Apple has made changes starting with macOS High Sierra 10.13. These changes affect the ability to deploy software using kernel extensions in the enterprise. Malwarebytes Endpoint Protection for Mac uses a kernel extension to deploy endpoints to Apple computers.
In macOS High Sierra and later, third-party kernel extensions can only be installed with the user's explicit consent. The user must click a button in System Preferences. Apple blocks this button from being clicked remotely via screen sharing or scripted actions, so it must be clicked manually by someone at the computer.
When a kernel extension is installed, the user sees a System Extension Blocked alert.
After clicking the OK button, an Allow button appears in System Preferences > Security & Preferences for 30 minutes.
After 30 minutes, the button is removed. Until the user approves the third-party kernel extension, future load attempts will cause the approval button to reappear but will not trigger another user alert.
For more details, refer to Apple's Technical Note TN2459, User-Approved Kernel Extension Loading.
You can manually run the installer on the Mac and manually click on the Allow button in System Preferences > Security & Preferences.
Remote Deployment for High Sierra 10.13.0 – 10.13.3
To remotely deploy Malwarebytes Endpoint Agent Installer on Macs running macOS High Sierra 10.13.0 – 10.13.3, the following is required:
- The endpoint must be enrolled in Apple's Device Enrollment Program (DEP).
- The endpoint must be managed by a Mobile Device Management (MDM) solution that was deployed through DEP.
If the endpoint meets these requirements, the need for user approval of the third-party kernel extension is removed. The kernel extension is accepted with no user prompt or actions.
For more information, refer to Apple's article Prepare for changes to kernel extensions in macOS High Sierra.
Remote Deployment for High Sierra 10.13.4 and later
In High Sierra 10.13.4, Apple added a requirement on top of the two listed above. In macOS 10.13.4 and later, you must also deploy the kernel extension policy com.apple.syspolicy.kernel-extension-policy.
For more information, refer to Apple's kernel extension policy.
Deploy the kernel extension policy
- Edit the kernel extension policy file com.apple.syspolicy.kernel-extension-policy.plist.
For instructions, refer to Apple's help document, Edit property lists.
- Compare the kernel extension policy file's contents to the XML syntax below.
- Add the keys from the syntax below to the kernel extension policy file.
- Deploy the kernel extension policy file to the endpoint via a user-approved MDM server.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
If you need to deploy additional kernel extensions to the endpoint, you can add keys for other applications you need to install.
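The following is an added example, not Malwarebytes' or Apple's own file: a Python sketch that writes the policy keys as an XML property list and audits an existing policy file for team identifiers you did not intend to pre-approve. It assumes Apple's payload keys AllowUserOverrides and AllowedTeamIdentifiers and uses the team ID from the spctl command on this page; the function names and the second vendor ID are hypothetical.

```python
import plistlib
import re

# Team ID taken from the page's spctl command; key names are Apple's payload
# keys for com.apple.syspolicy.kernel-extension-policy (assumed here).
MALWAREBYTES_TEAM_ID = "GVZRY6KDKR"
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")


def build_policy(team_ids, allow_user_overrides=True):
    """Serialize the policy keys as an XML property list (bytes)."""
    bad = [t for t in team_ids if not TEAM_ID_RE.fullmatch(t)]
    if bad:
        raise ValueError(f"malformed team identifier(s): {bad}")
    return plistlib.dumps(
        {
            "AllowUserOverrides": allow_user_overrides,
            "AllowedTeamIdentifiers": sorted(set(team_ids)),
        },
        fmt=plistlib.FMT_XML,
    )


def audit_policy(plist_bytes, expected_team_ids):
    """Return findings for a policy file; an empty list means it matches."""
    policy = plistlib.loads(plist_bytes)
    allowed = policy.get("AllowedTeamIdentifiers", [])
    findings = []
    for team_id in allowed:
        if not TEAM_ID_RE.fullmatch(team_id):
            findings.append(f"malformed team identifier: {team_id!r}")
        elif team_id not in expected_team_ids:
            # Each listed team ID pre-approves every kext signed by that developer.
            findings.append(f"unexpected team identifier: {team_id}")
    for team_id in sorted(set(expected_team_ids) - set(allowed)):
        findings.append(f"missing team identifier: {team_id}")
    return findings


if __name__ == "__main__":
    print(build_policy([MALWAREBYTES_TEAM_ID]).decode())
    # Constructed sample: a policy that also trusts a made-up vendor ID.
    drifted = build_policy([MALWAREBYTES_TEAM_ID, "ABCDE12345"])
    print(audit_policy(drifted, {MALWAREBYTES_TEAM_ID}))
```

Run the audit against the file you are about to hand to the MDM server, since every entry in AllowedTeamIdentifiers removes the consent prompt for all kernel extensions from that developer.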
Unable to enroll endpoint in DEP or MDM not deployed via DEP
If the above workarounds do not work for your deployment, because you were unable to enroll the endpoint in DEP or don't have an MDM deployed via DEP, there is another option. This workaround whitelists the Malwarebytes kernel extension on that machine and can be used with NetBoot, NetInstall and NetRestore images.
- Restart the endpoint in Recovery mode.
- On the endpoint, open Terminal.
- In Terminal, enter the command:
spctl kext-consent add GVZRY6KDKR