Apple made changes for macOS 10.13 High Sierra and macOS 10.14 Mojave affecting the ability to deploy software using kernel extensions in the enterprise. Endpoint Protection and Endpoint Detection and Response for Mac use a kernel extension to deploy endpoints to Apple computers running macOS 10.13 and 10.14.
When a kernel extension is installed, the user sees a System Extension Blocked alert.
Third-party kernel extensions can only be installed with the user's explicit consent. The user must click on a button in System Preferences. Apple blocks this button from being clicked remotely via screen sharing or scripted actions. Normally, you must manually allow the kernel extension on the computer. For more details, refer to Apple's Technical Note TN2459, User-Approved Kernel Extension Loading.
To bypass the System Extension Blocked message on your Mac endpoints, deploy a kernel extension (kext) allow-listing policy using a User Approved Mobile Device Management (UAMDM) before you deploy the Endpoint Agent.
Deploy kext allow-listing policy using UAMDM
- Download the attached file for macOS 10.13 or macOS 10.14.
- Upload the file to your UAMDM.
- Save and deploy your kext allow-listing policy by UAMDM.
Note: If you've already deployed a kext allow-listing policy for other applications, you can instead add the following identifiers to your UAMDM:
- Team identifier: GVZRY6KDKR
- Bundle identifier: com.malwarebytes.ncep.rtprotection.daemon