macOS Extensions

Apple announced the deprecation of kernel extensions and replaced them with system extensions, which were introduced with Catalina and fully implemented with Big Sur. The macOS agent implements a system extension, which is the core of policy enforcement.

You can read more about system extensions on Apple’s website.

Legacy Kernel Extensions (KEXT)

The legacy and now deprecated flavor of the macOS agent is composed of several components. At its core are the KEXT and the ThycoticACSvc daemon, which work together to enforce policy.

Effect on Privilege Manager Customers by Apple Deprecating Kernel Extensions in macOS

In 2019, Apple announced that kernel extensions (KEXTs) would be deprecated in a future OS upgrade and that System Extensions should be used instead. Beginning in macOS 10.15.4, the use of kernel extensions will trigger a notification that software using this type of extension includes a deprecated API and an alternative should be provided by the vendor.

How Does This Affect Privilege Manager?

All new macOS agent functionality is implemented with a system extension for policy enforcement. The KEXT-based macOS agent will continue to function on supported versions of macOS up to and including Catalina. However, no new feature functionality will be made available. To take advantage of new features, you should upgrade to the latest version of Privilege Manager that supports your endpoints.

Using a Privacy Preference Policy Control Configuration Profile Payload

A Privacy Preference Policy Control (PPPC) configuration profile payload allows enterprises to manage and ease, through Mobile Device Management (MDM), the installation process of products that leverage KEXTs and SYSEXs for their end-users. When properly configured, this eliminates the need for the user to deal with all of the dialogs below.

Delinea can provide the necessary configuration payloads that can be loaded into or leveraged with your MDM solution.
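
The following is an added example, not Delinea's payload and not part of the original page: a Python script that builds a configuration profile mapping the four prompts in this section to Apple's system extension policy and PPPC payload keys, plus a check that reports which prompts a given profile pre-approves. The team ID, bundle identifiers and code requirement are placeholders, and targeting every grant at a single agent identifier is an assumption; take the real values from the vendor-supplied payloads.

```python
import plistlib
import uuid

# Placeholder identifiers (assumptions), not the vendor's real values.
TEAM_ID = "TEAMID0000"
AGENT_ID = "com.example.agent"
SYSEX_ID = "com.example.agent.sysex"
AGENT_REQ = f'identifier "{AGENT_ID}" and anchor apple generic'  # simplified
EVENTS_ID = "com.apple.systemevents"  # System Events, receiver of the AppleEvents


def payload(ptype, suffix, **body):
    """Add the bookkeeping keys every payload dictionary carries."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.profile.{suffix}",
            "PayloadUUID": str(uuid.uuid4()).upper(), **body}


def grant(**extra):
    """One TCC rule allowing the agent a privacy service."""
    return [{"Identifier": AGENT_ID, "IdentifierType": "bundleID",
             "CodeRequirement": AGENT_REQ, "Allowed": True, **extra}]


def build_profile():
    """Return .mobileconfig bytes covering the four prompts on this page."""
    sysex = payload("com.apple.system-extension-policy", "sysex",
                    AllowedSystemExtensions={TEAM_ID: [SYSEX_ID]})
    pppc = payload("com.apple.TCC.configuration-profile-policy", "pppc", Services={
        "SystemPolicyAllFiles": grant(),  # Full Disk Access
        "Accessibility": grant(),         # Accessibility
        "AppleEvents": grant(             # Automation: agent -> System Events
            AEReceiverIdentifier=EVENTS_ID, AEReceiverIdentifierType="bundleID",
            AEReceiverCodeRequirement=f'identifier "{EVENTS_ID}" and anchor apple'),
    })
    return plistlib.dumps(payload("Configuration", "root", PayloadScope="System",
                                  PayloadDisplayName="Agent approvals (example)",
                                  PayloadContent=[sysex, pppc]))


def preapproved(profile_bytes):
    """Report which prompts a profile pre-approves, e.g. before MDM upload."""
    found = set()
    for p in plistlib.loads(profile_bytes)["PayloadContent"]:
        if p["PayloadType"] == "com.apple.system-extension-policy":
            if any(p.get("AllowedSystemExtensions", {}).values()):
                found.add("SystemExtension")
        elif p["PayloadType"] == "com.apple.TCC.configuration-profile-policy":
            found |= {name for name, rules in p.get("Services", {}).items()
                      if any(r.get("Allowed") for r in rules)}
    return found
```

Running `preapproved()` over a profile before it is uploaded to the MDM shows whether any of the four approvals would still be left to the end user.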

Allow System Extension

If you’re not delivering a PPPC configuration profile via MDM to manage this, users will need to give Privilege Manager Security Full Disk Access.

Full Disk Access

Allow System Events

Clicking OK enables Privilege Manager to send AppleEvents to manage application windows. This setting can be found in System Preferences | Security & Privacy | Privacy | Automation.

Accessibility
