By Anya Novicheva | Program Manager, Microsoft Endpoint Manager
With the release of macOS Catalina 10.15, Apple has introduced system extensions that are currently working alongside kernel extensions on the device. Apple also announced that with the release of 10.15.4, system extensions will replace kernel extensions entirely. Kernel extensions will not be supported on macOS devices running 10.15.4 and later.
Apple’s goal is to “modernize the platform, improve security and reliability, and enable more user-friendly distribution methods.” System extensions run in user space rather than at the kernel level. Thus, the capabilities of the operating system can be extended and the extensions don’t jeopardize the security of the operating system. Apple documentation about system extensions is available here - https://developer.apple.com/documentation/systemextensions
In macOS 10.15.4, the use of deprecated kernel programming interfaces (KPIs) triggers a notification to the user that the software includes a deprecated API and asks the user to contact the developer for alternatives. To transition any apps you have that rely on kernel extensions, Apple’s documentation points here - https://developer.apple.com/support/kernel-extensions/
Currently you can configure the kernel extensions payload in the Device configuration profiles blade for macOS under Profile type “Extensions”. These settings will continue to stay in the admin console. We’ve now delivered a native experience for the system extensions payload. You can find documentation here:
Please note that system extensions require macOS devices running 10.15 and later, with user approved device enrollment. When multiple system extensions profiles are installed, the keys are combined as follows:
AllowUserOverrides is false if any profile sets it to false.
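The merge rule above can be checked before deployment. The following is an added example, not code from Microsoft or Apple: it reads several unsigned .mobileconfig files, finds their system extension policy payloads (payload type `com.apple.system-extension-policy`), and reports the effective AllowUserOverrides value along with the profiles that force it to false. The profile names, payload identifiers and team identifiers are constructed, and the helper function names are hypothetical.

```python
import plistlib

POLICY_TYPE = "com.apple.system-extension-policy"

def make_profile(name, allow_overrides=None, team_ids=()):
    """Build a constructed, unsigned .mobileconfig (sample input only)."""
    payload = {"PayloadType": POLICY_TYPE,
               "PayloadIdentifier": "example." + name.lower().replace(" ", "-"),
               "AllowedTeamIdentifiers": list(team_ids)}
    if allow_overrides is not None:
        payload["AllowUserOverrides"] = allow_overrides
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": name,
                           "PayloadContent": [payload]})

def policy_payloads(raw):
    """Yield (profile name, payload) for each system extension policy payload."""
    profile = plistlib.loads(raw)
    name = profile.get("PayloadDisplayName", "<unnamed>")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == POLICY_TYPE:
            yield name, payload

def effective_allow_user_overrides(profiles):
    """Apply the rule: false if any profile sets AllowUserOverrides to false.

    Returns (effective, blockers). effective is None when no profile sets
    the key at all, so the OS default applies (not modelled here).
    """
    set_anywhere = False
    blockers = []
    for raw in profiles:
        for name, payload in policy_payloads(raw):
            if "AllowUserOverrides" in payload:
                set_anywhere = True
                if payload["AllowUserOverrides"] is False:
                    blockers.append(name)
    if blockers:
        return False, blockers
    return (True if set_anywhere else None), blockers

# Constructed sample: three profiles assigned to the same device.
SAMPLE_PROFILES = [
    make_profile("Baseline", True, ["EXAMPLE001"]),
    make_profile("EDR lockdown", False, ["EXAMPLE002"]),
    make_profile("VPN client", None, ["EXAMPLE003"]),
]

if __name__ == "__main__":
    print(effective_allow_user_overrides(SAMPLE_PROFILES))
```

Signed profiles are wrapped in a CMS envelope and must be unwrapped before `plistlib` can parse them.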
5/18/2020 - Removed the "we are working on a native experience for the system extensions payload as well. In the meantime, to configure the system extensions payload you can use custom configuration to send the profile (.mobileconfig file) down to your devices." Added in a link to the native experience for system extensions payload docs URL.