Getting the Team ID of kernel extensions in macOS 10.13 (and higher?)


Why do you need Team IDs?

Beginning with macOS 10.13 (High Sierra), Apple is now blocking kernel extensions unless you, in recovery mode (or recovery mode–like environment), change the policy on the machine itself or use an MDM profile to approve certain KEXTs by Team ID.

How do you find these Team IDs, though?

sqlite3

One way is to install the KEXTs on a 10.13 machine, user approve them, and then check the sqlite database to see what the Team IDs are:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;

Here’s an example of some of the output you might see:

EQHXZ8M8AV|com.google.dfsfuse.filesystems.dfsfuse|1|Google, Inc.|8
In this example, EQHXZ8M8AV is the Team ID and com.google.dfsfuse.filesystems.dfsfuse is the bundle ID.

You can use Control-D to exit the sqlite3 session.

Acknowledgements: Got commands from Enabling Kernel Extensions in High Sierra

codesign

Another way is to run this command on an existing bundle from the vendor:

codesign -dv –verbose=4 /PATH/TO/NAMEOFBUNDLE.app

For example, if you run

codesign -dv –verbose=4 /Applications/Google\ Drive\ File\ Stream.app
you should see in the output a line like
TeamIdentifier=EQHXZ8M8AV

This approach can be helpful in fringe cases (you just need the Team ID and not the bundle ID, which may be the case, and the KEXT you’re looking for has an associated bundle you can run codesign on.

Acknowledgements: Got command from MunkiReport-PHP extensions module

Isn’t there a list somewhere of all these Team IDs?

There is a list, actually. There’s a spreadsheet that a bunch of Mac admins are sharing with each other. Unfortunately, at this point, it’s a spreadsheet that anyone with the link can edit, so I wouldn’t really count on that. At this point, I don’t see anything malicious in there (and I haven’t verified every single Team ID, of course), but I would probably play it safe and just get the Team IDs yourself. Chances are that you’ll have to do it only once or twice a year at the most.


5 responses to “Getting the Team ID of kernel extensions in macOS 10.13 (and higher?)”

  1. I just purchased a computer in Facebook Marketplace that came with Frisco ISD, is legal to sell school computer I know is old iMac 2010, but the seller never told me anything, I reinstall the OS and still show Frisco ISD, how can I remove it. Should I returned to the seller and call the cops. Advice Please. Sorry for using this site for this concern, I have search found no answer.

Leave a Reply to Alberto Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.