macOS System Extension & Kernel Development

Deep Systems Expertise for Apple's Platform.

macOS systems-level consulting covers the engineering work that takes place below the application layer: writing software that interacts directly with the kernel, hardware drivers, the network stack, the file system, or security subsystems. This work has historically been done through kernel extensions (kexts), but Apple has been systematically replacing that model with the System Extensions framework and its family of user-space extension types — a shift that demands both deep knowledge of the old model and hands-on experience with the new APIs. Joya Systems has both.

From Kernel Extensions to System Extensions

Beginning with macOS 10.15 Catalina, Apple deprecated kernel extensions in favor of System Extensions, and from macOS 11 Big Sur kexts that use deprecated kernel programming interfaces no longer load by default. The motivation was stability and security: kexts run in kernel space, where a bug can kernel-panic the entire machine and a compromised kext runs with full kernel privilege, outside every user-space protection. System Extensions run in a restricted user-space process, supervised by the OS, and communicate with the kernel only through narrow, Apple-defined interfaces.

The migration is not a line-for-line rewrite. The architecture changes fundamentally. Code that previously used private kernel symbols, direct memory mapping, or undocumented I/O Kit APIs must be redesigned around public frameworks with strict entitlement requirements, sandboxing constraints, and notarization mandates. We have navigated this transition and can guide your project through it.

Types of macOS Systems-Level Work We Do

  • DriverKit drivers — hardware peripheral communication using Apple's user-space driver framework. DriverKit replaces I/O Kit kexts for most hardware categories and requires code-signing with Apple-granted DriverKit entitlements (com.apple.developer.driverkit plus the family and transport entitlements for the hardware class, such as USB, PCI, HID, or networking).
  • Network Extensions — VPN clients, transparent network proxies, content filters, and packet tunnel providers built on the NetworkExtension framework. These extensions intercept and process network traffic at the system level without requiring a kext.
  • Endpoint Security extensions — behavioral monitoring, process execution control, and threat response using the EndpointSecurity framework. ES clients subscribe to NOTIFY events (delivered after the fact) or AUTH events (which the client must answer with an allow/deny decision before a per-message deadline) for system events such as process execution, file opens and writes, mounts, and code-signing changes. Network flows are not ES events; they are handled by a NetworkExtension content filter, and the two are often combined in one product.
  • File Provider extensions — virtual and cloud-backed file systems integrated into Finder using the FileProvider framework, with support for on-demand content materialization and file coordination.
  • Legacy kext work — maintenance, debugging, and analysis of existing kernel extensions for customers still supporting older macOS versions where System Extensions are unavailable or impractical.

Past macOS Projects

Our macOS systems work spans projects that required intercepting and controlling OS behavior at a level most engineers never touch:

  • File system interception — intercepting file system operations at the kernel level to inspect, modify, or block I/O before it reaches the underlying volume, enabling use cases such as transparent encryption, DLP, and access auditing.
  • Application execution whitelisting — controlling which executables the OS is permitted to launch, a capability now served by Endpoint Security authorization callbacks but historically implemented directly in the kernel via MAC framework hooks.
  • Network packet inspection — deep inspection of network traffic at the packet level, used for security monitoring, protocol analysis, and network policy enforcement.
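The execution-control pattern described above (an Endpoint Security AUTH_EXEC callback answering allow or deny) as an added example; this is not Joya Systems' code or any customer project. The allowlist contents and the path-based policy are constructed for illustration, the ES wiring compiles only on macOS, and running it requires a binary signed with the com.apple.developer.endpoint-security.client entitlement and installed as a system extension (or run as root on a development machine that permits an unentitled ES client).

```c
// Added illustration, not Joya Systems' code: an Endpoint Security client that
// enforces an executable allowlist through ES_EVENT_TYPE_AUTH_EXEC.
// The policy core is plain C so it can be tested on any platform; the ES glue
// at the bottom compiles only on macOS and needs the
// com.apple.developer.endpoint-security.client entitlement to run.
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// Constructed allowlist for the example: exact executables plus directory
// prefixes. A production policy would key on signing_id / team_id from the
// es_process_t rather than on paths alone.
static const char *const kAllowedExact[] = {
    "/usr/bin/ssh",
    "/Applications/Safari.app/Contents/MacOS/Safari",
};
static const char *const kAllowedPrefixes[] = {
    "/System/",
    "/usr/libexec/",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* True if any path component is "." or "..", which would let a prefix rule be
 * escaped. ES hands over resolved vnode paths, so this is defence in depth. */
static bool has_dot_segment(const char *path, size_t len) {
    size_t i = 0;
    while (i < len) {
        size_t j = i;
        while (j < len && path[j] != '/') j++;
        size_t clen = j - i;
        if ((clen == 1 && path[i] == '.') ||
            (clen == 2 && path[i] == '.' && path[i + 1] == '.'))
            return true;
        i = j + 1;
    }
    return false;
}

/* Policy decision on a length-delimited path (es_string_token_t style).
 * Returns true if the executable may run; anything malformed is denied. */
bool exec_allowed(const char *path, size_t len) {
    if (len == 0 || path[0] != '/' || memchr(path, '\0', len) != NULL)
        return false;
    if (has_dot_segment(path, len))
        return false;
    for (size_t k = 0; k < COUNT(kAllowedExact); k++)
        if (strlen(kAllowedExact[k]) == len &&
            memcmp(kAllowedExact[k], path, len) == 0)
            return true;
    for (size_t k = 0; k < COUNT(kAllowedPrefixes); k++) {
        size_t p = strlen(kAllowedPrefixes[k]);
        if (len >= p && memcmp(kAllowedPrefixes[k], path, p) == 0)
            return true;
    }
    return false;
}

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>

static void handle_message(es_client_t *client, const es_message_t *msg) {
    if (msg->event_type != ES_EVENT_TYPE_AUTH_EXEC)
        return;
    es_string_token_t path = msg->event.exec.target->executable->path;
    bool allow = exec_allowed(path.data, path.length);
    /* AUTH messages carry msg->deadline; a client that misses it is killed by
     * the OS, so the decision must stay cheap and never block. cache=false so
     * a policy change takes effect on the next exec of the same file. */
    es_respond_auth_result(client, msg,
                           allow ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY,
                           false);
    if (!allow)
        fprintf(stderr, "denied exec by pid %d: %.*s\n",
                audit_token_to_pid(msg->process->audit_token),
                (int)path.length, path.data);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *m) { handle_message(c, m); });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        /* Typical causes: missing entitlement, not root, no Full Disk Access. */
        fprintf(stderr, "es_new_client failed: %d\n", (int)res);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }
    dispatch_main();  /* never returns; events arrive on the handler block */
}
#endif
```

On macOS this builds with `clang -lEndpointSecurity -lbsm -o execgate execgate.c` and must then be signed with the ES entitlement before `es_new_client` will succeed. The policy deliberately denies anything it cannot parse, because an AUTH handler that returns ALLOW on an unexpected input is the classic allowlisting bypass; the real es_process_t also exposes signing_id, team_id and is_platform_binary, which a shipping product would prefer over bare paths.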

Why This Expertise Is Rare

Apple's systems programming ecosystem is deliberately restrictive. The entitlements required for Endpoint Security, DriverKit, and Network Extensions must be individually requested from and approved by Apple. Public documentation for these frameworks is thinner than the equivalent Windows or Linux documentation, and many behaviors are discovered only through header and open-source XNU inspection, WWDC session archaeology, and trial-and-error against live hardware. System-level bugs on macOS are harder to reproduce and harder to debug: kernel debugging requires a second machine, a Kernel Debug Kit matching the target's exact build, and a target rebooted with debug boot-args and reachable over a network link; user-space extension debugging requires working around the OS's activation lifecycle, typically by enabling developer mode (systemextensionsctl developer on) so the extension can be loaded from the build directory instead of /Applications.

Engineers who have shipped production macOS system software — not just read the documentation — are a small community. Our team has worked at this level across multiple projects and multiple macOS generations.

Cross-Platform Systems Capability

Many security and infrastructure products must run on more than one OS. Joya Systems develops at the systems level on all three major desktop platforms. Our Windows driver development practice covers WFP, NDIS, minifilter file system filters, and KMDF/WDM device drivers. Our Linux kernel development practice spans kernel modules, eBPF programs, netfilter hooks, and LSM-based security modules. Cross-platform architecture — designing a coherent product that behaves consistently across Windows, Linux, and macOS despite radically different kernel interfaces — is something we do regularly.

If your project requires macOS systems-level engineering, whether greenfield development, a kext migration, or forensic debugging of an existing extension, contact us to discuss the details. You can also browse our full services offering or review our past driver development projects for a broader picture of our work.


Frequently Asked Questions

What macOS system extension types does Joya Systems develop?

Joya Systems develops all major categories of macOS system extension: DriverKit extensions for hardware peripheral communication, Network Extensions for VPN, content filtering, and packet tunneling, Endpoint Security extensions for behavioral monitoring and threat response, and File Provider extensions for cloud-backed and virtual file systems. We also have experience with the earlier kernel extension model and can advise on migration strategies.

Can you migrate our kernel extension (kext) to a System Extension?

Yes. A kext-to-System Extension migration is not a mechanical rewrite — the architecture changes significantly. We assess your kext's requirements, identify the appropriate System Extension type or combination of types, and deliver a notarized, entitlement-approved replacement that works on current macOS releases without requiring users to disable SIP.

Do you develop DriverKit drivers for macOS?

Yes. DriverKit is Apple's user-space driver framework that replaces I/O Kit kernel extensions for most hardware categories. DriverKit drivers run in user space under a restricted sandbox and must be code-signed with specific DriverKit entitlements granted by Apple. We handle the full lifecycle: driver design, IOService subclassing, entitlement acquisition, code signing, and notarization.

How does macOS System Extension development differ from kernel extension development?

Kernel extensions run in kernel space with unrestricted memory access and direct kernel API calls, while System Extensions run in a restricted user-space process that the OS installs and supervises; the host app requests activation through the SystemExtensions framework and the system daemon (sysextd) handles the rest. System Extensions must be approved by the user or pre-approved via MDM, are sandboxed, and reach the kernel only through the narrow interfaces their framework exposes (the host app talks to the extension over XPC). A crashing System Extension cannot kernel-panic the machine. Debugging workflows also differ: LLDB attaches to a user-space process rather than a remote kernel debug session.

What entitlements and signing requirements apply to macOS system extensions?

Every System Extension type requires a specific Apple-provisioned entitlement, and the Endpoint Security and DriverKit ones must be requested from Apple for your developer account. The host application needs com.apple.developer.system-extension.install; Network Extensions require com.apple.developer.networking.networkextension listing the provider types the extension implements (for example packet-tunnel-provider or content-filter-provider); Endpoint Security clients require com.apple.developer.endpoint-security.client; and DriverKit extensions require com.apple.developer.driverkit together with the family and transport entitlements for their hardware class. For distribution outside the App Store, the host app and each extension must be signed with a Developer ID certificate, carry a provisioning profile that grants those entitlements, and pass Apple's notary service.
