Apple has made changes starting with macOS High Sierra 10.13. These changes affect the ability to deploy software using kernel or security framework extensions in the enterprise. Malwarebytes Endpoint Protection and Endpoint Detection and Response for Mac uses a kernel extension for macOS 10.13, 10.14 and a security framework extension for macOS 10.15 to deploy endpoints to Apple computers.
When a kernel extension is installed, the user sees a System Extension Blocked alert.
Third-party kernel extensions can only be installed with the user's explicit consent. The user must click on a button in System Preferences. Apple blocks this button from being clicked remotely via screen sharing or scripted actions. Normally, you must manually allow the kernel extension at the computer. For more details, refer to Apple's Technical Note TN2459, User-Approved Kernel Extension Loading.
To bypass the System Extension Blocked message on your Mac endpoints, deploy a kernel extension (kext) or security framework extension whitelisting policy using a User Approved Mobile Device Management (UAMDM) before you deploy the Malwarebytes Endpoint Agent.
Deploy kext or security framework whitelisting policy using UAMDM
- Download the attached file.
- For macOS 10.13 or macOS 10.14, download Malwarebyets_Protection_profile.mobileconfig
- For macOS 10.15 or macOS 11.x, download Malwarebytes_Protection_profile_10_15.mobileconfig
- Upload the file to your UAMDM.
- Save and deploy your kext whitelisting policy by UAMDM.
Note: If you've already deployed a kext whitelisting policy for other applications, you can instead add the following identifiers to your UAMDM:
- Team identifier: GVZRY6KDKR
- Bundle identifier: com.malwarebytes.ncep.rtprotection.daemon