If 'false', restricts users from approving additional system extensions that configuration profiles don't explicitly allow.
true
—
AllowedTeamIdentifiers
array
Allowed Team Identifiers
An array of team identifiers that defines valid, signed system extensions that are allowable to load. Approved system extensions are those signed with any of the specified team identifiers.
To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using 'OSSystemExtensionActivationRequest API'.
It's an error for the same team identifier to appear in both this array and as a key in the 'AllowedSystemExtensions' dictionary.
—
—
AllowedSystemExtensions
dict
Allowed System Extensions
A dictionary of approved system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension to install.
To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using 'OSSystemExtensionActivationRequest API'.
It's an error for the same team identifier to appear in both the 'AllowedTeamIdentifiers' array and as a key in this dictionary.
—
—
AllowedSystemExtensionTypes
dict
Allowed System Extension Types
A dictionary that maps a team identifier to an array of strings, where each string is a type of system extension that you can install for that team identifier. The allowed extension types are 'DriverExtension', 'NetworkExtension', and 'EndpointSecurityExtension'.
If there's no entry for a specified team identifier in the dictionary, the system allows all extension types.
—
—
RemovableSystemExtensions
dict
Removable System Extensions
A dictionary of system extensions that are allowed to remove themselves from the machine. The dictionary maps team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension. An application using the 'OSSystemExtensionDeactivationRequest' API can deactivate the specified system extensions without requiring an administrator to authorize the operation.
Available in macOS 12 and later.
—
—
NonRemovableSystemExtensions
dict
—
A dictionary of system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension which can't be disabled or uninstalled when SIP is enabled. It's an error for the same mapping to appear in the dictionary values corresponding to 'RemovableSystemExtensions' and 'NonRemovableSystemExtensions' keys.
—
—
NonRemovableFromUISystemExtensions
dict
—
A dictionary of system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension which can't be disabled or uninstalled from System Settings or Finder. The set of system extensions between 'RemovableSystemExtensions' and 'NonRemovableFromUISystemExtensions' can to overlap.
—
—
AllowedTeamIdentifiersItem
string
Team Identifier
—
—
—
{{key}}
string
Team Identifier
—
—
—
{{value}}
array
Bundle Identifier
The mapping of team identifiers to arrays of bundle identifiers, where the bundle identifier is that of the system extension to be installed.
—
—
AllowedSystemExtensionsItemsrequired
string
Bundle Identifier
Allowed system extension bundle ID
—
—
{{key}}
string
Team Identifier
—
—
—
{{value}}
array
System Extension Types
The mapping of team identifier to an array of strings, where each string is a type of system extension that may be installed for that team identifier.
—
—
AllowedSystemExtensionTypesItemsrequired
string
System Extension Type
Permitted System Extension Type
—
{{key}}
string
Team Identifier
—
—
—
{{value}}
array
Bundle Identifier
The dictionary maps team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension.