How to List System Extensions Across All Macs
Using Kolide, you can easily view and query Mac System Extensions across your fleet.
Introduction
In macOS 10.15 (Catalina), Apple introduced a replacement for Kernel Extensions called System Extensions. They allow developers to extend the capabilities of macOS by installing and managing drivers and other low-level code in user space rather than in the kernel. These capabilities support, among other things, firewall applications, VPN software, and antivirus/endpoint security agents.
Because they run in user space rather than in the kernel, System Extensions cannot compromise the security or stability of the kernel the way a faulty KEXT could. The system still grants these extensions a high level of privilege, so they can perform the kinds of tasks previously reserved for kernel extensions (KEXTs).
System Extensions can be reviewed on a macOS device from the Terminal by running:

```shell
systemextensionsctl list
```
In macOS Big Sur, you can review System Extensions in the macOS GUI by following the steps below:
- Click the Apple menu at the top-left of your screen.
- In the dropdown, click the item labeled System Preferences.
- In System Preferences, click the preference pane labeled Extensions, which has a puzzle piece for an icon.
- In Extensions, click the item in the sidebar labeled Added Extensions.
By default, a macOS device will not have any System Extensions installed.
For more information about System Extensions, please refer to the official Apple documentation:
- About system extensions and macOS (Apple Support)
- Apple Developer / System Extensions
What Mac System Extension Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac System Extensions from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac System Extensions Schema
Column | Type | Description
---|---|---
id | Primary Key | Unique identifier for the object
device_id | Foreign Key | Device associated with the entry
device_name | Text | Display name of the device associated with the entry
bundle_path | Text | The location of the app that is associated with the System Extension
category | Text | The category of the system extension in bundle ID form (ex:
identifier | Text | The identifier of the system extension in bundle ID form (ex:
path | Text | The original path of the System Extension code
state | Text | The activation and enablement state of the system extension (ex:
team | Text | The team ID that signed the system extension
uuid | Text | The system extension's unique ID
version | Text | The text representation of the version
version_major | Bigint |
version_minor | Bigint |
version_patch | Bigint |
version_subpatch | Bigint |
version_pre | Text |
version_build | Text |
collected_at | Timestamp | Time the row of data was first collected in the database
updated_at | Timestamp | Time the row of data was last changed in the database
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can list every extension that has been installed but is still waiting for the end user to approve it:

```sql
SELECT
  device_name,
  team AS ext_team,
  state AS ext_state,
  version AS ext_version,
  identifier AS ext_identifier
FROM mac_system_extensions
WHERE state = 'activated_waiting_for_user';
```
ext_team | ext_state | device_name | ext_version | ext_identifier |
---|---|---|---|---|
6KALHUIASD8 | activated_waiting_for_user | Jessicas-MacBook-Air-2 | 3.0.36471 | com.f-secure.fsmac.gui.FSCSystemExtension |
JH4SD6P446 | activated_waiting_for_user | Daves-MacBook-Pro-2288 | 6.36 | com.crowdstrike.falcon.Agent |
52985DC85C | activated_waiting_for_user | Lukes-MacBook-Pro | 6.0.1 | com.carbonblack.endpointseagent |
87JHSAD6SC | activated_waiting_for_user | Brians-MacBook-Air | 3.1.86425 | com.f-secure.fsmac.gui.FSCSystemExtension |
LKC845671X | activated_waiting_for_user | Karas-MacBook-Pro | 3.0.41898 | com.f-secure.fsmac.gui.FSCSystemExtension |
Why Should I Collect Mac System Extensions?
Collecting information about installed System Extensions can be useful for IT and Security teams to verify certain security software (like Antivirus, VPN or Firewall) has been successfully installed, and has the extended capabilities it relies on to function properly.
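The following is an added, runnable illustration (not Kolide's or osquery's code) that ties together the three pieces above: parsing `systemextensionsctl list` output into the schema's columns (identifier, team, version, state), running the waiting-for-approval query from the previous section against an in-memory table, and checking which devices lack an expected security extension in the activated_enabled state. The tab-separated column layout of `systemextensionsctl list`, the per-device sample outputs, the device names and the build numbers are constructed assumptions for the example; state values are normalised to the underscore form the page shows (e.g. activated_waiting_for_user).

```python
import re
import sqlite3

# Constructed sample outputs of `systemextensionsctl list`, one per device.
# Assumed layout (not documented on the page): a "--- <category>" line, a
# header line, then one tab-separated row per extension:
#   enabled  active  teamID  "bundleID (version/build)"  name  "[state]"
# Team IDs and identifiers reuse values from the page; the rest is made up.
SAMPLE_DEVICES = {
    "Daves-MacBook-Pro-2288": (
        "1 extension(s)\n"
        "--- com.apple.system_extension.endpoint_security\n"
        "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
        "*\t*\tJH4SD6P446\tcom.crowdstrike.falcon.Agent (6.36/130)\tAgent\t[activated enabled]\n"
    ),
    "Karas-MacBook-Pro": (
        "1 extension(s)\n"
        "--- com.apple.system_extension.network_extension\n"
        "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
        "\t\t6KALHUIASD8\tcom.f-secure.fsmac.gui.FSCSystemExtension (3.0.41898/1)"
        "\tFSCSystemExtension\t[activated waiting for user]\n"
    ),
    # A freshly set-up Mac: no System Extensions installed at all.
    "Fresh-MacBook": "0 extension(s)\n",
}

# "bundleID (version/build)" -> identifier, version, optional build.
BUNDLE_RE = re.compile(r"^(?P<identifier>\S+) \((?P<version>[^/)]+)(?:/(?P<build>[^)]*))?\)$")


def parse_systemextensionsctl(text):
    """Parse one device's `systemextensionsctl list` output into schema-shaped dicts."""
    rows, category = [], None
    for line in text.splitlines():
        if line.startswith("--- "):          # category block, e.g. network_extension
            category = line[4:].strip()
            continue
        if category is None or line.startswith("enabled\t") or not line.strip():
            continue                         # count line, header line, blanks
        fields = line.split("\t")
        if len(fields) != 6:
            continue                         # not an extension row
        _enabled, _active, team, bundle, _name, state = fields
        m = BUNDLE_RE.match(bundle.strip())
        if not m:
            continue
        rows.append({
            "category": category,
            "team": team.strip(),
            "identifier": m["identifier"],
            "version": m["version"],
            "version_build": m["build"] or "",
            # "[activated waiting for user]" -> "activated_waiting_for_user"
            "state": state.strip().strip("[]").replace(" ", "_"),
        })
    return rows


def split_version(version):
    """'3.0.41898' -> (3, 0, 41898); missing or non-numeric parts become None."""
    nums = [int(p) if p.isdigit() else None for p in version.split(".")[:3]]
    return tuple(nums + [None] * (3 - len(nums)))


def build_inventory(per_device):
    """Load parsed rows into an in-memory table shaped like a subset of the schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE mac_system_extensions (
        device_name TEXT, category TEXT, identifier TEXT, team TEXT, version TEXT,
        version_major INTEGER, version_minor INTEGER, version_patch INTEGER,
        version_build TEXT, state TEXT)""")
    for device, output in per_device.items():
        for r in parse_systemextensionsctl(output):
            major, minor, patch = split_version(r["version"])
            conn.execute("INSERT INTO mac_system_extensions VALUES (?,?,?,?,?,?,?,?,?,?)",
                         (device, r["category"], r["identifier"], r["team"], r["version"],
                          major, minor, patch, r["version_build"], r["state"]))
    conn.commit()
    return conn


def waiting_for_user(conn):
    """The page's query: extensions installed but still awaiting user approval."""
    return conn.execute("""SELECT device_name, team, state, version, identifier
                           FROM mac_system_extensions
                           WHERE state = 'activated_waiting_for_user'""").fetchall()


def devices_missing(conn, devices, identifier):
    """Devices (from the full device list, so empty Macs count) without an
    activated+enabled copy of the expected extension."""
    ok = {row[0] for row in conn.execute(
        "SELECT device_name FROM mac_system_extensions WHERE identifier = ? AND state = 'activated_enabled'",
        (identifier,))}
    return sorted(d for d in devices if d not in ok)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_DEVICES)
    print("waiting for user:", waiting_for_user(inv))
    print("missing Falcon:", devices_missing(inv, SAMPLE_DEVICES, "com.crowdstrike.falcon.Agent"))
```

The missing-extension check deliberately starts from the full device list rather than from the extension rows, because a Mac with no System Extensions at all has no rows and would otherwise never show up as non-compliant.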
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
System Extensions are typically installed alongside the apps that require them, which means an application intended for personal or private use may have its name recorded in the System Extensions list, for example:
- eCigarette-Vaporizer-Control.app
- Adult-Toy-Control.app
- Fertility-Window-Tracker.app
- Torrenting-Software.app
When you use Kolide to list Mac System Extension data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.