How to List System Extensions Across All Macs

Using Kolide, you can easily view and query Mac System Extensions across your fleet.

Introduction

In macOS 10.15 (Catalina), Apple introduced System Extensions as a replacement for Kernel Extensions. They allow developers to extend the capabilities of macOS by installing and managing drivers and other low-level code in user space rather than in the kernel. These extended capabilities facilitate, but are not limited to, things like firewall applications, VPN software, and antivirus/endpoint security agents.

By running in user space, System Extensions can’t compromise the security or stability of macOS. The system grants these extensions a high level of privilege, so they can perform the kinds of tasks previously reserved for kernel extensions (KEXTs).

System Extensions can be reviewed on a macOS device using the terminal by running:

systemextensionsctl list

In macOS Big Sur, you can review System Extensions in the macOS GUI by following the steps below:

  1. Click the Apple menu at the top-left of your screen.
  2. In the dropdown, click the item labeled System Preferences.
  3. In System Preferences, click the preference pane labeled Extensions, which has a puzzle piece for an icon.
  4. In Extensions, click the item in the sidebar labeled Added Extensions.

By default, a macOS device will not have any System Extensions installed.

For more information about System Extensions, please refer to the official Apple Support documentation:

  • About system extensions and macOS
  • Apple Developer / System Extensions

What Mac System Extension Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac System Extensions from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac System Extensions Schema

| Column | Type | Description |
|---|---|---|
| id | Primary Key | Unique identifier for the object |
| device_id | Foreign Key | Device associated with the entry |
| device_name | Text | Display name of the device associated with the entry |
| bundle_path | Text | The location of the App that is associated with the System Extension |
| category | Text | The category of the system extension in bundle ID form (ex: com.apple.system_extension.network_extension). |
| identifier | Text | The identifier of the system extension in bundle ID form (ex: ch.tripmode.TripMode.FilterExtension). |
| path | Text | The original path of the System Extension code |
| state | Text | The activation and enablement state of the system extension (ex: activated_enabled). |
| team | Text | The team's ID that signed the system extension. |
| uuid | Text | The system extension's unique ID. |
| version | Text | The text representation of the version |
| version_major | Bigint | version's semver major version (ex: 4.2.1 would yield 4) |
| version_minor | Bigint | version's semver minor version (ex: 4.2.1 would yield 2) |
| version_patch | Bigint | version's semver patch version (ex: 4.2.1 would yield 1) |
| version_subpatch | Bigint | version's numeric status fourth position number (ex: 4.2.1.6 would yield 6) |
| version_pre | Text | version's semver pre-release version (ex: 1.2.3-prerelease+build would yield pre-release) |
| version_build | Text | version's semver build version (ex: 1.2.3-prerelease+build would yield build) |
| collected_at | Timestamp | Time the row of data was first collected in the database |
| updated_at | Timestamp | Time the row of data was last changed in the database |

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Identify system extensions that have been installed but not yet approved by the end user, and that require additional permissions before they can be used.

Kolide SQL
SELECT
  device_name,
  team AS ext_team,
  state AS ext_state,
  version AS ext_version,
  identifier AS ext_identifier
FROM mac_system_extensions 
WHERE state = 'activated_waiting_for_user';

Example Results

| ext_team | ext_state | device_name | ext_version | ext_identifier |
|---|---|---|---|---|
| 6KALHUIASD8 | activated_waiting_for_user | Jessicas-MacBook-Air-2 | 3.0.36471 | com.f-secure.fsmac.gui.FSCSystemExtension |
| JH4SD6P446 | activated_waiting_for_user | Daves-MacBook-Pro-2288 | 6.36 | com.crowdstrike.falcon.Agent |
| 52985DC85C | activated_waiting_for_user | Lukes-MacBook-Pro | 6.0.1 | com.carbonblack.endpointseagent |
| 87JHSAD6SC | activated_waiting_for_user | Brians-MacBook-Air | 3.1.86425 | com.f-secure.fsmac.gui.FSCSystemExtension |
| LKC845671X | activated_waiting_for_user | Karas-MacBook-Pro | 3.0.41898 | com.f-secure.fsmac.gui.FSCSystemExtension |

Why Should I Collect Mac System Extensions?

Collecting information about installed System Extensions can be useful for IT and Security teams to verify certain security software (like Antivirus, VPN or Firewall) has been successfully installed, and has the extended capabilities it relies on to function properly.
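
The verification described above can be run as one fleet-wide summary per extension. The query below is an added example, not a query from Kolide: it uses only the mac_system_extensions columns documented in the schema and the two state values shown on this page, and it assumes Kolide SQL accepts CASE expressions and COUNT(DISTINCT ...).

```sql
-- Added example (not a Kolide-provided query): rollout health per system extension.
-- Table and column names come from the schema on this page; the dialect features
-- used here (CASE, COUNT(DISTINCT ...)) are assumed to be available.
SELECT
  identifier AS ext_identifier,
  team       AS ext_team,
  category   AS ext_category,
  -- A device may report more than one row for an identifier, so count
  -- distinct devices rather than rows.
  COUNT(DISTINCT device_id) AS devices_reporting,
  -- Devices where the extension is approved and running.
  COUNT(DISTINCT CASE WHEN state = 'activated_enabled'
                      THEN device_id END) AS devices_enabled,
  -- Devices where the end user has not yet approved the extension.
  COUNT(DISTINCT CASE WHEN state = 'activated_waiting_for_user'
                      THEN device_id END) AS devices_waiting_for_user,
  -- Any state other than the two shown on this page.
  COUNT(DISTINCT CASE WHEN state NOT IN ('activated_enabled',
                                         'activated_waiting_for_user')
                      THEN device_id END) AS devices_other_state,
  -- Version sprawl: how many different versions are deployed.
  COUNT(DISTINCT version) AS versions_in_use,
  MAX(updated_at) AS last_change_seen
FROM mac_system_extensions
-- Grouping by team as well as identifier keeps differently signed copies
-- of the same identifier on separate rows.
GROUP BY identifier, team, category
ORDER BY devices_waiting_for_user DESC, devices_reporting DESC;
```

For a required security agent, any device counted under devices_waiting_for_user or devices_other_state does not yet have the extension running, and an identifier that appears under more than one ext_team is worth checking against the vendor's published team ID.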

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

System Extensions are typically installed alongside the apps that require them. This means it is possible for you to install an application intended for personal or private use whose name may be recorded in System Extensions, for example:

  • eCigarette-Vaporizer-Control.app
  • Adult-Toy-Control.app
  • Fertility-Window-Tracker.app
  • Torrenting-Software.app

When you use Kolide to list Mac System Extension data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
