
macOS Kernel Extension whitelisting issues

2 votes
1 answer
1107 views
Trying to whitelist a kernel extension for an agent I'm trying to install. I'm using Mojave as the client machine and Profile Manager on a Mac server I've set up. I can enroll the client machine fine in Profile Manager, and it can receive canned settings like external device restrictions etc., but I can't seem to get custom settings to work correctly.

The process to get this to work is I've been uploading the following:

```
PayloadContent
    AllowedKernelExtensions
        HLGBMCXUS7
            com.verdasys.dgagent
    AllowedTeamIdentifiers
        HLGBMCXUS7
    PayloadDescription
        Configures Kernel Extension Policy settings
    PayloadDisplayName
        Kernel Extension Policy
    PayloadIdentifier
        com.github.erikberglund.ProfileCreator.F508AD6F-E398-402B-9928-1A2300C1E229.com.apple.syspolicy.kernel-extension-policy.69B09342-9C35-4FB8-9C18-6DF2A53E7C0C
    PayloadOrganization
    PayloadType
        com.apple.syspolicy.kernel-extension-policy
    PayloadUUID
        69B09342-9C35-4FB8-9C18-6DF2A53E7C0C
    PayloadVersion
        1
PayloadDescription
    allows extensions from specific extension Team Identifiers
PayloadDisplayName
    DigitalGuardian
PayloadIdentifier
    com.github.erikberglund.ProfileCreator.F508AD6F-E398-402B-9928-1A2300C1E229
PayloadOrganization
    ProfileCreator
PayloadRemovalDisallowed
PayloadScope
    System
PayloadType
    Configuration
PayloadUUID
    F508AD6F-E398-402B-9928-1A2300C1E229
PayloadVersion
    1
```

as a .plist file using "com.apple.syspolicy.kernel-extension-policy" as a policy domain into Profile Manager, saving the config in Profile Manager, then downloading a .mobileconfig file. I move that .mobileconfig file to the already enrolled client, run the file, and accept the prompts to install the profile into profile->system prefs. This goes successfully and I see green "verified" at the top, BUT it doesn't result in adding the team ID into the DB (at least not so far).

I'm using the following code to try to read the sqlite DB to verify:

```sh
#!/bin/sh
# Gather list of User Approved Kernel Extensions. 20180313 DM
folder=.
file=checkKEXTs.csv

# Create the output folder and restrict who can write to it
/bin/mkdir -p "${folder}"
/usr/sbin/chown root:admin "${folder}"
/bin/chmod 755 "${folder}"

# Dump team ID / bundle ID pairs from the kext_policy table as CSV
/usr/bin/sqlite3 -csv /var/db/SystemPolicyConfiguration/KextPolicy "select team_id,bundle_id from kext_policy" > "${folder}/${file}"

exit 0
```

I do see entries, but they're for VMware. Never for the above products.

Searching Console, I see the following:

```
rejecting write of key _DKThrottledActivityLast_DKKnowledgeStorageLogging_DKKnowledgeStorageDidInsertEventsNotification:/app/usageActivityDate in { com.apple.contextstored, root, kCFPreferencesAnyHost, no container, managed: 0 } from process 151 because setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access
```

and

```
Sandbox: contextstored(151) deny(1) file-write-data /private/var/root/Library/Preferences/com.apple.contextstored.plist
Violation:       deny(1) file-write-data /private/var/root/Library/Preferences/com.apple.contextstored.plist
Process:         contextstored
Path:            /System/Library/PrivateFrameworks/CoreDuetContext.framework/Versions/A/Resources/contextstored
Load Address:    0x1077f3000
Identifier:      contextstored
Version:         ??? (???)
Code Type:       x86_64 (Native)
Parent Process:  launchd
Responsible:     /System/Library/PrivateFrameworks/CoreDuetContext.framework/Resources/contextstored
User ID:         0
Date/Time:       2019-02-23 17:09:04.228 PST
OS Version:      Mac OS X 10.14.3 (18D109)
Report Version:  8
```

These log messages appear right at the time that I install the .mobileconfig file each time, so I suspect there's a correlation. I've tried repairing permissions without success. About the only thing I didn't do is try this on another Mac, which I may try as well. I've also tried using a .plist file that only includes configurations for bundle IDs or Team IDs respectively (not combined as in above) without success.

The worst part is that I'm having difficulties troubleshooting the issue. I just don't understand the underlying mechanisms very well, so I'm open to troubleshooting tips. It may also be that there's something wrong with my .plist code but I'm just not seeing it. Very open to suggestions there as well. It seems like my test machine is trying to commit the settings, but it's just not working.

Another thing: I noticed errors related to the file "DetachedSignatures" in the logs as well and copied a file from another machine onto the test one in the /var/db (I think) folder and the errors went away. No idea if they're related. As you can tell, I'm sorta grasping at straws here. Hoping and praying the moderator Gods are kind to me and allow me to keep this post active so I can get help.

Thank you so much in advance for reading this and hopefully with your help, I can get beyond this. It's probably something silly I'm missing.
Asked by user1197457 (31 rep)
Feb 24, 2019, 03:44 PM
Last activity: Feb 28, 2019, 05:17 AM
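
An added example, not part of the original post: a Python check of a profile's structure that confirms a `com.apple.syspolicy.kernel-extension-policy` payload sits directly under `PayloadContent` and that its `AllowedTeamIdentifiers` and `AllowedKernelExtensions` entries have the expected types. The function name, the 10-character Team ID pattern and the constructed sample profile (built from the identifiers quoted in the question) are assumptions of this example.

```python
import plistlib
import re

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")  # assumption: Team IDs are 10 chars, A-Z/0-9

def check_kext_policy(profile_bytes):
    """Return a list of problems in a profile's kernel-extension-policy payloads."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType is not 'Configuration'")
    content = profile.get("PayloadContent", [])
    payloads = [p for p in content
                if isinstance(p, dict) and p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not payloads:
        problems.append("no %s payload directly under PayloadContent" % KEXT_POLICY_TYPE)
    for p in payloads:
        teams = p.get("AllowedTeamIdentifiers", [])
        kexts = p.get("AllowedKernelExtensions", {})
        if not isinstance(teams, list):
            problems.append("AllowedTeamIdentifiers must be an array of strings")
            teams = []
        if not isinstance(kexts, dict):
            problems.append("AllowedKernelExtensions must map team ID -> array of bundle IDs")
            kexts = {}
        # An empty-string key in AllowedKernelExtensions denotes unsigned legacy kexts.
        for team in teams + [k for k in kexts if k != ""]:
            if not (isinstance(team, str) and TEAM_ID_RE.fullmatch(team)):
                problems.append("malformed team ID: %r" % (team,))
        for team, bundles in kexts.items():
            if not (isinstance(bundles, list) and all(isinstance(b, str) for b in bundles)):
                problems.append("bundle IDs for %r must be an array of strings" % team)
        if not teams and not kexts:
            problems.append("payload allows no team IDs or kernel extensions")
    return problems

# Constructed sample: a profile rebuilt from the identifiers quoted in the question.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": KEXT_POLICY_TYPE,
        "AllowedTeamIdentifiers": ["HLGBMCXUS7"],
        "AllowedKernelExtensions": {"HLGBMCXUS7": ["com.verdasys.dgagent"]},
    }],
})

if __name__ == "__main__":
    print(check_kext_policy(SAMPLE_PROFILE) or "kext policy payload looks well-formed")
```

To check a real file, pass its bytes to `check_kext_policy`. A signed profile is CMS-wrapped and has to be unwrapped to its plain plist before `plistlib` can parse it.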