Skip to main content

After upgrading both of my Macs to High Sierra 10.13.4, I was greeted by several alerts saying that an extension was blocked. OK. Fine. I knew this was coming. The problem for me was that when I went to the Security & Privacy preference pane, and clicked the Allow button, nothing happened. I tried logging out and logging back in, and rebooting. Neither worked. I then logged into a different admin account, and I was able to allow the extensions. I just wanted to pass this on in case anyone else runs into this issue. I haven't figured out exactly why my normal login account could not approve the extensions, but at least the solution was easy.



I used the instructions here to get the Team ID, then I built a Config profile specifically for pre-approving kexts.



here is the apple article about this



https://developer.apple.com/library/content/technotes/tn2459/_index.html



I have had to do this for Cisco, Carbon black, and Now Forescout Secure Conenctor.

To tag on to what @AVmcclint stated, you can just download this python script to list the Team ID's if you don't want to do completely manually.

I am not on Jamf 10 yet. Question is can I create a custom config profile manually and deploy it via policy/script to my 10.13 clients?

@wmateo You can in theory do it in J9.9 by creating a custom setting in Config profiles and import a pre-made kext list (By using Franton's script https://www.jamf.com/jamf-nation/discussions/26583/kextpocalyse-2-the-remediation-blog-post-by-our-own-franton).
If you want to add them manually you'll need to upgrade to Jamf 10 which provides you with the "Approved Kernel Extensions" option.
Keep in mind that the approved kext list needs to be installed before the apps that require them so might need some re-arrangement in in smart groups and policy's.

I have a bundle_id without a team_id.



Using @AVmcclint 's post on this thread, as well as @donmontalvo's post for quidance, I get the following result:



6HB5Y2QTA3 | com.hp.kext.io.enabler.compound | Hewlett Packard | (blah blah blah...)
| com.ni.Fantom.nxtFwdl | 1 | Legacy Developer: N1 | 1



It's for the LEGO Mindstorm NXT software, which is old.



JAMF requires a team_id be input, and I cannot leave it blank. Does anyone have any thoughts?

@costes try: SKTKK2QZ74

@scottb How'd you come across SKTKK2QZ74? I'll throw it on some test units

@costes Pulled from an install. I also verified it on the google doc. Once I reimage a Mac in my downtime, I'll test it too for kicks.

Somebody is nice enough to compile this into one spreadsheet. Link of known Team IDs

@khey Thanks for this, bookmarked!

@scottb and @khey thank you for the resources.



I entered SKTKK2QZ74 as my missing Team_ID in my Config Profile and redeployed to affected devices.



HOWEVER I am getting the same symptom now as @howie_isaacks original post. I'll still get the pop up in regards to the specific KEXT for com.ni.Fantom.nxtFwdl, and nothing happens when clicking Allow. Redeploying the Config Profile did not resolve the issue either.

Any updates on this situation? Also trying to install Lego Mindstorms NXT with the missing Team_ID. Thanks!

@Costes, is the Profile loaded on the Mac before you install the package?
Are you using ONLY the TEAM ID?

Regarding Lego Mindstorms NXT issue, the Fantom.kext is indeed very very old and is missing the Team ID.



But according to this:
https://github.com/JrMasterModelBuilder/Mindstorms-Fantom-Drivers-Mac-Install



the Fantom.kext is not actually required, although the other parts from the legodriver.pkg are needed, so just use the nice script provided to skip the kext installation. (the script is not mine, so thanks goes to the creator!)



So, my package installer for NXT (latest version 2.1.f6) is containing the following packages from the original dmg:



MindstormsUnivEdu.pkg

MindstormsEngUnivEdu.pkg

MindstormsEngi386Edu.pkg (it is called for installation when you run the MindstormsEngUnivEdu.pkg)

Mindstormsi386Edu.pkg (it is also called for installation when you run the MindstormsEngUnivEdu.pkg)

legodriver.pkg

legodriverinstaller.sh


And I'm creating a package that will contain all the files above and will install (actually just copy them) to a temporary folder.
And then, either you can add a postinstall.sh script to the package, but I prefer to create a script in JSS interface, that looks like this:



#!/bin/bash

/usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsUnivEdu.pkg -target /

/usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsEngUnivEdu.pkg -target /

/path/to/temporary/folder/legodriverinstaller.sh /path/to/temporary/folder/legodriver.pkg

/bin/rm -rf /path/to/temporary/folder


*please note again that those 2 packages containing "i386" are not supposed to be installed manually, they are automatically called for installation from the MindstormsEngUnivEdu.pkg



Also, you will need to have Adobe Flash npapi preinstalled, otherwise when you run the first package to install (MindstormsUnivEdu.pkg) it will pop-up to install an old version of Flash found inside the package, and I didn't bother to find another way to suppress that.



I just tested it now on High Sierra 10.13.6, and it worked flawlessly, for a crappy old not updated app that is still required in some environments.

@wryder not sure if this has been answered, but you can easily find the TEAM ID's for any application installed (that uses one) by opening up a terminal window and typing the following:
- sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
- (in the new sqlite prompt type) SELECT * FROM kext_policy;

How does one scope this? Will it hurt anything to apply to all computers (computer level) even if they already have approved kexts?
Thanks for any assistance.

I would target 10.13 and higher Macs. I wouldn’t think it should affect already approved stuff, but I might test that. There is the option to allow users to approve their own on top of what is supplied in the profile.

I tried creating the profile and used the following settings and it kernel panic'd my test machine.


I have no idea why.
I was able to resolve by booting into user account in safe mode and manually allowing the kexts is system prefs.
Also, does anyone know how to reset so that we get the "allow" button back in system prefs?
Thanks for any assistance.

We spent a few days trying to get this to work with Sophos Endpoint (ie Cloud). Submitted a ticket to Sophos and got this link.



Advisory: Apple MacOS 10.13 High Sierra Support



Not sure why they won't submit their KEXTs to Apple. This makes administering 700+ iMacs a nightmare. Good thing this happened during Winter Break.

@SFRANCIS004 That is crazy! I was able to get this working for Palo Alto Traps. Before I set up the KEXT in Jamf I had to manually approve, now, Traps installs without any interaction on the remote device. I'm testing out Cisco Anyconnect next, however, I have issues with the pkg where it's not installing correctly. One thing at a time.

Myea, race condition...might want to have a look at...



Jamf slays the dreaded enrollment race condition #kudos

When the KEXT, can you separate them out into individual config profiles or do they have to have everything listed in a single config profile?

@roethelbc I have a single config profile just for approved kexts. It is easy enough to add to it and push out as you encounter more that need to be approved.

Reply


Terms & ConditionsCookie settings