Allow System Extensions on macOS using *.mobileconfig

We have a package to distribute from our MDM, and during installation the users have to click Allow for its System Extension. So how do we allow System Extensions on macOS using MDM and a mobileconfig file?

Tools used

  • iMazing Profile Editor (available for download in the macOS App Store)
  • Terminal command: systemextensionsctl

First, we need to find out the Apple Team ID and Bundle ID.

In the example below, we use an imaginary Team ID and imaginary Bundle IDs:

  • Team ID: Y45J12K123
  • Bundle ID: com.blabla.tset & com.blabla.tset.systset

Open the terminal and type: systemextensionsctl list

As we see in the picture, there is only 1 extension installed on the computer right now. 

You can also check under /Library/SystemExtensions, where there should only be a folder whose name is a long string of letters and numbers.

Install the application

Start the installation of the application. During installation, this box will appear:

Open System Settings / Privacy & Security and scroll down a bit and you will see this image:

Click Allow.
Image: Allow in system Settings.png

You may also see this image; click Details and approve the program you are installing.

After the installation of the application is complete, we check again with the command “systemextensionsctl list” in Terminal. Now on this computer we have (may vary depending on your application) two new system extensions installed.

Create *.plist file

Next we create a plist file that will be imported later in the “iMazing Profile Editor”.
Below I have created a plist file that we can use. Just make sure to change the Team ID and Bundle ID to those of the system extension that was installed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

Save the plist file, for example with the filename: Allowed System Extensions.plist

Create *.mobileconfig file

Download “iMazing Profile Editor” and start the program.

Fill in the “General” information first.

Look in the corner for “system extension policy” and click + Add Configuration Payload.

Click Choose on Allowed System Extensions.

Select your created “Allowed System Extensions.plist” and click Open

Your plist is now added

Save your mobileconfig profile.

Upload the mobileconfig file to your MDM and test it.
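
The Team ID to Bundle ID mapping and the profile wrapped around it can also be generated by script. This is an added example, not part of the original post and not iMazing's output: it assumes the com.apple.system-extension-policy payload with its AllowedSystemExtensions key, and the identifier prefix com.example.mdm, the display names and the output filename are placeholders.

```python
import plistlib
import re
import uuid

# Constructed sample values: the imaginary Team ID and Bundle IDs used on this page.
TEAM_ID = "Y45J12K123"
BUNDLE_IDS = ["com.blabla.tset", "com.blabla.tset.systset"]

TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def allowed_extensions(team_id, bundle_ids):
    """Return the AllowedSystemExtensions dictionary: Team ID -> list of Bundle IDs."""
    if not TEAM_ID_RE.fullmatch(team_id):
        raise ValueError(f"Team ID must be 10 uppercase letters/digits: {team_id!r}")
    bad = [b for b in bundle_ids if not BUNDLE_ID_RE.fullmatch(b)]
    if bad or not bundle_ids:
        raise ValueError(f"missing or malformed Bundle ID(s): {bad}")
    # Sorted and de-duplicated so the generated profile is stable between runs.
    return {team_id: sorted(set(bundle_ids))}


def build_profile(team_id, bundle_ids, org_prefix="com.example.mdm"):
    """Return the bytes of a .mobileconfig allowing only the listed extensions.

    org_prefix is a hypothetical reverse-DNS prefix; use your organisation's own.
    """
    payload = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.sysext.{team_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Allowed System Extensions",
        "AllowedSystemExtensions": allowed_extensions(team_id, bundle_ids),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org_prefix}.sysext-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Allow System Extensions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    with open("AllowSystemExtensions.mobileconfig", "wb") as fh:
        fh.write(build_profile(TEAM_ID, BUNDLE_IDS))
```

Listing the Bundle IDs under their Team ID approves only those extensions, not everything signed by that team.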

Hope it works! 🙂
