System Extension Blocked alert is not prompted.

Mickkeeyy
New Contributor

I have installed the Ivanti client and connected to it, and I am using a PSAM feature. To use this I need to get a system extension blocked for the SAM, and I need to allow it in the Security & Privacy section.

Issue: I am not getting this prompt, nor has it appeared in the Security & Privacy section.

Can anyone help me with this?
Do we have any terminal command or any other process to enable the system extensions prompt, or to manually allow this extension?

 

1 REPLY

AJPinto
Honored Contributor II

System Extensions on macOS can be buggy, and vendor support of them is still a bit flaky at times. System Extensions are also a pain to troubleshoot due to SIP.

  • Try on another device. If the other device is also not prompting for the system extension, check to make sure you don't already have it approved, and if you don't have it approved, contact the vendor to make sure the client you are using includes the system extension. Sometimes you need to enable a feature for the system extension to spawn.
  • There are no terminal commands that can approve a system extension; only MDM and users can approve them. There is a terminal command that can list the system extensions on the Mac and their status.
  • If macOS is bugged and not presenting the system extension approval, the only way to approve a System Extension is to use MDM or reinstall macOS.

 

systemextensionsctl list

The output should look something like this. Note the status of active waiting for user; this would be waiting on a user prompt to approve. If it's already been approved by MDM or the user, it will say activated enabled instead of waiting for user. If you remove a system extension, the status will be waiting on reboot to remove.

 

SystemExtensionsSuck:~User$ systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active  teamID  bundleID (version)  name    [state]
    *   DE8Y96K9QP  com.cisco.anyconnect.macos.acsockext (4.9.04053/4.9.04053)  Cisco AnyConnect Socket Filter Extension    [activated waiting for user]

 

 

You can use the codesign binary to get the information to make the configuration profile to approve the system extension, or you can use the Show Me Your ID app to get the same information. The vendor should also have documentation for making the configuration profile to approve their system extension. Only do the legwork yourself if absolutely necessary or if you prefer doing it yourself.

HCS Technology Group - Show Me Your ID 3.0 (hcsonline.com)

 

codesign --display -r - {path to application without brackets}
User@SystemExtensionsSuck ~ % codesign --display -r - /Applications/ProfileCreator.app
Executable=/Applications/ProfileCreator.app/Contents/MacOS/ProfileCreator
# designated => cdhash H"1c14f6107dea3c5eb18002499388751ea0e48acd"
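
The status check described in the reply above, as an added example that is not part of the original thread: a shell function that reads `systemextensionsctl list` output and prints the team ID and bundle ID of every extension still in `[activated waiting for user]`. The function names and the second sample row (`EXAMPLE123`, `com.example.filter.ext`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report extensions still awaiting approval.

# Read `systemextensionsctl list` output on stdin; print one line per extension
# as "teamID<TAB>bundleID<TAB>state".
parse_sysext_list() {
    awk '
        /^enabled/ { next }                      # skip the column header row
        match($0, /\[[a-z ]+\][ \t]*$/) {        # rows end in a bracketed state
            state = substr($0, RSTART, RLENGTH)
            gsub(/^\[|\][ \t]*$/, "", state)
            row = substr($0, 1, RSTART - 1)
            sub(/^[ \t*]+/, "", row)             # drop the enabled/active markers
            if (split(row, f, /[ \t]+/) >= 2) print f[1] "\t" f[2] "\t" state
        }'
}

# Keep only extensions that neither the user nor MDM has approved yet.
pending_approval() {
    parse_sysext_list |
        awk -F '\t' '$3 == "activated waiting for user" { print $1 "\t" $2 }'
}

# Constructed sample: the row shown in the reply plus one made-up approved row.
sample_list() {
    cat <<'EOF'
2 extension(s)
--- com.apple.system_extension.network_extension
enabled active  teamID  bundleID (version)  name    [state]
    *   DE8Y96K9QP  com.cisco.anyconnect.macos.acsockext (4.9.04053/4.9.04053)  Cisco AnyConnect Socket Filter Extension    [activated waiting for user]
*   *   EXAMPLE123  com.example.filter.ext (1.0/1)  Example Filter  [activated enabled]
EOF
}

if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | pending_approval   # live data on a Mac
else
    sample_list | pending_approval                # offline demo on the sample
fi
```

An empty result on a Mac means nothing is waiting on a prompt, which matches the first bullet in the reply: either the extension is already approved or the client never registered one.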