As of High Sierra (10.13.x), all third-party kernel extensions (kexts) must be explicitly allowed to load. This approval can be performed locally by the end user, or orchestrated via a mobile device management (MDM) policy. 

Approving EDR/EPP sensor kernel extensions

To approve the macOS kernel extension directly on a Mac system:

1. In System Preferences, in the Security & Privacy pane, click the General tab.
2. Click the lock icon and authenticate as an administrator.
3. Click the Allow button for System software from developer “EDR Vendor” was prevented from loading.

The installer will finish running and load the sensor.

To approve the macOS kernel extension via MDM:

1. Specify the Apple Team ID in your configuration profile:
   • Carbon Black Response/Defense/ThreatHunter
     Apple Team ID: 7AGZNQ2S2T
   • CrowdStrike Falcon
     Apple Team ID: X9E956P446
   • Endgame
     Apple Team ID: 4FVLCA237T
   • Microsoft Defender ATP
     Apple Team ID: UBF8T346G9