End-of-Life (EoL)

Enable Kernel Extensions in the GlobalProtect App for macOS Endpoints

Starting with macOS 10.13, Apple introduced a software change that requires users to approve kernel extensions before they can use them. The GlobalProtect App on macOS uses a kernel extension in order to support Split Tunneling and Enforce GlobalProtect for Network Access. When users access the GlobalProtect app that has these features enabled, the app displays the following message:
macOS requires user approval to load GlobalProtect Kernel Extension. Please navigate to macOS System Preferences > Security & Privacy and select Allow. If the issue persists, please contact your IT Administrator.
To allow GlobalProtect app users to automatically load the kernel extension without receiving this message, you can use MDM to create a policy for that kernel extension.
Users can enable kernel extensions in macOS by selecting
System Preferences
Security & Privacy
and selecting
for the kernel extension that was blocked from loading. Apple Technical Note TN2450 describes the process. However, this method requires the user to manually approve the kernel extension.
The following steps use MobileIron to configure a policy to automatically approve the kernel extension. While this configuration has been tested with MobileIron, you can use any Qualified MDM vendor to create and implement this policy.
  1. In MobileIron, select
    , then select
    macOS Kernel Extension Policy
    You can also select an existing
    macOS Kernel Extension Policy
  2. Give the policy a
    , then
    a team identifier and kernel extension.
  3. Enter the
    Team Identifier
    used by the GlobalProtect app (
    ) and the
    Allowed Kernel Extensions
    ), then
    the team ID and kernel extension.
  4. Select
  5. Select a
    configuration, then select the policy to be distributed to
    macOS Devices
    ; then, click

Recommended For You