System Extensions blocked after upgrading to High Sierra 10.13.4

howie_isaacks
Valued Contributor

After upgrading both of my Macs to High Sierra 10.13.4, I was greeted by several alerts saying that an extension was blocked. OK. Fine. I knew this was coming. The problem for me was that when I went to the Security & Privacy preference pane, and clicked the Allow button, nothing happened. I tried logging out and logging back in, and rebooting. Neither worked. I then logged into a different admin account, and I was able to allow the extensions. I just wanted to pass this on in case anyone else runs into this issue. I haven't figured out exactly why my normal login account could not approve the extensions, but at least the solution was easy.


Arre
New Contributor II

Regarding Lego Mindstorms NXT issue, the Fantom.kext is indeed very very old and is missing the Team ID.

But according to this:
https://github.com/JrMasterModelBuilder/Mindstorms-Fantom-Drivers-Mac-Install

the Fantom.kext is not actually required, although the other parts from the legodriver.pkg are needed, so just use the nice script provided to skip the kext installation. (the script is not mine, so thanks goes to the creator!)

So, my package installer for NXT (latest version 2.1.f6) contains the following packages from the original dmg:

MindstormsUnivEdu.pkg
MindstormsEngUnivEdu.pkg
MindstormsEngi386Edu.pkg (it is called for installation when you run the MindstormsEngUnivEdu.pkg)
Mindstormsi386Edu.pkg (it is also called for installation when you run the MindstormsEngUnivEdu.pkg)
legodriver.pkg
legodriverinstaller.sh

And I'm creating a package that will contain all the files above and will install (actually just copy them) to a temporary folder.
And then, either you can add a postinstall.sh script to the package, but I prefer to create a script in JSS interface, that looks like this:

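#!/bin/bash
# Install the two top-level packages (the i386 packages are pulled in automatically)
/usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsUnivEdu.pkg -target /
/usr/sbin/installer -pkg /path/to/temporary/folder/MindstormsEngUnivEdu.pkg -target /
# Install the driver package through the helper script, which skips Fantom.kext
/path/to/temporary/folder/legodriverinstaller.sh /path/to/temporary/folder/legodriver.pkg
# Remove the staged installers
/bin/rm -rf /path/to/temporary/folder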

*please note again that those 2 packages containing "i386" are not supposed to be installed manually, they are automatically called for installation from the MindstormsEngUnivEdu.pkg

Also, you will need to have Adobe Flash npapi preinstalled, otherwise when you run the first package to install (MindstormsUnivEdu.pkg) it will pop-up to install an old version of Flash found inside the package, and I didn't bother to find another way to suppress that.

I just tested it now on High Sierra 10.13.6, and it worked flawlessly, for a crappy old not updated app that is still required in some environments.

cyepiz
New Contributor II

@wryder not sure if this has been answered, but you can easily find the Team IDs for any application installed (that uses one) by opening up a terminal window and typing the following:
- sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
- (in the new sqlite prompt type) SELECT * FROM kext_policy;

llitz123
Contributor II

How does one scope this? Will it hurt anything to apply to all computers (computer level) even if they already have approved kexts?
Thanks for any assistance.

blackholemac
Valued Contributor III

I would target 10.13 and higher Macs. I wouldn’t think it should affect already approved stuff, but I might test that. There is the option to allow users to approve their own on top of what is supplied in the profile.

llitz123
Contributor II

I tried creating the profile and used the following settings and it kernel panic'd my test machine.
I have no idea why.
I was able to resolve by booting into user account in safe mode and manually allowing the kexts in system prefs.
Also, does anyone know how to reset so that we get the "allow" button back in system prefs?
Thanks for any assistance.

SFRANCIS004
New Contributor III

We spent a few days trying to get this to work with Sophos Endpoint (ie Cloud). Submitted a ticket to Sophos and got this link.

Advisory: Apple MacOS 10.13 High Sierra Support

Not sure why they won't submit their KEXTs to Apple. This makes administering 700+ iMacs a nightmare. Good thing this happened during Winter Break.

bcbackes
Contributor

@SFRANCIS004 That is crazy! I was able to get this working for Palo Alto Traps. Before I set up the KEXT in Jamf I had to manually approve, now, Traps installs without any interaction on the remote device. I'm testing out Cisco Anyconnect next, however, I have issues with the pkg where it's not installing correctly. One thing at a time.

donmontalvo
Esteemed Contributor II

Myea, race condition...might want to have a look at...

Jamf slays the dreaded enrollment race condition #kudos

--
https://donmontalvo.com

roethelbc
New Contributor III

When the KEXT, can you separate them out into individual config profiles or do they have to have everything listed in a single config profile?

AVmcclint
Valued Contributor III

@roethelbc I have a single config profile just for approved kexts. It is easy enough to add to it and push out as you encounter more that need to be approved.
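
Added example (not part of any post in this thread, and not Jamf's or Apple's code): the Team ID lookup in the kext_policy table described above, carried through to the single approved-kext payload discussed in the last replies, including a legacy kext with no Team ID like the Fantom.kext case. The column layout (team_id, bundle_id, allowed, developer_name, flags), the sample rows and the function names are assumptions made for illustration; the payload dict leaves out the wrapping profile keys (identifier, UUID, version) that the MDM adds.

```python
import plistlib
import sqlite3

# Constructed sample rows in the assumed shape of the kext_policy table
# (team_id, bundle_id, allowed, developer_name, flags). Not real vendor data.
SAMPLE_ROWS = [
    ("ABCDE12345", "com.example.endpoint.kext", 1, "Example Security Inc.", 1),
    ("ABCDE12345", "com.example.endpoint.netfilter", 1, "Example Security Inc.", 1),
    ("ZYXWV98765", "com.example.vpn.kext", 0, "Example VPN LLC", 0),
    ("", "com.example.legacy.driver", 1, "", 1),  # old kext with no Team ID
]

def open_sample_db():
    """In-memory stand-in for /var/db/SystemPolicyConfiguration/KextPolicy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
               "allowed BOOLEAN, developer_name TEXT, flags INTEGER)")
    db.executemany("INSERT INTO kext_policy VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return db

def build_payload(db, whole_team_ids=(), allow_user_overrides=True):
    """Turn rows a user already approved into a kext-policy payload dict."""
    teams, bundles = set(), {}
    rows = db.execute("SELECT team_id, bundle_id FROM kext_policy "
                      "WHERE allowed = 1 ORDER BY team_id, bundle_id")
    for team_id, bundle_id in rows:
        if team_id and team_id in whole_team_ids:
            teams.add(team_id)  # trust every kext signed by this team
        else:
            # Pin to the bundle ID; kexts with no Team ID go under the "" key.
            bundles.setdefault(team_id or "", []).append(bundle_id)
    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(teams),
        "AllowedKernelExtensions": bundles,
    }

def payload_plist(payload):
    """Serialize the payload dict as an XML property list string."""
    return plistlib.dumps(payload).decode()

if __name__ == "__main__":
    print(payload_plist(build_payload(open_sample_db(), {"ABCDE12345"})))
```

Rows that were never approved (allowed = 0) are left out, so the profile only pre-approves what someone has already vetted on a test Mac; listing a Team ID in whole_team_ids trades that per-bundle pinning for trusting everything the vendor signs.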