Making Jamf Protect a Non-Removable System Extension

Jamf Protect Documentation
Solution
Application
Content Type
Technical Documentation
Utilities & Services
ft:locale
en-US

In macOS 15, end users can see and disable previously installed and managed system extensions through System Settings or Finder.

For managed computers, Apple's MDM settings include options that allow administrators to prevent users from disabling specific system extensions.

If you use Jamf Protect, which runs as a system extension, Jamf strongly recommends configuring this MDM setting via a configuration profile to restrict users from disabling Jamf Protect.

Requirements

  • Managed computers with macOS Sequoia 15 or later

    Warning:

    The new settings must be scoped to computers with macOS 15 or later. If the computer configuration profile is scoped to computers with macOS 14.x or earlier, the settings will not apply after upgrading to macOS 15.

  • If your MDM solution is Jamf Pro, you will need to configure a smart computer group with membership criteria that includes target computers with macOS 15 or later.

  • Jamf Protect agent version 6.1.1 or later

  • Jamf Protect running as an approved system extension through your MDM solution

  • System Integration Protection (SIP) enabled on the target computers
    Note:

    For more information on enabling SIP, see System Integrity Protection .

  • If Jamf Pro is your MDM solution, you can create a configuration profile using a System Extensions payload.
    1. In Jamf Pro, navigate to Computers > Configuration profiles > System Extensions.
    2. Create a new system extension.
    3. Under Options, select System Extensions and click Configure.
    4. (Optional) Under Allowed System Extensions and Team IDs, enter a display name.
    5. Select Non-removable system extensions from UI from the System Extension Types pop-up menu.
    6. (Optional) Under Team Identifier enter 483DWKW443 .
    7. Under NON-REMOVABLE SYSTEM EXTENSIONS FROM UI, click Add.
    8. Enter the system extension bundle ID for Jamf Protect, com.jamf.protect.security-extension.
    9. To the right of the new system extension, click Save.
    10. Click the Scope tab and scope the profile to a smart computer group targeting computers with macOS 15.
      The configuration profile is deployed to target computers with macOS 15 installed.
  • If you use a MDM solution that is not Jamf Pro, or want to manually upload the configuration profile, you can download the configuration profile in Jamf Protect.
    1. In Jamf Protect, navigate to Administrative > Downloads and download the Non-Removable System Extension Profile (macOS 15 or later).
    2. Upload the Non-Removable System Extension Profile (macOS 15 or later) to your third-party MDM software.
      Note:

      Leave the code-signing for the configuration profile intact to ensure the required settings are deployed and enforced as expected.

    3. Distribute the profile to computers with macOS 15 or later.

Jamf Protect is now non-removable from the user interface, and users can not disable Jamf Protect within System Settings on computers with macOS 15 or later.