
What macOS Kernel Extensions Are and How Apple Is Evolving Them

by Francis Sevilleja, IT Technical Writer


Key Points

  • Kernel extensions (KEXTs) operate inside the OS kernel, enhancing software monitoring and management capabilities through deep system integration.
  • Since KEXTs operate with full kernel privileges, bugs, conflicts, or malicious code can lead to system crashes, data loss, or bypassed security controls.
  • Starting with macOS 10.15.4 Catalina, Apple began implementing system extensions, a safer user-space alternative to kernel extensions.
  • System extensions use DriverKit, Network Extension, and Endpoint Security frameworks to deliver kernel-level capabilities without the associated risk.
  • Running extensions in user space limits privilege scope, improves system stability, and aligns with modern macOS security features.
  • KEXT usage is increasingly restricted on Apple silicon devices, making system extensions the preferred and future-proof approach for secure macOS management.

macOS kernel extensions (KEXTs) allow applications to interact with low-level hardware or services, offering deeper functionality, including the monitoring or control of deep system behavior. However, KEXTs run inside the OS kernel with broad privileges, which can introduce security and stability risks.

Apple has been shifting towards system extensions that operate outside the kernel, offering users safer ways to extend platform functionality without compromising security.

What are macOS kernel extensions?

KEXTs are modules of code that load directly into the macOS kernel, expanding the capabilities of the apps and platforms that ship them. They help with tasks that require direct, system-wide access, such as the following:

  • Driver communication: Ensures the OS understands how to use connected devices that it doesn’t handle natively, so those devices keep working.
  • Network stack interactions: KEXTs inspect, filter, redirect, or modify network data, helping network controls like VPN clients and firewalls enforce security policies.
  • Low-level system functions: Supplies platforms with deep-level OS metrics, including memory behavior and real-time process activity, suitable for performance tools, security monitoring, and system management utilities.

Simply put, KEXTs provide deep visibility and control over macOS areas where standard applications can’t reach. They allow the OS to communicate with unsupported hardware effectively, allow technicians to observe and control network data, and provide low-level insight into key device metrics.

Associated risks with macOS KEXT usage

The kernel is responsible for managing hardware, memory, and critical OS processes, which makes operating at this level risky. Kernel extensions allow apps, platforms, or services to operate with the same level of trust and authority as the OS itself.

Since these extensions run at the heart of the operating system, they don’t have many safety rails, which can lead to unexpected crashes, bypassed protections, and difficult troubleshooting procedures.

System-wide impact

If a kernel extension contains an error, the consequences are more severe than a bug in standard applications. KEXTs allow code to run in the kernel, which means a single flaw can cause system crashes, instability, and unpredictable device behavior.

In most cases, the system cannot isolate or recover from kernel failures, forcing a reboot that can lead to data loss or file system corruption. In other words, when a kernel extension breaks, it doesn’t just break an app; it can also break the entire OS.

Potential bypassing of security controls

Malicious KEXTs operate under the OS layer, which enables them to bypass built-in security controls, hide their activity, or tamper with system processes. Because of this kernel-level access, misbehaving KEXTs are challenging to detect and remediate, and can keep working silently behind safeguards indefinitely.

Troubleshooting complexity

Managed macOS devices usually run multiple kernel extensions to support device management and monitoring tools. When these extensions conflict with each other, or with macOS updates, the outcome can be hard to trace. This leads to extensive and time-consuming diagnostic procedures that require deep system knowledge to pull off effectively.

macOS system extensions: A modern alternative to KEXTs

Although kernel extensions pose risks for devices and managed environments, their usage is undeniably essential for a proactive IT management strategy. To address the potential risks associated with KEXTs, Apple introduced Mac system extensions, a safer alternative for deep OS software integration.

System extensions are delivered through dedicated system frameworks that operate in user space:

  • DriverKit: Supports hardware drivers without the need for kernel access.
  • Network extensions: User-space components that allow apps to extend their native networking capabilities.
  • Endpoint security extensions: Offer system-level visibility for modern security tools, like Endpoint Detection and Response (EDR) and VPN tools.

Shifting these integrations outside the kernel enables IT teams and MSPs to preserve their management and monitoring capabilities without the systemic risks that come with KEXTs. Apple achieves this by changing where extensions run, how much access is granted, and how failures are contained.

User-space operation

Unlike KEXTs, system extensions operate outside the macOS kernel, preventing third-party code from running below the OS layer. If a system extension fails or misbehaves, macOS can isolate the problem without crashing the system, improving overall reliability.

Limited privilege scope

System extensions maintain least privilege access by only performing approved actions. For instance, a networking extension can observe or manage network traffic without gaining access to unrelated system components or metrics. This scoped access reduces your environment’s attack surface and limits the blast radius caused by bugs or malicious code.

Improved stability and security

System extensions integrate cleanly with macOS security features, including System Integrity Protection, code signing, and user or MDM-based approvals. Additionally, macOS updates are less likely to break them, and failures are easier to troubleshoot and remediate.

Management strategy for macOS kernel extensions

Although Apple continues to move towards system extensions, macOS still supports KEXTs, especially in legacy scenarios. This support exists for older software and specialized tools that haven’t transitioned to system extensions.

KEXTs require explicit control and approval through the following:

  • User approval: macOS requires users to manually approve KEXT usage before it applies, acting as an intentional friction point.
  • MDM-driven approval: Some macOS MDMs allow centralized KEXT approval and whitelisting to speed up load times without requiring user-initiated actions.
  • Trust-based approval: Allows administrators to approve KEXTs that originate from a known vendor family to simplify kernel extension management; however, this requires careful vendor vetting.

Additionally, administrators can leverage MDMs to prevent users from independently approving kernel extensions. This control ensures that the responsibility of KEXT governance falls on the shoulders of administrators through policies, preventing users from unknowingly authorizing unsafe extensions.
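The approval controls above can be checked in the configuration profile an MDM pushes. The following audit script is an added example, not code from NinjaOne or Apple: it reads Apple's kernel extension policy payload (`com.apple.syspolicy.kernel-extension-policy`) and reports whether users can still approve KEXTs themselves, which vendors are trusted wholesale, and which individual KEXTs are approved. The sample profile, team IDs, bundle ID, and severity labels are constructed for illustration.

```python
import plistlib

KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"

# Constructed sample profile; the team IDs and bundle ID are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key>
    <string>com.apple.syspolicy.kernel-extension-policy</string>
    <key>AllowUserOverrides</key><true/>
    <key>AllowedTeamIdentifiers</key>
    <array><string>ABCDE12345</string></array>
    <key>AllowedKernelExtensions</key>
    <dict>
      <key>ZYXWV98765</key>
      <array><string>com.example.driver</string></array>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_kext_policy(profile_bytes):
    """Return (severity, message) findings for each KEXT approval payload."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_POLICY:
            continue
        # Unless explicitly false, users may approve KEXTs beyond this list.
        if payload.get("AllowUserOverrides") is not False:
            findings.append(("HIGH", "users can approve additional KEXTs"))
        # Team-wide trust approves every KEXT signed by that vendor.
        for team in payload.get("AllowedTeamIdentifiers", []):
            findings.append(("MEDIUM", f"all KEXTs from team {team} allowed"))
        # Per-bundle entries are the narrowest form of approval.
        for team, bundles in payload.get("AllowedKernelExtensions", {}).items():
            for bundle in bundles:
                findings.append(("INFO", f"{team}:{bundle} allowed"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_kext_policy(SAMPLE_PROFILE):
        print(f"{severity:6} {message}")
```

Setting `AllowUserOverrides` to false in the profile removes the HIGH finding and leaves only the administrator-defined approvals.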

Impact of Apple silicon and modern macOS architecture

At WWDC 2019, Apple formally announced the deprecation of KEXTs and introduced system extensions in macOS 10.15.4 Catalina as their replacement. In the subsequent year, Apple also announced Apple silicon, which changed how macOS handles trust, security, and low-level system access.

On modern Apple silicon and macOS devices, kernel extensions won’t load unless explicitly allowed, because they directly conflict with modern macOS security design. For managed environments, this increases friction and risk when leveraging KEXTs at scale.

These strict KEXT restrictions are intentional, as kernel-level extensions can harm devices by introducing external, sometimes unapproved, code into the OS. For IT teams and MSPs managing legacy environments, KEXT dependency will increasingly require security exceptions, manual intervention, or architectural compromises.

Manage macOS system or kernel extensions with NinjaOne

NinjaOne MDM offers several features that help administrators manage kernel and security extensions centrally and at scale across macOS environments.

  • System Extensions Management: Add or block specific system extensions through the NinjaOne agent policy, and use bundle identifiers to streamline system extension approvals from trusted vendors.
  • Privacy Preferences Management: Pre-configure privacy permissions for specific managed applications, granting necessary access to data sources without requiring user interaction.
  • Policy Assignment and Enforcement: Configure MDM settings, including system extensions, within macOS agent policies. View and manage overridden sections of assigned policies via the device dashboard.
  • Device Actions: Speed up administrative workflows by using device actions, such as shutting down, installing the NinjaOne agent, or deleting MDM-enrolled macOS devices, directly from the NinjaOne console.

Securing macOS kernel and system extension usage

Kernel extensions play a key role in expanding software and platform capabilities; however, deep kernel access poses security and stability challenges for environments. Apple’s shift towards the use of system extensions helps mitigate risks that come with KEXT usage, while improving device reliability.

Clearly understanding the transition between kernel and system extensions helps you manage macOS devices more securely. Additionally, this helps you plan for future upgrades, ensuring compatibility and streamlining workflows for managed legacy macOS environments.


FAQs

When a kernel extension is blocked, macOS prevents it from loading into the kernel, causing the dependent software to lose functionality. Blocked KEXTs typically require explicit user or MDM-based approval to load, while Apple silicon devices may require further authorization to overcome increased restrictions.

Enabling a kernel extension usually requires approval via macOS security settings or through an MDM policy that whitelists the extension. On Apple silicon devices, additional steps in recovery mode may be required, which can weaken a device’s overall security posture.

Kernel extensions run inside the macOS kernel with full system privileges. Meanwhile, system extensions run in user space while still providing the same functionality without exposing the OS to kernel-level risk.

System extensions may be blocked until explicitly approved by a user or administrator to prevent untrusted software from gaining elevated capabilities. macOS requires user consent or MDM approval to ensure extensions come from vetted vendors and align with organizational policies.

Kernel extensions are still supported for legacy macOS environments; however, Apple continues to restrict their use with each release. Organizations should expect reduced support and increased friction, making migration to system-based software essential to ensure long-term compatibility.
