
System Extensions device management payload settings for Apple devices
You can configure System Extensions settings for users of a Mac that enrolls in a device management service. Installing or removing this payload can change the state of system extensions on the Mac. If a containing app activates a system extension, and the system extension is in a pending state, installing a payload that allows the extension completes the activation process. If a system extension is active, removing a payload that allows the extension deactivates that extension.
The System Extensions payload supports the following. For more information, see Payload information.
Supported approval method: Requires user approval.
Supported installation method: Requires a device management service to install.
Supported payload identifier: com.apple.system-extension-policy
Supported operating systems and channels: macOS device.
Supported enrollment methods: Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one System Extensions payload can be delivered to a device.
You can use the settings in the table below with the System Extensions payload.
| Setting | Description | Required |
|---|---|---|
| Allowed system extensions | The list of system extensions approved for the Mac. | Yes |
| Allowed system extension types | A dictionary that maps a team identifier to an array of strings, where each string is a type of system extension that you can install for that team identifier. If there is no entry for a specified team identifier in the dictionary, the system allows all extension types. | No |
| Allowed team identifiers | An array of team identifiers that defines valid, signed system extensions that are allowable to load. Approved system extensions are those signed with any of the specified team identifiers. | No |
| Allow user overrides | Restricts users from approving additional system extensions that configuration profiles don’t explicitly allow. | No |
Note: Each device management service developer implements these settings differently. To learn how System Extensions settings are applied to your devices, consult your developer’s device management service documentation.
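The following is an added example, not Apple's code or part of the original page: a Python audit that parses a configuration profile and reports where a System Extensions payload approves more than an explicit per-extension list. The key names (`AllowedSystemExtensions`, `AllowedSystemExtensionTypes`, `AllowedTeamIdentifiers`, `AllowUserOverrides`) and the `EndpointSecurityExtension` type string are assumed from Apple's configuration profile reference rather than taken from this page, and every team identifier, bundle identifier and UUID in the sample is a constructed placeholder.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.system-extension-policy"

def audit_payload(p):
    """Return (key, team_id, issue) findings for one System Extensions payload."""
    findings = []
    listed = p.get("AllowedSystemExtensions", {})
    types = p.get("AllowedSystemExtensionTypes", {})
    team_wide = p.get("AllowedTeamIdentifiers", [])
    # Assumption (Apple's profile reference): true lets users approve unlisted
    # extensions. An absent key is not flagged; no default is assumed here.
    if p.get("AllowUserOverrides") is True:
        findings.append(("AllowUserOverrides", None, "users may approve unlisted extensions"))
    for team in team_wide:
        findings.append(("AllowedTeamIdentifiers", team, "any extension signed by this team is approved"))
    # Per the table above: a team with no entry in the types dictionary gets all types.
    for team in sorted(set(listed) | set(team_wide)):
        if team not in types:
            findings.append(("AllowedSystemExtensionTypes", team, "no entry, all extension types allowed"))
    return findings

def audit_profile(data):
    """Parse profile bytes (XML or binary plist) and audit each matching payload."""
    profile = plistlib.loads(data)
    results = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == PAYLOAD_TYPE:
            results.extend(audit_payload(p))
    return results

# Constructed sample profile; all identifiers below are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.profile.sysext",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "AllowUserOverrides": True,
        "AllowedSystemExtensions": {"TEAMID0001": ["com.example.edr.extension"]},
        "AllowedSystemExtensionTypes": {"TEAMID0001": ["EndpointSecurityExtension"]},
        "AllowedTeamIdentifiers": ["TEAMID0002"],
    }],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Because more than one System Extensions payload can be delivered to a device, run the audit over every installed profile and review the findings together.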