Secure Kernel Extension loading is inadequate for Enterprise Distribution

Apple is changing how Kernel Extensions are loaded following installation, requiring action from users. The way in which an Enterprise is expected to handle this is to boot into Recovery and use the spctl command; see the bottom of the Apple Guide:


https://developer.apple.com/library/content/technotes/tn2459/_index.html#//apple_ref/doc/uid/DTS40017658


Some of our customers have in excess of 100,000 Macs. It is clearly not feasible for them to require their users to authorize extensions, especially when they don't have Admin accounts, and it is also not feasible for their IT department to physically take each Mac and boot into Recovery mode to make the change.


This is clearly a case of Security vs UX, but if there is no other way of Enterprises suppressing the message and allowing installation and execution of known kernel extensions then this is problematic.


What reasonable options are left to Enterprises with large Mac estates that wish to push out trusted applications that contain kernel extensions?
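The Recovery-mode procedure the question refers to is the `spctl kext-consent` whitelist from TN2459. The script below is an added example, not code from the thread or from Apple: it validates a list of Team IDs (the two IDs in it are constructed placeholders, not real vendors), emits the corresponding `spctl kext-consent add` commands, and runs them only when `spctl` is present, so the same script can be reviewed on any machine before being carried into Recovery.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple). Builds the
# `spctl kext-consent add <Team ID>` commands described in TN2459 for a
# list of Team IDs and runs them where spctl exists (macOS Recovery);
# elsewhere it only prints the commands that would run.

# Team IDs to trust. Constructed placeholders; replace with your vendors' IDs.
TEAM_IDS="ABCDE12345 Z9Y8X7W6V5"

# An Apple Team ID is exactly 10 characters from [A-Z0-9]. Returns 0 if valid.
valid_team_id() {
    case "$1" in
        *[!A-Z0-9]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 10 ]
}

# Emit one spctl invocation per Team ID. Refuses the whole batch if any ID
# is malformed, so a typo cannot leave part of the estate un-whitelisted.
build_commands() {
    for id in $1; do
        valid_team_id "$id" || { echo "invalid Team ID: $id" >&2; return 1; }
    done
    for id in $1; do
        echo "spctl kext-consent add $id"
    done
}

# Apply the whitelist when spctl is available, otherwise show what would run.
apply_whitelist() {
    cmds=$(build_commands "$1") || return 1
    if command -v spctl >/dev/null 2>&1; then
        echo "$cmds" | while read -r cmd; do $cmd; done
        spctl kext-consent list
    else
        echo "spctl not available here; commands to run in Recovery:"
        echo "$cmds"
    fi
}

apply_whitelist "$TEAM_IDS"
```

`spctl kext-consent` is only accepted from the Recovery environment; on a normally booted system with SIP enabled it is refused, which is exactly the physical-access cost the question describes. `spctl kext-consent status` and `spctl kext-consent list` show whether the consent mechanism is enabled and which Team IDs are currently trusted.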

Another Enterprise vendor here with the very same problem.

I'd guess that if a KEXT is signed, installed from a signed package and loaded by a signed process with root privilege, and all signatures are for the same Apple-approved Team ID, this should be allowed without extra effort by end users.

The whole concept of asking end users to take a KEXT security-related action when 99.99% of those users are not qualified to make this kind of decision is surprising.

The current approach for Enterprises is to boot each machine into Recovery mode and run some terminal commands.


The current approach for users is to pop a quick dialog about "KEXTs" and have them make a decision. If they cancel out, that KEXT disappears from the Preference panel notification in 30 min. My mother-in-law, aged 84, will really know how to deal with this!


It will make systems safer by making them useless. And IT or application developers will get the blame.


This has not been thought through.


Since Apple (or the IT Department) controls the Developer certificate signing these things, I am not sure how much extra safety there is in having non-technical people make decisions on something they cannot understand. It defies real logic and smacks of something a liability lawyer might dream up.


There must be better ways to address this.
