System Extensions blocked after upgrading to High Sierra 10.13.4

Valued Contributor

After upgrading both of my Macs to High Sierra 10.13.4, I was greeted by several alerts saying that an extension was blocked. OK. Fine. I knew this was coming. The problem for me was that when I went to the Security & Privacy preference pane, and clicked the Allow button, nothing happened. I tried logging out and logging back in, and rebooting. Neither worked. I then logged into a different admin account, and I was able to allow the extensions. I just wanted to pass this on in case anyone else runs into this issue. I haven't figured out exactly why my normal login account could not approve the extensions, but at least the solution was easy.



New Contributor II

Regarding the Lego Mindstorms NXT issue, the Fantom.kext is indeed very very old and is missing the Team ID.

But according to this:

the Fantom.kext is not actually required, although the other parts from the legodriver.pkg are needed, so just use the nice script provided to skip the kext installation. (the script is not mine, so thanks goes to the creator!)

So, my package installer for NXT (latest version 2.1.f6) contains the following packages from the original dmg:

MindstormsEngi386Edu.pkg (it is called for installation when you run the MindstormsEngUnivEdu.pkg)
Mindstormsi386Edu.pkg (it is also called for installation when you run the MindstormsEngUnivEdu.pkg)

And I'm creating a package that will contain all the files above and will install (actually just copy them) to a temporary folder.
And then, either you can add a script to the package, but I prefer to create a script in JSS interface, that looks like this:

/usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsUnivEdu.pkg -target /
/usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsEngUnivEdu.pkg -target /
/path/to/temporary/folder/ /path/to/temporary/folder/legodriver.pkg
/bin/rm -rf /path/to/temporary/folder

*please note again that those 2 packages containing "i386" are not supposed to be installed manually, they are automatically called for installation from the MindstormsEngUnivEdu.pkg

Also, you will need to have Adobe Flash npapi preinstalled, otherwise when you run the first package to install (MindstormsUnivEdu.pkg) it will pop-up to install an old version of Flash found inside the package, and I didn't bother to find another way to suppress that.

I just tested it now on High Sierra 10.13.6, and it worked flawlessly, for a crappy old not updated app that is still required in some environments.

New Contributor II

@wryder not sure if this has been answered, but you can easily find the Team IDs for any application installed (that uses one) by opening up a terminal window and typing the following:
- sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
- (in the new sqlite prompt type) SELECT * FROM kext_policy;
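The query above can feed an approved-kext profile directly. The following is an added example, not code from the thread or from Jamf: it reads a `kext_policy` table and builds the settings for a `com.apple.syspolicy.kernel-extension-policy` payload, approving signed kexts by Team ID (or, with `pin_bundles=True`, only the specific bundle IDs seen) and listing kexts with no Team ID by bundle ID. Assumptions: the table schema shown, the in-memory sample rows (constructed placeholder Team IDs and bundle IDs), and that kexts without a Team ID appear with an empty `team_id`.

```python
import plistlib
import sqlite3

# Assumed schema of /var/db/SystemPolicyConfiguration/KextPolicy on 10.13.
SCHEMA = """CREATE TABLE kext_policy (
    team_id TEXT, bundle_id TEXT, allowed BOOLEAN,
    developer_name TEXT, flags INTEGER,
    PRIMARY KEY (team_id, bundle_id))"""

# Constructed sample rows: placeholder Team IDs and bundle IDs, not real vendors.
SAMPLE_ROWS = [
    ("ABCDE12345", "com.example.endpoint.kext", 1, "Example Endpoint Inc.", 1),
    ("ABCDE12345", "com.example.endpoint.net", 1, "Example Endpoint Inc.", 1),
    ("ZYXWV98765", "com.example.vpn.kext", 0, "Example VPN LLC", 0),  # not approved
    ("", "com.example.legacy.driver", 1, "", 1),  # old kext with no Team ID
]

def sample_db():
    """In-memory stand-in for the real database so the example runs anywhere."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO kext_policy VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return db

def approved_kexts(db):
    """Map team_id -> bundle IDs for rows that were allowed on this Mac."""
    rows = db.execute(
        "SELECT team_id, bundle_id FROM kext_policy WHERE allowed = 1 "
        "ORDER BY team_id, bundle_id")
    approved = {}
    for team_id, bundle_id in rows:
        approved.setdefault(team_id or "", []).append(bundle_id)
    return approved

def kext_policy_payload(approved, pin_bundles=False, allow_user_overrides=True):
    """Settings dict for a kernel extension policy payload."""
    teams = sorted(t for t in approved if t)
    # Kexts without a Team ID can only be listed by bundle ID under the empty key.
    # pin_bundles=True lists every kext by bundle ID instead of trusting whole teams.
    kexts = {t: b for t, b in approved.items() if pin_bundles or not t}
    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": [] if pin_bundles else teams,
        "AllowedKernelExtensions": kexts,
    }

if __name__ == "__main__":
    payload = kext_policy_payload(approved_kexts(sample_db()))
    print(plistlib.dumps(payload).decode())
```

To run it against a real Mac, replace `sample_db()` with `sqlite3.connect("/var/db/SystemPolicyConfiguration/KextPolicy")` and review the output before putting it in a profile, since it approves whatever was already allowed on that machine.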

Contributor III

How does one scope this? Will it hurt anything to apply to all computers (computer level) even if they already have approved kexts?
Thanks for any assistance.

Valued Contributor III

I would target 10.13 and higher Macs. I wouldn’t think it should affect already approved stuff, but I might test that. There is the option to allow users to approve their own on top of what is supplied in the profile.

Contributor III

I tried creating the profile and used the following settings and it kernel panic'd my test machine.
I have no idea why.
I was able to resolve by booting into user account in safe mode and manually allowing the kexts in system prefs.
Also, does anyone know how to reset so that we get the "allow" button back in system prefs?
Thanks for any assistance.

New Contributor III

We spent a few days trying to get this to work with Sophos Endpoint (i.e. Cloud). Submitted a ticket to Sophos and got this link.

Advisory: Apple MacOS 10.13 High Sierra Support

Not sure why they won't submit their KEXTs to Apple. This makes administering 700+ iMacs a nightmare. Good thing this happened during Winter Break.

Contributor II

@SFRANCIS004 That is crazy! I was able to get this working for Palo Alto Traps. Before I set up the KEXT in Jamf I had to manually approve; now, Traps installs without any interaction on the remote device. I'm testing out Cisco AnyConnect next; however, I have issues with the pkg where it's not installing correctly. One thing at a time.

Esteemed Contributor II

Myea, race condition...might want to have a look at...

Jamf slays the dreaded enrollment race condition #kudos


New Contributor III

When the KEXT, can you separate them out into individual config profiles or do they have to have everything listed in a single config profile?

Honored Contributor

@roethelbc I have a single config profile just for approved kexts. It is easy enough to add to it and push out as you encounter more that need to be approved.