MDM Kernel Extension Install Support in Big Sur

Published January 10, 2021 / 743 words / ~4 minutes to read

This post mainly exists to shamelessly promote my Jamf feature request to add support for RebuildKernelCache. Before jumping into the details, go upvote that feature request. You can always go back later and downvote me if by the end you decide it’s not worth the support.

RebuildKernelCache and KextPaths

Starting in Big Sur, installing a kernel extension requires user interaction, including a restart. Apple describes the lengthy install process in its developer documentation, Installing a Custom Kernel Extension. Working with kernel extensions is intentionally difficult as Apple aggressively pushes third party software out of the kernel. In the short term, though, there are still vendors lagging behind who have failed to modernize their apps. I’m not going to mince words when it comes to major tech companies choosing not to put resources behind moving to system extensions.

Of course other companies are guilty too, but one of the worst offenders is Google Drive File Stream, which will be used as the example for the rest of this post. Google has said it will launch an Apple silicon compatible version in April 2021, which I assume will also be kextless. Instead of Google making kext deprecation a priority, we get to deal with this.

[Screenshot: Google Drive File Stream kext install prompt]

Again, kernel extensions require user interaction to install. The only exception to the rule is RebuildKernelCache, a new boolean key in the MDM RestartDevice command. When it is set to true in the command payload, the Mac rebuilds the auxiliary kernel collection and completes installation of staged kernel extensions before it restarts. Staged here means kernel extensions which have been loaded at least once, triggering the approval prompt. There’s also a new KextPaths key which can be used alongside RebuildKernelCache. Apple describes it well:

If RebuildKernelCache is true, this value specifies the paths to kexts to add to the auxiliary kernel cache since the last kernel cache rebuild. If not present, the system only adds previously-discovered kexts to the kernel cache.

KextPaths is a way to add kernel extensions to the auxiliary kernel collection so they are loaded at the next reboot even if no app or script has previously tried to load them. Because the kext is never loaded ahead of the rebuild, no approval prompt needs to occur to install it. Note that KextPaths is only honored when RebuildKernelCache is true; on its own it does nothing.

Without RebuildKernelCache

Let’s take a look at the process to install a kernel extension without MDM on Intel Macs running Big Sur.

  1. Launch an app or other code (script) which loads a kernel extension. The load is blocked and System Preferences shows the kext as waiting for approval.
  2. Open System Preferences > Security & Privacy.
  3. Select Allow to install or update the kernel extension.
  4. Wait for the system to load the kext and rebuild the auxiliary kernel collection. That wording is Apple’s; in practice this usually takes very little time.
  5. Restart when prompted to load the new kernel extension.

IT admins know the more steps required of an end user, the less likely a process is to be completed successfully. Apple is well within its rights to make installing kernel extensions a pain. I know in my organization, getting these steps correct reliably is going to require a lot of repetitive explanation, through no fault of our users. It feels like enabling screen recording all over again.

With RebuildKernelCache

And now with MDM support.

  1. Launch an app or other code (script) which loads a kernel extension.
  2. Send a restart command with RebuildKernelCache set to true.
  3. Mac reboots via MDM command and loads kernel extension.

With KextPaths set as well, step 1 is no longer needed: the kext is added to the auxiliary kernel collection during the rebuild without ever having been loaded, so the user never sees an approval prompt.
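To make the command in step 2 concrete, here is an added example (not from the original post, and not any MDM vendor’s code) that builds the RestartDevice command plist an MDM server would queue for a Mac, with RebuildKernelCache and optionally KextPaths, and a checker that flags the inconsistencies described above (KextPaths without RebuildKernelCache, non-absolute paths). It covers both the key description in the RebuildKernelCache and KextPaths section and the three-step procedure here. The kext path is a constructed placeholder, not a real product’s bundle, and the envelope shape (CommandUUID plus a Command dictionary with RequestType) is the standard MDM command format.

```python
# Added example, not from the original post or from any MDM product:
# build and sanity-check the MDM RestartDevice command that carries
# RebuildKernelCache and KextPaths. Standard library only.
import plistlib
import uuid


def build_restart_command(rebuild_kernel_cache=False, kext_paths=None, command_uuid=None):
    """Return the XML plist bytes of an MDM RestartDevice command.

    RebuildKernelCache=true makes the Mac rebuild the auxiliary kernel
    collection (finishing any staged, already-approved kexts) before it
    restarts. KextPaths lists extra kext bundle paths to add to that
    collection; Apple only honours it when RebuildKernelCache is true, so
    this helper refuses to emit it on its own.
    """
    if kext_paths and not rebuild_kernel_cache:
        raise ValueError("KextPaths requires RebuildKernelCache to be true")
    command = {"RequestType": "RestartDevice"}
    if rebuild_kernel_cache:
        command["RebuildKernelCache"] = True
        if kext_paths:
            command["KextPaths"] = [str(p) for p in kext_paths]
    envelope = {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": command,
    }
    return plistlib.dumps(envelope, fmt=plistlib.FMT_XML)


def check_restart_command(data):
    """Parse a queued command plist and return a list of problems (empty if OK).

    Checks the envelope shape and the RebuildKernelCache/KextPaths rules:
    KextPaths is ignored unless RebuildKernelCache is true, and every entry
    must be an absolute path to a .kext bundle.
    """
    problems = []
    try:
        envelope = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(envelope, dict) or not isinstance(envelope.get("Command"), dict):
        return ["missing Command dictionary"]
    if not isinstance(envelope.get("CommandUUID"), str) or not envelope["CommandUUID"]:
        problems.append("missing CommandUUID")
    cmd = envelope["Command"]
    if cmd.get("RequestType") != "RestartDevice":
        problems.append("RequestType is not RestartDevice")
    rebuild = cmd.get("RebuildKernelCache", False)
    if not isinstance(rebuild, bool):
        problems.append("RebuildKernelCache must be a boolean")
        rebuild = False
    paths = cmd.get("KextPaths")
    if paths is not None:
        if not rebuild:
            problems.append("KextPaths is ignored unless RebuildKernelCache is true")
        if not isinstance(paths, list) or not paths:
            problems.append("KextPaths must be a non-empty array of strings")
        else:
            for p in paths:
                if not isinstance(p, str) or not p.startswith("/"):
                    problems.append(f"KextPaths entry is not an absolute path: {p!r}")
                elif not p.rstrip("/").endswith(".kext"):
                    problems.append(f"KextPaths entry does not look like a kext bundle: {p!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a hypothetical vendor kext path, not a real product's.
    sample = build_restart_command(
        rebuild_kernel_cache=True,
        kext_paths=["/Library/Extensions/ExampleVendorFS.kext"],
        command_uuid="5c3f5a2e-0c6b-4c1a-9b1a-0f3b8d6e1a10",
    )
    print(sample.decode())
    print("problems:", check_restart_command(sample))
```

With RebuildKernelCache alone the payload is the same command an MDM already sends for a plain restart plus one boolean, which is why the feature request is a small ask of a vendor; KextPaths is the optional extra that skips the load-and-approve step entirely.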

It’s clear RebuildKernelCache provides an easier, better user experience. As of this writing, not a single MDM I know of supports the feature. As kernel extensions cling to their last bit of life in Big Sur, it would still be nice to have an automated way to make them work during provisioning workflows. With RebuildKernelCache an admin could install the required kernel extensions, send a restart command, and have them working without user intervention. This is a need for some of us forced to continue using software that hasn’t yet moved to system extensions, and I believe that was the spirit in which Apple introduced the feature in the first place. Ask your MDM vendor to implement it today. If you’re a Jamf Pro customer, please consider upvoting my open feature request.