017/11/01/user-approved-mdm-enrollment/

  • Nathan Perkins commented

    Hi Kathy,

    I don't think that User Approved MDM enrollment has anything to do with MDM-approved kernel extension loading. With High Sierra, kernel extensions have to be approved by the user by default. With MDM added, the MDM can deploy a profile that whitelists trusted kernel extension developer IDs so that those kernel extensions will not require user approval.

    Could you review the materials I posted and reopen this suggestion if that feature is not
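The profile this comment describes is Apple's Kernel Extension Policy payload (`com.apple.syspolicy.kernel-extension-policy`), which an MDM delivers to list the Team IDs, or specific kext bundle IDs per Team ID, that may load without a user prompt. The following is an added example, not code from this thread, from Microsoft or from Apple: it builds such a profile with Python's standard `plistlib` and then audits one, flagging the two settings a defender usually wants to avoid (trusting an entire Team ID rather than named kexts, and leaving `AllowUserOverrides` on so users can still approve unlisted kexts). The Team ID `ABCDE12345` and the `com.example.*` bundle identifiers are constructed placeholders, and the profile only takes effect when installed by MDM on a user-approved or DEP-enrolled Mac, as the comment above notes.

```python
"""Build and audit a macOS Kernel Extension Policy configuration profile.

Added example, not code from the UserVoice thread, Microsoft or Apple.
Standard library only. The payload keys are those of Apple's
com.apple.syspolicy.kernel-extension-policy payload; the Team ID and
bundle IDs used below are constructed placeholders, not real vendors.
"""
import plistlib
import re
import uuid

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")  # Apple Team IDs are 10 alphanumerics


def build_kext_policy_profile(allowed_kexts, allow_user_overrides=False,
                              org="example.org"):
    """Return XML plist bytes of a profile with one kext-policy payload.

    allowed_kexts maps Team ID -> list of kext bundle identifiers. Listing
    bundle IDs per team (AllowedKernelExtensions) is narrower than trusting
    every kext a Team ID signs (AllowedTeamIdentifiers), so only the former
    is emitted here.
    """
    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadIdentifier": f"{org}.kextpolicy.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        # False: users cannot approve kexts that are not on the list.
        "AllowUserOverrides": bool(allow_user_overrides),
        "AllowedKernelExtensions": {t: sorted(b) for t, b in allowed_kexts.items()},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.kextpolicy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",  # kext policy is a device-level setting
        "PayloadDisplayName": "Approved kernel extensions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_kext_policy_profile(profile_bytes):
    """Parse a .mobileconfig and return a list of findings (empty = clean)."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not payloads:
        return ["no kernel-extension-policy payload present"]
    for p in payloads:
        if p.get("AllowUserOverrides", False):
            findings.append("AllowUserOverrides is true: users can approve unlisted kexts")
        for team in p.get("AllowedTeamIdentifiers", []):
            if not TEAM_ID_RE.match(team):
                findings.append(f"malformed Team ID in AllowedTeamIdentifiers: {team!r}")
            else:
                findings.append(f"whole Team ID trusted (any kext it signs): {team}")
        for team, bundles in p.get("AllowedKernelExtensions", {}).items():
            if not TEAM_ID_RE.match(team):
                findings.append(f"malformed Team ID in AllowedKernelExtensions: {team!r}")
            if not bundles:
                findings.append(f"empty bundle list for Team ID {team}")
    return findings


# Constructed sample: one placeholder Team ID with two placeholder kext bundle IDs.
SAMPLE_ALLOWED = {"ABCDE12345": ["com.example.driver.kext", "com.example.av.kext"]}

if __name__ == "__main__":
    data = build_kext_policy_profile(SAMPLE_ALLOWED)
    print(data.decode())
    print("findings:", audit_kext_policy_profile(data))
```

Run it to print the generated `.mobileconfig` and an empty findings list; feed `audit_kext_policy_profile` a profile exported from an MDM to check it before deployment. On the Mac itself, the effect of a correctly delivered profile is that the listed kexts load without the System Preferences approval prompt, while unlisted ones still require the DEP or user-approved enrollment path described in this thread.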
