Sorting kernel extensions
Deal with a change to how macOS allows kernel extensions to be installed
There’s a change to how kernel extensions are handled in macOS High Sierra, for which Apple has published advice for system administrators, yet this change may have a small impact on you even as a regular Mac user.
Basically, kernel extensions added to your Mac after you install High Sierra require user approval. After installing High Sierra, we ran into this scenario two times in as many days. The action that’s consequently required on your part is trivial, but we recommend paying closer attention than you might normally do when installing software. For example, we encountered a prompt for action when we installed the Logitech Options software as part of the MX Master 2S mouse reviewed in this issue (see page 86), and with Paragon’s NTFS for Mac software when writing the APFS tutorial on page 56 of this issue too.
Each time we were presented with a clear warning in a dialogue, which instructed us to go to System Preferences’ Security & Privacy pane in order to grant permission for part of the software to run.
The person who is taking an action – installing software – that causes a new kernel extension to be added to your Mac does not have to be logged into an administrator account, nor are they prompted for an admin user’s credentials if they allow the extension to run.
Command or support
Also note that kernel extensions you installed prior to High Sierra, or which are an update to a previously approved kernel extension, are not impacted by this new behaviour.
If you’re comfortable with researching and running commands in Terminal, the spctl command in macOS Recovery enables you to disable User Approved Kernel Extension Loading to prevent risks associated with extensions. However, if you’re getting into that level of technical detail you should read Apple’s support page at bit.ly/hskernel, which describes related considerations – notably, that you may want to set a firmware password to prevent casual resetting of the NVRAM, which re-enables the extension approval rights of all users.