Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
TL;DR: macOS Sequoia brings more control to IT teams, but they need to take the time to review their current system extension policies and setup.
macOS Sequoia introduces some important changes to system extensions, impacting how IT administrators manage and secure Apple devices. These changes are part of Apple’s ongoing efforts to enhance device security and improve control over system functions, particularly in enterprise environments.
About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise grade Wi-Fi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
System extensions in macOS Sequoia
System extensions allow software to extend the functionality of macOS without using legacy kernel extensions (kexts), which Apple began phasing out due to security risks. This was especially critical when macOS was protected from a faulty update from a popular security vendor. Instead, system extensions run in user space, offering better stability and security. In macOS Sequoia, Apple refines how these extensions are handled, introducing new capabilities that administrators should know.
Previously, system extensions were installed without much visibility to the end-user, simplifying deployment but limiting flexibility in terms of control. With macOS Sequoia, however, system extensions become more accessible to IT administrators, who now have enhanced options for managing them. These changes offer a more transparent, secure, and customizable environment for enterprise-level device management while prioritizing macOS safety and security.
Changes to management and control
A significant update in macOS Sequoia is the ability for administrators to control system extensions via their device management system. This includes the introduction of new keys in configuration profiles that can be leveraged to manage these extensions. Specifically, IT administrators now can ensure critical system extensions are always enabled while preventing users from disabling them.
The new configuration profile keys allow admins to lock certain extensions in place, ensuring they remain active on the computer. This is particularly critical for maintaining security as disabling essential system extensions could leave a system vulnerable to attack or hack. macOS Sequoia’s enhancements align with Apple’s broader move towards tightening security and giving IT teams more control while maintaining a great macOS user experience.
These configuration profile improvements streamline workflows, as IT admins can now define which system extensions are critical and which ones can be left to user discretion. This level of control enhances the IT team’s ability to enforce security policies, particularly in highly regulated industries such as finance, travel, and medicals, where system integrity is absolutely critical
Enhanced user visibility and security
Another critical shift in macOS Sequoia is improved transparency around system extensions. In earlier macOS versions, users had little to no insight into the system extensions running on their devices. With Sequoia, users with administrative privileges can now see these extensions and, if allowed by IT policies, turn them off. This increases user awareness and places more responsibility on IT teams to correctly configure permissions and policies.
This dual approach — more transparency for users but stricter controls for IT teams — balances usability and security. It allows organizations to customize device management on company-owned devices while ensuring that vital extensions remain in place, even as end-users gain more visibility.
What are the implications for IT teams?
For IT teams managing large fleets of Apple devices, the changes in Sequoia offer new tools to enhance security and control. However, they also necessitate updated management strategies. Administrators will need to review their existing system extension policies and update configuration profiles to take advantage of the new capabilities offered by macOS Sequoia.
Ensuring that critical extensions are locked in and inaccessible to unauthorized users will be a priority, alongside guiding end-users on how system extensions operate in this new environment. IT teams will benefit from the greater control brought by macOS Sequoia, but they must also be proactive in understanding and implementing these changes to avoid disruptions and security gaps.
Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
FTC: We use income earning auto affiliate links. More.