Apple has made changes in macOS High Sierra that affect the ability to deploy software using kernel extensions in the enterprise. Malwarebytes Endpoint Protection for Mac uses a kernel extension to deploy endpoints to Apple computers.
In High Sierra 10.13, third-party kernel extensions can only be installed with the user's explicit consent. The user must click on a button in System Preferences. Apple blocks this button from being clicked remotely via screen sharing or scripted actions, so the button must be manually clicked by someone at the computer.
When a kernel extension is installed, the user sees a System Extension Blocked alert.
After clicking the OK button, an Allow button appears in System Preferences > Security & Preferences for 30 minutes.
After 30 minutes, the button is removed. Until the user approves the third-party kernel extension, future load attempts will cause the approval to reappear but will not trigger another user alert.
For more details, refer to Apple's Technical Note TN2459, User-Approved Kernel Extension Loading.
You can manually run the installer on the Mac running High Sierra and manually click on the Allow button in System Preferences > Security & Preferences.
Remote Deployment for High Sierra 10.13.0 - 10.13.3
To remotely deploy Malwarebytes Endpoint Agent Installer on macOS High Sierra machines, the following is required:
- The endpoint must be enrolled in Apple's Device Enrollment Program (DEP).
- The endpoint must have a Mobile Device Management (MDM) that was deployed through DEP.
If the endpoint meets these requirements, the need for user approval of the third-party kernel extension is removed. The kernel extension is accepted with no user prompt or actions.
For more information, refer to Apple's article Prepare for changes to kernel extensions in macOS High Sierra.
Remote Deployment for High Sierra 10.13.4
In High Sierra 10.13.4, Apple adds an additional requirement to the two requirements for High Sierra 10.13.0 - 10.13.3, listed above. For High Sierra 10.13.4, you must deploy the kernel extension policy, com.apple.syspolicy.kernel-extension-policy. For more information, refer to Apple's kernel extension policy.
Deploy the kernel extension policy
- Edit the kernel extension policy file com.apple.syspolicy.kernel-extension-policy.plist.
For instructions, refer to Apple's help document, Edit property lists.
- Compare the kernel extension policy file's contents to the XML syntax below.
- Add the keys from the syntax below to the kernel extension policy file.
- Deploy the kernel extension policy file to the endpoint via a user approved MDM server.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
If you need to deploy additional kernel extensions to the endpoint, you can add keys for other applications you need to install.
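The compare-and-add steps above, as an added example (not Malwarebytes' or Apple's code): it merges the identifier used in this page's spctl command into an existing policy plist without dropping other vendors' entries, then audits the result before deployment. It assumes the policy is a plist dictionary using Apple's AllowedTeamIdentifiers and AllowedKernelExtensions keys; ABCDE12345 is a constructed placeholder and the function names are hypothetical.

```python
import plistlib
import re

MALWAREBYTES_TEAM_ID = "GVZRY6KDKR"       # from the spctl command on this page
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")  # assumed format: 10 uppercase alphanumerics

# Constructed sample: an existing policy that already allows one other vendor.
SAMPLE_POLICY = plistlib.dumps({
    "AllowUserOverrides": True,
    "AllowedTeamIdentifiers": ["ABCDE12345"],  # placeholder, not a real vendor
})


def add_team_id(policy_bytes, team_id=MALWAREBYTES_TEAM_ID):
    """Return the policy plist (XML bytes) with team_id allowed, keeping other entries."""
    if not TEAM_ID_RE.fullmatch(team_id):
        raise ValueError(f"not a valid team identifier: {team_id!r}")
    policy = plistlib.loads(policy_bytes)
    if not isinstance(policy, dict):
        raise ValueError("policy plist root must be a dictionary")
    allowed = policy.setdefault("AllowedTeamIdentifiers", [])
    if not isinstance(allowed, list):
        raise ValueError("AllowedTeamIdentifiers must be an array")
    if team_id not in allowed:  # idempotent: never add a duplicate entry
        allowed.append(team_id)
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


def audit(policy_bytes, required=(MALWAREBYTES_TEAM_ID,)):
    """Return a list of findings; an empty list means nothing was flagged."""
    policy = plistlib.loads(policy_bytes)
    allowed = policy.get("AllowedTeamIdentifiers", [])
    per_kext = policy.get("AllowedKernelExtensions", {})  # team ID -> bundle IDs
    findings = []
    for team_id in required:
        if team_id not in allowed and team_id not in per_kext:
            findings.append(f"missing team identifier {team_id}")
    for team_id in allowed:
        if not (isinstance(team_id, str) and TEAM_ID_RE.fullmatch(team_id)):
            findings.append(f"malformed team identifier {team_id!r}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))        # policy before the edit
    updated = add_team_id(SAMPLE_POLICY)
    print(audit(updated))              # policy after the edit
    print(updated.decode())
```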
Unable to enroll endpoint in DEP or MDM not deployed via DEP
If the above workarounds do not work for your deployment, because you were unable to enroll the endpoint in DEP or don't have an MDM deployed via DEP, there is another option. This workaround whitelists the Malwarebytes kernel extension on that machine and can be used with NetBoot, NetInstall and NetRestore images.
- Restart the endpoint in Recovery mode.
- On the endpoint, open the Terminal.
- In the Terminal, enter the command:
spctl kext-consent add GVZRY6KDKR