This guide outlines the steps necessary to deploy Suite and manage the macFUSE kernel extension (KEXT) approval using Jamf Pro.
For a seamless, zero-touch deployment experience, ensure the following prerequisites are met:
Apple Business Manager (ABM) - the Mac is registered in ABM.
Automated Device Enrollment (ADE) is configured between ABM and Jamf Pro.
The Mac is within the scope of a configured PreStage Enrollment and has completed the process from either a fresh install or as a new device out of the box.
You can deploy Suite and approve the Suite KEXT on a Mac using Jamf with user-initiated enrollment, but you'll need to interact with the Mac directly. This is because a Bootstrap Token can't be saved unless the Mac has gone through PreStage Enrollment.
⚠️ Important: When Suite or macOS are updated, macOS may require the KEXT to be "Allowed" again. In such cases, you may need to create and deploy a Policy that includes only a Restart Options payload with the "MDM Restart with Kernel Cache Rebuild" option selected, as outlined in the Policy Setup step below.
Workflow Overview
Following these steps installs Suite and approves the KEXT automatically, without user action, on both Apple Silicon and Intel-based Macs.
Device Registration and Enrollment:
The Mac is added to your ABM account by Apple, an authorized reseller, or manually via Apple Configurator.
When powered on (either new or freshly reinstalled) the Mac checks in with ABM and is directed to enroll with your Jamf Pro instance.
PreStage Enrollment and Bootstrap Token Escrow:
During initial setup, the Mac completes PreStage Enrollment with Jamf Pro.
Upon user login, Jamf Pro escrows a Bootstrap Token, allowing deployment of an "Approved Kernel Extension" payload without manual intervention in macOS Recovery Mode on Apple Silicon Macs.
Configuration Profile Deployment:
After setup, the Mac receives a Configuration Profile from Jamf Pro containing an "Approved Kernel Extension" payload with the Team ID for the macFUSE KEXT.
Policy Deployment:
The Mac is targeted by a policy that installs the Suite .pkg and includes a "Restart Options" payload to rebuild the KEXT cache.
PreStage Enrollment Setup
No special options are required within the PreStage Enrollment configuration for Jamf to set the "Reduced Security" mode. The enrollment process itself establishes the necessary trust between ABM, Jamf Pro, and macOS.
Ensure the following:
PreStage Enrollment Configuration: Properly set up in Jamf Pro.
Device Scope: The Mac is included in the PreStage Enrollment scope.
Internet Connectivity: The Mac has internet access during login so macOS can escrow the Bootstrap Token with Jamf Pro.
Configuration Profile Setup
The Configuration Profile with the KEXT details should be applied to the Mac after PreStage Enrollment and before installing Suite (see the Policy Setup section). Don't deploy the profile during enrollment, as it won't work.
To Create the Configuration Profile:
Navigate to: Jamf Pro > Configuration Profiles > New.
Settings:
General:
Name: macFUSE KEXT Approval
Level: Computer Level
Approved Kernel Extensions:
Allow users to approve kernel extensions: Yes
(Optional) Allow standard users to approve legacy kernel extensions (macOS 11 or later): Yes
Approved Team ID:
Display Name: macFUSE
Team ID: 3T5GSNBU6W
💡 The Suite application and the macFUSE kernel extensions have different Team IDs. For kernel extension approval, you must use the macFUSE KEXT Team ID: 3T5GSNBU6W
Policy Setup
Deploy this policy after the Configuration Profile to ensure the KEXT is approved before loading.
Upload the Suite Package:
Navigate to Jamf Pro > Settings > Computer Management > Packages > New
Display Name: Suite Studios
Upload: Choose the Suite .pkg installer file.
Create a New Policy:
Navigate to Jamf Pro > Policies > New.
General:
Display Name: Suite Installation
Enabled: Yes
Trigger: Choose an appropriate trigger (e.g., enrollment complete).
Packages:
Add: Select the Suite package you uploaded.
Restart Options:
MDM Restart with Kernel Cache Rebuild: Yes
KEXT Path: Adjust according to the correct macOS version
Sequoia (15): /Library/Filesystems/macfuse.fs/Contents/Extensions/15/macfuse.kext
Sonoma (14): /Library/Filesystems/macfuse.fs/Contents/Extensions/14/macfuse.kext
Ventura (13): /Library/Filesystems/macfuse.fs/Contents/Extensions/13/macfuse.kext
Monterey (12): /Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext
Big Sur (11): /Library/Filesystems/macfuse.fs/Contents/Extensions/11/macfuse.kext
Catalina (10.15): /Library/Filesystems/macfuse.fs/Contents/Extensions/10.15/macfuse.kext
Mojave (10.14): /Library/Filesystems/macfuse.fs/Contents/Extensions/10.14/macfuse.kext
No User Logged In Action: Restart immediately
User Logged In Action: Restart
Delay: 5 minutes
Start the restart timer immediately: Yes
After deployment, the Suite package installs silently. Users may see a prompt to allow the KEXT in System Preferences; they should not act on it. Instead, the policy initiates a restart timer, giving users five minutes to save work before the Mac restarts to rebuild the KEXT cache, automatically approving the KEXT.
Upon restart, users can log in and use Suite without further prompts.
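A pre-flight check for the workflow above, as an added example (not Suite or Jamf code). It confirms ADE enrollment and Bootstrap Token escrow, selects the KEXT path for the running macOS version, and, because approval is granted by Team ID, reads the Team ID from the signature of the KEXT on disk and compares it with the one in this guide. The function names and the `--run` switch are hypothetical; `profiles`, `sw_vers` and `codesign` are the standard macOS tools, and the script is assumed to run as root on the Mac.

```shell
#!/bin/sh
# Added example: pre-flight check for the Jamf workflow in this guide.
EXPECTED_TEAM_ID="3T5GSNBU6W"   # macFUSE KEXT Team ID given in this guide

# Map a macOS product version (e.g. "14.5") to the KEXT path from Policy Setup.
kext_path_for() {
    case "$1" in
        10.14|10.14.*) dir=10.14 ;;
        10.15|10.15.*) dir=10.15 ;;
        11|11.*|12|12.*|13|13.*|14|14.*|15|15.*) dir=${1%%.*} ;;
        *) return 1 ;;   # version not listed in the guide
    esac
    printf '/Library/Filesystems/macfuse.fs/Contents/Extensions/%s/macfuse.kext\n' "$dir"
}

# True if `profiles status -type bootstraptoken` output shows the token escrowed.
token_escrowed() {
    printf '%s\n' "$1" | grep -qi 'escrowed to server: *YES'
}

# True if `profiles status -type enrollment` output shows ADE (DEP) enrollment.
enrolled_via_ade() {
    printf '%s\n' "$1" | grep -qi 'Enrolled via DEP: *Yes'
}

# Extract the TeamIdentifier value from `codesign -dvv` output.
team_id_of() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p'
}

preflight() {
    rc=0
    enrolled_via_ade "$(profiles status -type enrollment 2>&1)" || { echo "FAIL: not enrolled via ADE"; rc=1; }
    token_escrowed "$(profiles status -type bootstraptoken 2>&1)" || { echo "FAIL: Bootstrap Token not escrowed"; rc=1; }
    kext=$(kext_path_for "$(sw_vers -productVersion)") || { echo "FAIL: macOS version not listed"; return 1; }
    if [ -d "$kext" ]; then
        tid=$(team_id_of "$(codesign -dvv "$kext" 2>&1)")
        [ "$tid" = "$EXPECTED_TEAM_ID" ] || { echo "FAIL: KEXT Team ID is '$tid'"; rc=1; }
    else
        echo "INFO: $kext not present yet (Suite not installed)"
    fi
    [ "$rc" -eq 0 ] && echo "OK: KEXT path for the restart policy is $kext"
    return "$rc"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

A non-zero exit status means at least one prerequisite is missing, so the script can gate the Suite Installation policy or feed a Jamf Extension Attribute.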
FAQs
Is the process different for Intel Macs?
The process is similar, but Intel Macs do not have a "Reduced Security" mode. Therefore, the KEXT payload can be deployed without PreStage Enrollment.
Will I need to re-approve the KEXT after updating Suite?
Possibly. Updating Suite may cause macOS to flag the KEXT as "Updated" or "Modified." We recommend following any Suite update with a policy that includes the "MDM Restart with Kernel Cache Rebuild" option to automatically re-approve the KEXT.
Can I retrospectively allow MDM control if the Mac didn't use PreStage Enrollment?
Currently, no. Even if you manually escrow a Bootstrap Token after User-Initiated Enrollment, it won't allow Jamf Pro to deploy a KEXT payload without the user manually adjusting settings in Recovery Mode.