How to Enforce Privacy and Kernel Extension Policies for Clients

Version 7.3 of Parallels® Mac Management for Microsoft® SCCM comes with important new features that enable admins to manage kernel extension and roll out privacy policies using configuration profiles. Both kinds of policies are key to safeguard corporate Mac® devices against threats and potential privacy hazards—and both can be applied using Parallels Mac Management 7.3.

Apple® requires that one of two preconditions be satisfied for these safety-related settings to be distributed using configuration profiles:

  1. Users must consent to mobile device management (MDM) enrollment, and the configuration files are distributed via an MDM server, or
  2. The Mac in question must be part of the Apple Device Enrollment Program (DEP).

Apple introduced its new User Approved MDM (UAMDM) Enrollment with the macOS® High Sierra release. It enables MDM solutions to make use of new, enhanced safety policies. Parallels Mac Management 7.3 supports UAMDM—and along with that, the helpful safety policies for kernel extensions and privacy settings without the need for Apple DEP.

Tailor-made data privacy

Using privacy rules, admins can determine which applications should be allowed to access global positioning data or images, for example. Other rules define whether specific programs may access a camera or microphone. Directory access is a crucial privacy parameter under the EU’s General Data Protection Regulation (GDPR). The intention is to prevent unauthorized access to customer data by applications—to process them without their owners’ permission, for example. The Apple name for these privacy policies transferred as a configuration profile payload is Privacy Preferences Policy Control (PPPC). These privacy settings can only be rolled out to Mac® computers running macOS Mojave (10.14) or later.

Kernel extension policies

Kernel extensions for macOS are what users generally call “drivers.” Devices that macOS does not support out of the box need specific kernel extensions—but that’s not all. In many cases, software tools that dive deep into the operating system’s entrails try to install their own kernel extensions in order to work properly. Capturing tools and VPN software are two such examples. But kernel extensions have extensive system access rights, which is why they also represent a potential risk for the systems’ safety or stability. With User Approved MDM Enrollment, admins are allowed to include kernel extensions into a white list using team or bundle identifiers.

Parallels Mac Management 7.3 lets admins make use of User Approved MDM Enrollment, enabling them to apply new, advanced safety configurations in cases where Apple DEP is not used to roll out corporate Mac devices.

Learn more about how to manage Mac devices like PCs with Parallels Mac Management for Microsoft SCCM in our weekly Webinars. Register now for free!