Add macOS system and kernel extensions in Intune

On macOS devices, you can add kernel extensions and system extensions. Both kinds of extension let users install app extensions that extend the native capabilities of the operating system, but they differ in where the code runs: kernel extensions execute their code inside the kernel, with full kernel privileges, while system extensions run in a tightly controlled user space.

Note

macOS kernel extensions are being replaced with system extensions. For more information, go to Support Tip: Using system extensions instead of kernel extensions for macOS Catalina 10.15 in Intune.

To add extensions that are always allowed to load on your devices, use Microsoft Intune. Intune uses configuration profiles to create and customize these settings for your organization's needs. After you add these features in a policy, you then push or deploy the policy to macOS devices in your organization.

This feature applies to:

  • macOS

This article describes system extensions and kernel extensions. It also shows you how to create a device configuration policy using kernel extensions in Intune.

System extensions

System extensions run in user space and don't execute code in the kernel; they reach kernel functionality only through Apple-provided frameworks (DriverKit, NetworkExtension, and EndpointSecurity). Their goal is to increase security, give end users more control, and limit the impact of a compromised or buggy extension on the kernel. These extensions can be:

  • Driver extensions, including drivers for USB devices, network interface cards (NIC), serial controllers, and human interface devices (HID)
  • Network extensions, including content filters, DNS proxies, and VPN clients
  • Endpoint security extensions, including endpoint detection and response (EDR) and antivirus

System extensions are included in an app's bundle and installed from the app. Specifically, you write your system extension, package it inside your app bundle (in the app's Contents/Library/SystemExtensions folder), and the app activates it at run time. For more information, go to system extensions (opens Apple's web site).

When the app with the system extension is ready, you can deploy the app using Microsoft Intune. For more information, go to Add apps to Microsoft Intune.

Kernel extensions

Kernel extensions add features at the kernel-level. These features access parts of the OS that regular programs can't access. They can be used if your organization has specific needs or requirements that aren't available in an app or a device feature.

For example, you have an antivirus product that scans your devices for malicious content and ships a kernel extension. You can add that kernel extension as an allowed kernel extension in Intune, and then assign the policy to your macOS devices so the extension loads without a user approval prompt.

With this feature, administrators can allow users to approve (override) kernel extensions themselves, allow every kernel extension signed by a given team identifier, or allow specific kernel extensions identified by team identifier and bundle ID. Allowing specific bundle IDs is the narrowest option and the one to prefer.

For more information on kernel extensions, go to kernel extensions (opens Apple's web site).

Important

Kernel extensions don't work on macOS devices with Apple silicon (M1 and later chips) when deployed this way. This behavior is a known issue, with no ETA. The underlying cause is Apple's security model rather than an Intune bug: an Apple silicon Mac only loads third-party kernel extensions after the user lowers the security policy to Reduced Security in recoveryOS and allows user management of kernel extensions there, and no MDM can perform that step remotely. It's possible you can get them to work, but it's not recommended. For more information, go to Kernel extensions in macOS (opens Apple's web site).

For any macOS devices running 10.15 and newer, we recommend using system extensions (in this article). If you use the kernel extensions settings, then consider excluding Apple silicon devices from receiving the kernel extensions profile.

Prerequisites

What you need to know

  • Unsigned legacy kernel extensions and system extensions can be added.
  • Be sure to enter the correct team identifier and bundle ID of the extension. Intune doesn't validate the values you enter. If you enter wrong information, the extension won't work on the device. A team identifier is exactly 10 alphanumeric characters long.
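Because Intune doesn't validate the team identifier or bundle ID, it helps to read both values off the signed extension and sanity-check them before typing them into the admin center. The following POSIX shell script is an added example, not part of this article or of Intune; it parses the output of `codesign -dv --verbose=4` (a constructed sample is embedded so it runs offline, with a placeholder team ID and bundle ID) and checks that the team identifier has Apple's 10-character alphanumeric form.

```shell
#!/bin/sh
# Added example (not from the Intune article): extract the TeamIdentifier and
# bundle Identifier from codesign output and validate them before entering
# them in the Intune Extensions template.

# Constructed sample of what `codesign -dv --verbose=4 /path/to/Foo.kext`
# prints on macOS. The team ID and bundle ID are placeholders, not a real
# vendor's values.
SAMPLE_CODESIGN_OUTPUT='Executable=/Library/Extensions/ExampleAV.kext/Contents/MacOS/ExampleAV
Identifier=com.example.av.kext
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=2'

# Apple team identifiers are exactly 10 alphanumeric characters.
team_id_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{10}$'
}

# Read Key=Value lines from codesign output on stdin and print
# "<TeamIdentifier> <Identifier>" on one line. Returns 1 if either is missing
# (for example, an unsigned or ad-hoc signed bundle has no TeamIdentifier).
extension_identity() {
    awk -F= '
        $1 == "TeamIdentifier" { team = $2 }
        $1 == "Identifier"     { bundle = $2 }
        END {
            if (team == "" || bundle == "") exit 1
            print team, bundle
        }'
}

# Combined check on stdin: identity must parse and the team ID must be well
# formed. Prints "TEAMID BUNDLEID" on success, a reason on stderr otherwise.
check_extension() {
    pair=$(extension_identity) || { echo "no TeamIdentifier/Identifier in input" >&2; return 1; }
    team=${pair%% *}
    if ! team_id_valid "$team"; then
        echo "team identifier '$team' is not 10 alphanumeric characters" >&2
        return 1
    fi
    printf '%s\n' "$pair"
}

# Offline demo on the constructed sample. On a Mac, feed real output instead:
#   codesign -dv --verbose=4 /Library/Extensions/Foo.kext 2>&1 | check_extension
printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | check_extension
```

For a system extension, point `codesign` at the extension bundle inside the app, under Contents/Library/SystemExtensions, rather than at the app itself; the app and its extension can carry different bundle identifiers, and it's the extension's identifier the policy needs.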

Note

Apple released information regarding signing and notarization for all software. On macOS 10.14.5 and newer, kernel extensions deployed through Intune don't have to meet Apple's notarization policy.

For information on this notarization policy, and any updates or changes, go to the following resources:

Create the kernel extension policy

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration > Create > New policy.

  3. Enter the following properties:

    • Platform: Select macOS
    • Profile type: Select Templates > Extensions.
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS-AV scanning using kernel extensions.
    • Description: Enter a description for the policy. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, configure the kernel extension settings: whether users may approve (override) kernel extensions themselves, the team identifiers whose kernel extensions are always allowed, and the specific kernel extensions (team identifier plus bundle ID) that are always allowed.

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, go to Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
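The settings entered in step 7 reach the Mac as a configuration profile carrying a com.apple.syspolicy.kernel-extension-policy payload. As an added example that is not part of this article and is not the profile Intune itself generates, the following POSIX shell function writes an equivalent .mobileconfig, which is useful for understanding what each template setting maps to, or for uploading as a custom profile. The team ID, bundle ID, and PayloadIdentifier strings are placeholders; the display name reuses the example name from step 5.

```shell
#!/bin/sh
# Added example (not from the Intune article): emit a configuration profile
# with the same kernel-extension-policy keys the Intune Extensions template
# sets. All identifiers below are placeholders.

# Every PayloadUUID in a profile must be unique, so generate fresh ones.
new_uuid() {
    uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || echo "REPLACE-WITH-UUID"
}

# kext_policy_profile TEAM_ID BUNDLE_ID [ALLOW_USER_OVERRIDES]
# Prints a profile that always allows exactly one kext (TEAM_ID + BUNDLE_ID)
# and leaves user approval of other kexts off unless the 3rd arg is "true".
# Allowing only a bundle ID is narrower than listing the team under
# AllowedTeamIdentifiers, which would permit every kext that team signs.
kext_policy_profile() {
    team=$1; bundle=$2; overrides=${3:-false}
    case $overrides in
        true|false) ;;
        *) echo "ALLOW_USER_OVERRIDES must be true or false" >&2; return 1 ;;
    esac
    printf '%s' "$team" | grep -Eq '^[A-Za-z0-9]{10}$' \
        || { echo "team identifier '$team' is not 10 alphanumeric characters" >&2; return 1; }
    [ -n "$bundle" ] || { echo "bundle ID is required" >&2; return 1; }
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadIdentifier</key>
      <string>com.example.kext-policy.payload</string>
      <key>PayloadUUID</key>
      <string>$(new_uuid)</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Template setting "Allow user overrides" -->
      <key>AllowUserOverrides</key>
      <$overrides/>
      <!-- Template setting "Kernel extensions": team ID -> allowed bundle IDs -->
      <key>AllowedKernelExtensions</key>
      <dict>
        <key>$team</key>
        <array>
          <string>$bundle</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>macOS-AV scanning using kernel extensions</string>
  <key>PayloadIdentifier</key>
  <string>com.example.kext-policy</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>$(new_uuid)</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Demo with placeholder values; redirect to a file to keep the profile.
kext_policy_profile ABCDE12345 com.example.av.kext
```

On a Mac, `plutil -lint` on the saved file confirms the plist is well formed. Leaving AllowUserOverrides at false means a kext not covered by the policy can't be approved by a standard user from System Settings, which is what you want on managed devices; set it to true only where users must be able to approve extensions the policy doesn't list.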

Resources

Be sure to assign the profile and monitor its status.