The payload that configures system extensions.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
AllowUserOverrides AllowUserOverrides If `false`, restricts users from approving additional system extensions that configuration profiles don't explicitly allow. | boolean | optional | true | ✗No | macOS (10.15+) |
AllowedTeamIdentifiers AllowedTeamIdentifiers An array of team identifiers that defines valid, signed system extensions that are allowable to load. Approved system extensions are those signed with any of the specified team identifiers.
To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using `OSSystemExtensionActivationRequest API`.
It's an error for the same team identifier to appear in both this array and as a key in the `AllowedSystemExtensions` dictionary. 1 subkey | array | optional | — | ✗No | macOS (10.15+) |
└─ Identifier AllowedTeamIdentifiersItem | string | — | ✗No | macOS (10.15+) | |
AllowedSystemExtensionTypes AllowedSystemExtensionTypes A dictionary that maps a team identifier to an array of strings, where each string is a type of system extension that you can install for that team identifier. The allowed extension types are `DriverExtension`, `NetworkExtension`, and `EndpointSecurityExtension`.
If there's no entry for a specified team identifier in the dictionary, the system allows all extension types. 1 subkey | dictionary | optional | — | ✗No | macOS (10.15+) |
└─ ANY ANY The mapping of team identifier to an array of strings, where each string is a type of system extension that may be installed for that team identifier. 1 subkey | array | optional | — | ✗No | macOS (10.15+) |
└─ └─ AllowedSystemExtensionTypesItems AllowedSystemExtensionTypesItems Permitted System Extension Type | string | required | — | ✗No | macOS (10.15+) |
AllowedSystemExtensions AllowedSystemExtensions A dictionary of approved system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension to install.
To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using `OSSystemExtensionActivationRequest API`.
It's an error for the same team identifier to appear in both the `AllowedTeamIdentifiers` array and as a key in this dictionary. 1 subkey | dictionary | optional | — | ✗No | macOS (10.15+) |
└─ ANY ANY The mapping of team identifiers to arrays of bundle identifiers, where the bundle identifier is that of the system extension to be installed. 1 subkey | array | optional | — | ✗No | macOS (10.15+) |
└─ └─ AllowedSystemExtensionsItems AllowedSystemExtensionsItems Allowed system extension bundle ID | string | required | — | ✗No | macOS (10.15+) |
RemovableSystemExtensions RemovableSystemExtensions A dictionary of system extensions that are allowed to remove themselves from the machine. The dictionary maps team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension. An application using the `OSSystemExtensionDeactivationRequest` API can deactivate the specified system extensions without requiring an administrator to authorize the operation.
Available in macOS 12 and later. 1 subkey | dictionary | optional | — | ✓Yes | macOS (12.0+) |
└─ ANY ANY The dictionary maps team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension. 1 subkey | array | optional | — | ✗No | macOS (10.15+) |
└─ └─ RemovableSystemExtensionsItems RemovableSystemExtensionsItems Removed system extension bundle ID | string | required | — | ✗No | macOS (10.15+) |
NonRemovableSystemExtensions NonRemovableSystemExtensions A dictionary of system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension which can't be disabled or uninstalled when SIP is enabled. It's an error for the same mapping to appear in the dictionary values corresponding to `RemovableSystemExtensions` and `NonRemovableSystemExtensions` keys. 1 subkey | dictionary | optional | — | ✓Yes | macOS (15.0+) |
└─ ANY ANY System extension bundle identifiers 1 subkey | array | optional | — | ✗No | macOS (10.15+) |
└─ └─ NonRemovableSystemExtensionsItems NonRemovableSystemExtensionsItems Non Removable system extension bundle ID | string | required | — | ✗No | macOS (10.15+) |
NonRemovableFromUISystemExtensions NonRemovableFromUISystemExtensions A dictionary of system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension which can't be disabled or uninstalled from System Settings or Finder. The set of system extensions between `RemovableSystemExtensions` and `NonRemovableFromUISystemExtensions` can to overlap. 1 subkey | dictionary | optional | — | ✓Yes | macOS (15.0+) |
└─ ANY ANY System extension bundle identifiers 1 subkey | array | optional | — | ✗No | macOS (10.15+) |
└─ └─ NonRemovableFromUISystemExtensionsItems NonRemovableFromUISystemExtensionsItems Non Removable from UI system extension bundle ID | string | required | — | ✗No | macOS (10.15+) |
