With the release of the macOS Mojave 10.14.5, Apple has introduced a new security feature called kernel extension (KEXT) notarization. This marks a significant change in the way third-party kernel extensions are handled, more specifically it means that KEXTs signed after April 7, 2019, must be notarized in order to load on macOS 10.14.5 and above.
On April 10, 2019, Apple published new notarization requirements where the following is stated: “With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps and that all new and updated kernel extensions be notarized as well.” The notarization was announced at Worldwide Developers Conference (WWDC) 2018 and was optional, but Apple was clear that it was going to be required by default in a forthcoming version of macOS.
What is Notarization?
Notarization is the process of submitting the app or kernel extension to Apple for review in order to identify and block malicious software prior to distribution. The Apple Notary Service is an automated system that scans the app/KEXT for malicious content, checks for code-signing issues and return the results. If there are no issues, the notary service generates a ticket – a stamp of approval and also publishes that ticket online where Gatekeeper can find it. The final step of the process is stapling that allows the notarized app to run on macOS without checking into Apple servers.
In order to avoid compatibility problems, kernel extensions can be submitted for notarization, even if they are already in the wild. KEXTs signed before April 7, 2019, will be grandfathered in and will continue to function as of 10.14.5 beta 4. If a KEXT is not notarized, it will not be loaded. In macOS Catalina 10.15 installing third-party kernel extensions requires restarting the computer before they’re permitted to load.
As stated by Apple, notarization means an additional security layer and “give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface.”
How are Endpoint Protector Users Affected?
The latest macOS Client Version of our products, including Endpoint Protector, My Endpoint Protector, and Endpoint Protector Basic, are notarized under the new Apple notarization requirement and are compliant with the latest macOS software distribution requirements.
Organizations who are upgrading to macOS 10.14.5 or above, must upgrade their Endpoint Protector version to the newest macOS Client Version (Client Version 22.214.171.124 or above). Otherwise, they may experience one of the following issues.
- Endpoint Protector KEXTs might not load.
- Endpoint Protector KEXTs may load, but the following warning message is displayed:
System Extension Warning
“One or more system extensions that you have approved will be incompatible with a future version of macOS. Please contact “CoSoSys” for support.”
In order to avoid these, upgrading to macOS 10.14.5 should be delayed until the update to the latest macOS Client Version of Endpoint Protector, My Endpoint Protector or Endpoint Protector Basic.