As of High Sierra (10.13.x), all third-party kernel extensions (kexts) must be explicitly allowed to load. This approval can be performed locally by the end user, or orchestrated via a mobile device management (MDM) policy.
Approving EDR/EPP sensor kernel extensions
To approve the macOS kernel extension directly on a Mac system:
- In System Preferences, in the Security & Privacy pane, click the General tab.
- Click the lock icon and authenticate as an administrator.
- Click the Allow button next to the message: System software from developer “EDR Vendor” was prevented from loading.
The installer will finish running and load the sensor.
To approve the macOS kernel extension via MDM:
- Specify the Apple Team ID in your configuration profile:
  - Carbon Black Response/Defense/ThreatHunter
    Apple Team ID: 7AGZNQ2S2T
  - CrowdStrike Falcon
    Apple Team ID: X9E956P446
  - Endgame
    Apple Team ID: 4FVLCA237T
  - Microsoft Defender ATP
    Apple Team ID: UBF8T346G9
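One way to produce and audit such a configuration profile (an added example, not part of the original page or any vendor's tooling). It uses Apple's kernel extension policy payload type and its AllowedTeamIdentifiers key; the payload identifiers, organization name and the choice to disable user overrides are placeholder assumptions.

```python
import plistlib
import re
import uuid

# Team IDs as listed on this page.
EDR_TEAM_IDS = {
    "Carbon Black Response/Defense/ThreatHunter": "7AGZNQ2S2T",
    "CrowdStrike Falcon": "X9E956P446",
    "Endgame": "4FVLCA237T",
    "Microsoft Defender ATP": "UBF8T346G9",
}
KEXT_PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")


def build_kext_profile(team_ids, org="Example Org (placeholder)"):
    """Return .mobileconfig bytes allowing kexts signed by the given Team IDs."""
    ids = sorted(set(team_ids))
    bad = [t for t in ids if not TEAM_ID_RE.fullmatch(t)]
    if not ids or bad:
        raise ValueError(f"invalid or empty Team ID list: {bad}")
    payload = {
        "PayloadType": KEXT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kext-allowlist.policy",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "AllowedTeamIdentifiers": ids,
        "AllowUserOverrides": False,  # assumption: users may not approve other kexts
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kext-allowlist",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "EDR kernel extension allowlist",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def unexpected_team_ids(profile_bytes, approved):
    """Audit a profile: return Team IDs it allows that are not in `approved`."""
    profile = plistlib.loads(profile_bytes)
    allowed = set()
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == KEXT_PAYLOAD_TYPE:
            allowed.update(p.get("AllowedTeamIdentifiers", []))
    return sorted(allowed - set(approved))
```

Include only the Team ID of the sensor you actually deploy, and run `unexpected_team_ids` over profiles exported from the MDM to catch allowlist entries nobody approved. A Team ID entry allows every kext signed by that developer, so a stale entry keeps that vendor's kexts loadable after the product is retired.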