Posted on 03-30-2018 03:10 AM
After upgrading both of my Macs to High Sierra 10.13.4, I was greeted by several alerts saying that an extension was blocked. OK. Fine. I knew this was coming. The problem for me was that when I went to the Security & Privacy preference pane, and clicked the Allow button, nothing happened. I tried logging out and logging back in, and rebooting. Neither worked. I then logged into a different admin account, and I was able to allow the extensions. I just wanted to pass this on in case anyone else runs into this issue. I haven't figured out exactly why my normal login account could not approve the extensions, but at least the solution was easy.
Posted on 08-22-2018 12:54 PM
Regarding Lego Mindstorms NXT issue, the Fantom.kext is indeed very very old and is missing the Team ID.
But according to this:
the Fantom.kext is not actually required, although the other parts from the legodriver.pkg are needed, so just use the nice script provided to skip the kext installation. (the script is not mine, so thanks goes to the creator!)
So, my package installer for NXT (latest version 2.1.f6) is containing the following packages from the original dmg:
MindstormsUnivEdu.pkg MindstormsEngUnivEdu.pkg MindstormsEngi386Edu.pkg (it is called for installation when you run the MindstormsEngUnivEdu.pkg) Mindstormsi386Edu.pkg (it is also called for installation when you run the MindstormsEngUnivEdu.pkg) legodriver.pkg legodriverinstaller.sh
And I'm creating a package that will contain all the files above and will install (actually just copy them) to a temporary folder.
And then, either you can add a postinstall.sh script to the package, but I prefer to create a script in JSS interface, that looks like this:
#!/bin/bash /usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsUnivEdu.pkg -target / /usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsEngUnivEdu.pkg -target / /path/to/temporary/folder/legodriverinstaller.sh /path/to/temporary/folder/legodriver.pkg /bin/rm -rf /path/to/temporary/folder
*please note again that those 2 packages containing "i386" are not supposed to be installed manually, they are automatically called for installation from the MindstormsEngUnivEdu.pkg
Also, you will need to have Adobe Flash npapi preinstalled, otherwise when you run the first package to install (MindstormsUnivEdu.pkg) it will pop-up to install an old version of Flash found inside the package, and I didn't bother to find another way to suppress that.
I just tested it now on High Sierra 10.13.6, and it worked flawlessly, for a crappy old not updated app that is still required in some environments.
Posted on 08-30-2018 04:53 PM
@wryder not sure if this has been answered, but you can easily find the TEAM ID's for any application installed (that uses one) by opening up a terminal window and typing the following:
- sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
- (in the new sqlite prompt type) SELECT * FROM kext_policy;
Posted on 09-25-2018 09:04 AM
How does one scope this? Will it hurt anything to apply to all computers (computer level) even if they already have approved kexts?
Thanks for any assistance.
Posted on 09-25-2018 09:32 AM
I would target 10.13 and higher Macs. I wouldn’t think it should affect already approved stuff, but I might test that. There is the option to allow users to approve their own on top of what is supplied in the profile.
Posted on 09-25-2018 10:17 AM
I tried creating the profile and used the following settings and it kernel panic'd my test machine.
I have no idea why.
I was able to resolve by booting into user account in safe mode and manually allowing the kexts is system prefs.
Also, does anyone know how to reset so that we get the "allow" button back in system prefs?
Thanks for any assistance.
Posted on 12-17-2018 10:12 AM
We spent a few days trying to get this to work with Sophos Endpoint (ie Cloud). Submitted a ticket to Sophos and got this link.
Advisory: Apple MacOS 10.13 High Sierra Support
Not sure why they won't submit their KEXTs to Apple. This makes administering 700+ iMacs a nightmare. Good thing this happened during Winter Break.
Posted on 12-20-2018 06:41 PM
@SFRANCIS004 That is crazy! I was able to get this working for Palo Alto Traps. Before I set up the KEXT in Jamf I had to manually approve, now, Traps installs without any interaction on the remote device. I'm testing out Cisco Anyconnect next, however, I have issues with the pkg where it's not installing correctly. One thing at a time.
Posted on 12-23-2018 09:20 PM
Myea, race condition...might want to have a look at...
Jamf slays the dreaded enrollment race condition #kudos
Posted on 05-06-2019 09:05 AM
When the KEXT, can you separate them out into individual config profiles or do they have to have everything listed in a single config profile?
Posted on 05-06-2019 09:09 AM
@roethelbc I have a single config profile just for approved kexts. It is easy enough to add to it and push out as you encounter more that need to be approved.