Create a Mac System Extension Policy

The macOS System Extension policy lets you pre-approve specific System Extensions before they are installed. System Extensions run in user space, rather than in kernel space as Kernel Extensions do. Pre-approving System Extensions is an important part of supporting Mobile Device Management (MDM) because it allows the extensions to load without user interaction.

Note:

macOS 15 Sequoia will disable the option for end users to toggle system extensions under System Settings > General > Login Items & Extensions > Endpoint Security Extensions.

To create a macOS System Extension policy: 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. In the All tab, click (+).
  4. On the New Policy panel, select the Mac tab.
  5. Select System Extension Policy from the list, then click configure.
  6. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  7. (Optional) In the Policy Notes field, enter details like when you created the policy, where you tested it, and where you deployed it.
  8. Enter your application’s Apple Team ID for the System Extension you want to preapprove. For instructions on locating your Team ID and Bundle ID, see Create a Mac Application Privacy Preferences Policy.
  9. Click Add Bundle ID and enter the unique identifier for the System Extension you want to preapprove. For example, com.webfilter_cloud.se-agent.extension.
  10. Select Security Extension to preapprove Endpoint Security Framework as the extension type for this app. For example, an antivirus software app can monitor system events to improve security.
  11. Select Driver Extension to preapprove Hardware Driver Framework as the extension type for this app. For example, a driver for USB or Serial devices can perform installations.
  12. Select Network Extension to preapprove Network Extension Framework as the extension type for this app. Examples include a content filter, DNS proxy, or VPN client. This extension type requires the following fields:
    • Filter Data Provider Bundle ID – Enter the unique identifier for the Data Provider included in your System Extension. Locate this identifier by consulting the documentation for your System Extension. For example, com.webfilter_cloud.se-agent.extension.
    • Filter Data Provider Designated Requirement – Paste the code block for the Data Provider included in your System Extension. To locate the code block, see Create a Mac Application Privacy Preferences Policy.
    • Filter Grade – Click this field and choose the priority of your filter. Firewall grade traffic is reviewed before Inspector grade traffic.
  13. Select Filter Packets to let the System Extension monitor inbound and outbound packet traffic.
  14. Select Filter Sockets to allow the System Extension to monitor inbound and outbound socket traffic.
  15. Click Filter Type and choose the type of filter you’ll use. Plugin is the most common filter type.
  16. For Organization, enter your Organization name if your app requires it.
  17. For Plugin Bundle ID, enter the unique identifier for the app included in your System Extension. Locate this identifier by consulting the documentation for your System Extension. For example, com.webfilter_cloud.se-agent.extension.
  18. (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  19. (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
  20. Click Save. If prompted, click Save again.
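
To confirm that a saved policy approves only what you intended, the added example below (not JumpCloud code) audits an exported configuration profile against the Team ID and Bundle IDs entered in steps 8 and 9. It assumes the policy reaches the device as Apple's standard `com.apple.system-extension-policy` and `com.apple.webcontent-filter` payloads; the Team ID `ABCDE12345`, the sample profile, and the function name `audit_profile` are constructed for illustration.

```python
import plistlib

# Constructed sample profile; Team ID ABCDE12345 is a placeholder, not a real vendor.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.system-extension-policy</string>
  <key>AllowedSystemExtensions</key><dict>
   <key>ABCDE12345</key><array><string>com.webfilter_cloud.se-agent.extension</string></array>
  </dict>
  <key>AllowedSystemExtensionTypes</key><dict>
   <key>ABCDE12345</key><array><string>NetworkExtension</string></array>
  </dict>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.webcontent-filter</string>
  <key>FilterType</key><string>Plugin</string>
  <key>PluginBundleID</key><string>com.webfilter_cloud.se-agent.extension</string>
  <key>FilterDataProviderBundleIdentifier</key><string>com.webfilter_cloud.se-agent.extension</string>
  <key>FilterGrade</key><string>firewall</string>
 </dict>
</array></dict></plist>"""

def audit_profile(data, team_id, bundle_ids):
    """Return findings where the profile approves more, or less, than intended."""
    findings, provider = [], None
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.system-extension-policy":
            # A team-wide entry approves every extension that team signs.
            for team in p.get("AllowedTeamIdentifiers", []):
                findings.append(f"every extension from team {team} is approved")
            allowed = p.get("AllowedSystemExtensions", {})
            for team, ids in allowed.items():
                for bid in ids:
                    if team != team_id or bid not in bundle_ids:
                        findings.append(f"unexpected approval: {team} {bid}")
            approved = allowed.get(team_id, [])
            findings += [f"not approved: {b}" for b in bundle_ids if b not in approved]
        elif p.get("PayloadType") == "com.apple.webcontent-filter":
            provider = p.get("FilterDataProviderBundleIdentifier")
            if p.get("FilterGrade") not in (None, "firewall", "inspector"):
                findings.append(f"unknown filter grade: {p['FilterGrade']}")
    # The filter's data provider should itself be a pre-approved extension.
    if provider and provider not in bundle_ids:
        findings.append(f"filter data provider {provider} is not a pre-approved extension")
    return findings
```

An empty list means the profile matches the intended approvals; each finding names the Team ID or Bundle ID to review in the policy.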