As of High Sierra (10.13.x), all 3rd party kernel extensions (kext) must be explicitly allowed to load. This approval can be performed locally by the end-user, or orchestrated via Mobile Device Management (MDM) policy using Apple's MDM or a 3rd party tool such as JAMF. Documentation of this feature, along with basic instructions for approval, can be found here.

Red Canary leverages EDR sensors that employ kexts, with the relevant information for approval provided below.

Carbon Black Response

Apple Team ID: 7AGZNQ2S2T

Reference


CrowdStrike Falcon

Apple Team ID: X9E956P446

Reference

Did this answer your question?