Deprecated Kernel Extensions and System Extension Alternatives

System extensions on macOS Catalina (10.15) allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. At WWDC19, we announced the deprecation of kernel extensions as part of our ongoing effort to modernize the platform, improve security and reliability, and enable more user-friendly distribution methods. Kernel programming interfaces (KPIs) will be deprecated as alternatives become available, and future OS releases will no longer load kernel extensions that use deprecated KPIs by default.

Transitioning Your Kernel Extensions

If your software uses deprecated and supported KPIs, you’ll need to factor out deprecated components into a stand-alone system extension. If your software uses new system extensions and legacy kernel extensions, you can distribute to supported operating systems. Software that supports a broad range of macOS versions should continue to use kernel extensions for older versions and run system extensions where supported.

Below is a list of deprecated KPIs as of macOS 10.15. In macOS 10.15.4, use of deprecated KPIs triggers a notification to the user that the software includes a deprecated API and asks the user to contact the developer for alternatives.

KAUTH

Please use EndpointSecurity instead of the following deprecated KPIs:

  • kauth_listen_scope
  • kauth_unlisten_scope

Network Filter

Clients should use NetworkExtension instead of the following deprecated KPIs:

  • ipf_addv4
  • ipf_addv6
  • ipf_inject_input
  • ipf_inject_output
  • ipf_remove
  • sflt_attach
  • sflt_detach
  • sflt_register
  • sflt_unregister
  • sock_accept
  • sock_bind
  • sock_close
  • sock_connect
  • sock_getpeername
  • sock_getsockname
  • sock_getsockopt
  • sock_gettype
  • sock_inject_data_in
  • sock_inject_data_out
  • sock_ioctl
  • sock_isconnected
  • sock_isnonblocking
  • sock_listen
  • sock_receive
  • sock_receivembuf
  • sock_send
  • sock_sendmbuf
  • sock_setpriv
  • sock_setsockopt
  • sock_shutdown
  • sock_socket
  • sockopt_copyin
  • sockopt_copyout
  • sockopt_direction
  • sockopt_level
  • sockopt_name
  • sockopt_valsize

IOHIDFamily

All KPIs in IOHIDFamily are deprecated. Clients should use HIDDriverKit instead.

IOUSBFamily

IOUSBFamily has been deprecated and headers removed from SDK since macOS El Capitan (10.11). All clients should move to IOUSBHostFamily or USBDriverKit, where appropriate and outlined below.

USB Networking

The combination of using IONetworkingFamily KPIs as well as any USB KPI (IOUSBHostFamily or IOUSBFamily) is deprecated. USB KPIs have alternatives in USBDriverKit . Clients of IONetworkingFamily KPIs should use NetworkingDriverKit instead.

USB Serial

The combination of using any IOSerialFamily KPI as well as any USB KPI (IOUSBHostFamily or IOUSBFamily) is deprecated. USB KPIs have alternatives in USBDriverKit. Clients of IOSerialFamily KPIs should use SerialDriverKit or USBSerialDriverKit instead.

USB Vendor Specific IPC

Any kernel extension using USB KPI (IOUSBHostFamily or IOUSBFamily) that does not tie into the IO Family subsystem and uses IOUserClient, or subclasses, for IPC is deprecated. USB KPIs have alternatives in USBDriverKit or consider IOUSBHost. DriverKit also has mechanisms for communication channels.

Contacting Us

Entitlements

To deploy drivers built with DriverKit, allow other developers to use your system extensions, or use the EndpointSecurity API, you’ll need an entitlement from Apple.

Request an entitlement

Feedback

Your feedback is valuable and helps inform the direction of our system extension development. Send us your API enhancement requests or bug reports.

Provide feedback